Are DNR Orders Covered by HIPAA? Privacy and Access Explained
HIPAA Privacy Rule Overview
Yes. Do Not Resuscitate (DNR) orders are part of a patient’s medical record and therefore qualify as Protected Health Information under the HIPAA Privacy Rule. As PHI, they are safeguarded by federal privacy standards that govern how, when, and with whom the information can be shared.
Core concepts you should know
- Protected Health Information: Individually identifiable health data in any form—paper, verbal, or electronic—created or received by a covered entity.
- Treatment, Payment, and Healthcare Operations: HIPAA permits use and disclosure of PHI for these purposes without a separate Disclosure Authorization.
- Minimum Necessary: Applies to most non-treatment uses and disclosures; it does not restrict information shared for treatment between providers.
- Patient Consent vs. Authorization: Patient consent is generally used for routine care interactions; a HIPAA-compliant Authorization is required for most uses/disclosures not otherwise permitted by the Rule.
- Verification: Before sharing PHI, providers must take reasonable steps to verify the identity and authority of the requestor.
Understanding DNR Orders
A DNR order is a medical order written by a licensed clinician directing healthcare teams not to initiate cardiopulmonary resuscitation (CPR) if breathing or heartbeat stops. It is typically based on conversations about goals of care and may be informed by Medical Directives such as a living will or a healthcare power of attorney, but it is distinct from those documents.
DNR orders can exist in-hospital and out-of-hospital. Many systems use standardized forms, wallet cards, or identifiers so first responders can quickly honor the patient’s wishes. Because a DNR is a clinician order, it should be clearly visible in the chart and readily retrievable during emergencies.
Sharing DNR Orders Under HIPAA
When sharing is permitted without Authorization
- Treatment: You may share a patient’s DNR status with any treating provider or first responder as needed to provide care. The minimum necessary standard does not limit treatment disclosures, but you should still share only what is relevant.
- Care coordination and transfers: Communicating DNR orders during handoffs, referrals, or facility-to-facility transfers is part of treatment and allowed.
- Individuals involved in care: If the patient agrees, does not object, or is incapacitated, you may disclose relevant information to family or caregivers involved in the patient’s care using professional judgment.
- Required by law: If a law or valid mandate requires disclosure (for example, to EMS in jurisdictions with specific DNR mechanisms), HIPAA permits it.
When Authorization or additional steps are needed
- Non-treatment purposes: Sharing a DNR order for reasons outside treatment, payment, or healthcare operations (such as media or non-care-related third parties) generally requires a HIPAA Authorization.
- Minimum necessary for non-treatment: For operations or other permitted non-treatment uses, disclose only the minimum information reasonably necessary.
- Documentation: Record the rationale for disclosures made when the patient cannot consent, including the basis for professional judgment.
Role of POLST Forms
Physician Orders for Life-Sustaining Treatment (POLST) translate a patient’s goals into portable medical orders that extend beyond CPR preferences. Unlike a standalone DNR, a POLST typically addresses interventions such as intubation, ventilation, antibiotics, and artificial nutrition, making it actionable across settings of care.
Because POLST forms are medical orders, they are PHI protected by HIPAA. Their purpose, however, is to be quickly accessible to treating clinicians and EMS. Sharing a POLST for treatment is permitted without additional Authorization. Many systems implement registries or EHR flags so authorized clinicians can locate the most current orders during emergencies.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
DNR vs. POLST at a glance
- DNR: A focused order about CPR only.
- POLST: A broader, condition-appropriate set of orders that may include a DNR component plus other life-sustaining treatment preferences.
Protecting Patient Privacy
Practical safeguards
- Standardize documentation: Use clearly labeled DNR/POLST sections or EHR alerts so staff do not have to search through sensitive notes during a crisis.
- Role-based access: Limit who can edit or revoke orders; audit “break-the-glass” accesses to emergency views.
- Secure exchange: Use secure messaging, encrypted EHR-to-EHR transfers, or sanctioned registries; avoid texting photos of forms.
- Verification before disclosure: Confirm identity and authority of callers requesting DNR information, especially across organizations.
- Minimum necessary mindset: For non-treatment purposes, disclose only pertinent details (e.g., that a DNR exists, not unrelated history).
- Update and revoke: Document revisions promptly; ensure old versions are retired so teams act on the current order.
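As an added example that is not part of the original article, the following Python models four of the safeguards listed above: role-based access to the order, a break-the-glass emergency read that is refused without a documented reason and always audited, a minimum-necessary view for non-treatment roles, and retirement of superseded versions so only one active order exists. The roles, permissions, order fields and the `OrderStore` class are constructed for illustration and are not taken from any EHR product.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed role model (an assumption for this example, not a standard):
# attendings write and revoke orders, clinical readers get the full order,
# non-clinical roles get only a minimum-necessary summary.
ROLE_PERMS = {
    "attending": {"read", "write", "revoke"},
    "nurse": {"read"},
    "ems": {"read"},
    "billing": {"read_minimal"},
}


@dataclass
class CodeStatusOrder:
    patient_id: str
    kind: str            # "DNR" or "POLST"
    version: int
    status: str          # "active", "superseded" or "revoked"
    details: dict        # full order content; this is PHI


@dataclass
class AuditEvent:
    ts: str
    user: str
    role: str
    patient_id: str
    action: str
    emergency: bool = False
    reason: Optional[str] = None


class OrderStore:
    """In-memory order store that enforces role checks, versioning and auditing."""

    def __init__(self):
        self.versions: Dict[str, List[CodeStatusOrder]] = {}
        self.audit: List[AuditEvent] = []

    def _log(self, user, role, patient_id, action, emergency=False, reason=None):
        self.audit.append(AuditEvent(datetime.now(timezone.utc).isoformat(),
                                     user, role, patient_id, action, emergency, reason))

    def current(self, patient_id) -> Optional[CodeStatusOrder]:
        """The single active order for the patient, or None if revoked or absent."""
        active = [o for o in self.versions.get(patient_id, []) if o.status == "active"]
        return active[-1] if active else None

    def write(self, user, role, patient_id, kind, details) -> CodeStatusOrder:
        if "write" not in ROLE_PERMS.get(role, set()):
            raise PermissionError(f"role {role!r} may not write orders")
        history = self.versions.setdefault(patient_id, [])
        for old in history:                  # retire prior versions so teams act on the current one
            if old.status == "active":
                old.status = "superseded"
        order = CodeStatusOrder(patient_id, kind, len(history) + 1, "active", dict(details))
        history.append(order)
        self._log(user, role, patient_id, f"write v{order.version}")
        return order

    def revoke(self, user, role, patient_id) -> bool:
        if "revoke" not in ROLE_PERMS.get(role, set()):
            raise PermissionError(f"role {role!r} may not revoke orders")
        order = self.current(patient_id)
        if order is None:
            return False
        order.status = "revoked"
        self._log(user, role, patient_id, f"revoke v{order.version}")
        return True

    def read(self, user, role, patient_id, emergency=False, reason=None):
        perms = ROLE_PERMS.get(role, set())
        order = self.current(patient_id)
        if "read" in perms:                  # treatment role: full order
            self._log(user, role, patient_id, "read")
            return order
        if "read_minimal" in perms:          # minimum necessary: existence and type only
            self._log(user, role, patient_id, "read_minimal")
            return {"patient_id": patient_id, "active_order": order.kind if order else None}
        if emergency:                        # break-the-glass path: reason required, always logged
            if not reason:
                raise PermissionError("break-the-glass access requires a documented reason")
            self._log(user, role, patient_id, "read", emergency=True, reason=reason)
            return order
        raise PermissionError(f"role {role!r} may not read orders")

    def break_glass_events(self) -> List[AuditEvent]:
        """Emergency accesses a privacy officer should review after the fact."""
        return [e for e in self.audit if e.emergency]
```

The `billing` role never sees the order details, only whether an active DNR or POLST exists, which is the "minimum necessary mindset" item in practice. A role outside `ROLE_PERMS` (a volunteer, say) is denied by default and can only read the order by invoking the emergency path with a reason, and every such read lands in `break_glass_events()` for audit.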
Patient consent and Authorization
Routine sharing of DNR/POLST for treatment does not require a separate Disclosure Authorization. If a patient wants certain family members informed or excluded, capture that preference and honor it unless required by law to do otherwise. For non-permitted uses, obtain a valid, written Authorization before disclosure.
Access Rights of Family and Caregivers
Patients have the right to access and obtain copies of their medical records, including DNR or POLST orders. A personal representative—such as a court-appointed guardian or a healthcare agent named in a power of attorney—generally has the same access rights as the patient, subject to applicable law.
- Family and friends involved in care: Providers may share relevant information if the patient agrees or, when the patient is incapacitated, if doing so is in the patient’s best interest, using professional judgment.
- Parents and minors: Parents or legal guardians often act as the minor’s personal representative, with exceptions defined by law (for example, certain sensitive services).
- Copies and timelines: When a patient or personal representative requests a copy of the DNR/POLST, provide it within required timeframes and at reasonable, cost-based fees where applicable.
Compliance with Healthcare Regulations
Compliance around DNR/POLST orders rests on aligning HIPAA with state law and clinical documentation standards. Facilities should implement policies that respect patient autonomy, meet documentation standards, and support rapid access during emergencies while maintaining privacy.
- Policy integration: Align HIPAA procedures with organizational advance care planning workflows and EMS recognition processes.
- Training and drills: Educate staff on locating, confirming, and communicating DNR/POLST orders; rehearse handoffs and after-hours scenarios.
- State law awareness: Requirements for out-of-hospital DNRs, identifiers, and clinician signatures vary; incorporate state-specific rules into policy.
- Quality and audits: Monitor for outdated orders, inappropriate access, or disclosure gaps; remediate and re-train promptly.
- Incident response: If an impermissible disclosure occurs, follow breach risk assessment and notification obligations.
Conclusion
DNR and POLST orders are covered by the HIPAA Privacy Rule as Protected Health Information. HIPAA permits swift, treatment-based sharing with clinicians and EMS, while requiring Authorization for most non-permitted uses. By combining clear documentation, role-based access, careful verification, and staff training, you can honor patient preferences and protect privacy at every step.
FAQs
Can healthcare providers share DNR orders without patient consent?
Yes. Providers may share a DNR order for treatment purposes—such as with hospital teams or first responders—without separate patient consent or Authorization. If the patient is present and able, providers should include them in the conversation; if not, they may use professional judgment to share relevant details with those involved in care.
How does HIPAA protect patient privacy regarding DNR orders?
HIPAA classifies DNR orders as PHI, limits non-treatment disclosures, and requires verification of requestors, adherence to the minimum necessary standard for non-treatment uses, and safeguards like role-based access and auditing. For most disclosures beyond care delivery, a specific HIPAA Authorization is required.
Who is allowed to access a patient’s DNR order?
The patient and their personal representative have a right to access and obtain copies. Treating clinicians and EMS can access the order as needed for care. Family or caregivers may be informed if the patient agrees or, when the patient cannot agree, if sharing is in the patient’s best interest and relevant to their involvement in care.
What is the difference between a DNR order and a POLST form?
A DNR is a medical order focused on whether to perform CPR. A POLST (Physician Orders for Life-Sustaining Treatment) is a broader set of portable medical orders that may include CPR preferences plus directives on interventions like ventilation, antibiotics, and artificial nutrition. Both are PHI, but POLST captures a more comprehensive plan of care for serious illness.