
Case study
A man enters a skin therapy practice during a routine afternoon. He approaches the front desk.
"Good afternoon. My wife comes here regularly, and I'd like to get her a gift card for her birthday for the treatments she normally receives," he explains.
Lisa, the practice manager, responds. "We'd be happy to help with a gift card. What's her email address?"
The man provides the email but then continues, "Could you also confirm what services she typically gets? I want to make sure I'm purchasing the right amount. She was here about three months ago."
Lisa replies. "I understand you want to get the perfect gift, but due to HIPAA regulations, I can't confirm whether your wife is a client or provide any information about possible services."
"I think you misunderstand," the man counters. "I just need to verify she's actually a patient here and which practitioner she sees. We're married—I'm just trying to get her the right gift."
Lisa further explains. "I appreciate that, and it's a thoughtful gesture. However, I legally cannot confirm or deny if she's a client here. I'd be happy to create a gift card that she can use for any service with any of our practitioners."
The man persists. "I need to know if she comes here before I spend the money. Can't you at least tell me if she has an appointment history here? We share everything—we're married."
"I understand your position," Lisa responds, "but HIPAA protects all patients' information, even from spouses. I can offer you a general gift card, or perhaps suggest our most popular treatment packages that many clients enjoy."
Understanding your legal obligations
This scenario asks an important question for skincare professionals: What are your HIPAA obligations when a spouse requests information? Understanding the correct approach not only protects your practice legally but also preserves patient trust.
According to the National Med Spa Association, “The Health Insurance Portability and Accountability Act (HIPAA) sets national standards for the protection of individuals’ medical records and other personal health information. Aesthetic businesses, such as medical spas, dermatology clinics, and cosmetic surgery centers, must comply with HIPAA regulations if they handle protected health information (PHI).”
HIPAA requirements for aesthetic practices
As healthcare providers who likely conduct covered electronic transactions, medical spas and skin care clinics generally qualify as HIPAA-covered entities when:
- You perform medical-grade treatments (chemical peels, certain laser treatments, injectables)
- You bill insurance for any services
- You employ or work with licensed medical professionals
- You maintain electronic protected health information (ePHI)
45 CFR § 164 sets the general rules for uses and disclosures of PHI, prohibiting disclosure without patient authorization except as permitted or required by law. It also provides standards for de-identification of PHI and limits on the use and disclosure of such information.
Under HIPAA guidelines, you cannot:
- Confirm or deny someone is your patient/client
- Share appointment histories
- Reveal treatment information
- Disclose provider relationships
- Indicate service frequencies or preferences
Marriage does not override HIPAA
A common misconception among both clients and sometimes practitioners is that marital status creates automatic permission for information sharing. The legal reality:
- Spousal status does not confer automatic access rights
- No "marital exception" exists within HIPAA
- Each adult patient maintains individual privacy rights
- Explicit written authorization is required for any disclosure
The limited exceptions
Information can only be shared with spouses when:
- Explicit written authorization exists: The patient has completed a HIPAA authorization form specifically naming their spouse and detailing what information can be shared
- The spouse is a legal personal representative: This requires formal documentation (power of attorney, legal guardianship)
- Emergency situations: When necessary for emergency treatment and the patient cannot provide authorization
- Patient is present and verbally consents: If your patient is physically present and verbally authorizes the disclosure
In its FAQs, the U.S. Department of Health and Human Services (HHS) clarifies that the HIPAA Privacy Rule permits covered entities to share protected health information that is directly relevant to a patient’s care or payment for care with a spouse, family members, friends, or other individuals identified by the patient.
If the patient is present or otherwise available before the disclosure and has the capacity to make healthcare decisions, the covered entity may disclose this information if:
- The patient agrees, or
- The patient is given an opportunity to object and does not do so.
Additionally, the covered entity may share relevant information with these individuals if, based on professional judgment, it can reasonably infer that the patient does not object.
Possible professional responses to common requests
When faced with spousal inquiries:
Request: "Can you confirm my spouse is a patient here?" Compliant response: "I'm sorry, but I cannot confirm or deny if any specific individual is a client here. I'd be happy to provide information about our services in general."
Request: "What treatments does my spouse typically get?" Compliant response: "I understand you want to purchase something appropriate, but I cannot disclose any client's treatment information. Would you be interested in a gift card for a specific dollar amount instead?"
Request: "Who is my spouse's preferred practitioner?" Compliant response: "I cannot share information about client-practitioner relationships. All our practitioners are highly qualified, and a gift card can be used with any of them."
Request: "I pay for all her treatments, so I should have access." Compliant response: "Financial responsibility doesn't override HIPAA privacy protections. Each adult client maintains individual privacy rights regardless of payment arrangements."
Creating HIPAA compliant solutions
When spouses want to purchase gifts or services:
- Offer open-value gift cards: Provide gift certificates that can be applied to any service
- Suggest popular service packages: Discuss trending treatments without referencing any specific client
- Maintain written authorization policies: Have clear procedures for documenting when clients do authorize spousal access
- Train all staff: Ensure everyone from reception to practitioners understands these rules
Implementation steps for aesthetic businesses
The National Med Spa Association provides the following implementation steps for aesthetic businesses:
- Conduct a HIPAA risk assessment: Identify and evaluate potential risks to the confidentiality, integrity, and availability of PHI.
- Develop and implement policies and procedures: Create written policies and procedures to comply with HIPAA rules and train staff on these policies.
- Secure patient information: Use physical, administrative, and technical safeguards to protect PHI, including secure storage and transmission methods.
- Obtain patient consent and authorization: Ensure patients are informed about their rights and obtain necessary consents for using or disclosing their PHI.
- Monitor compliance: Regularly review and update security measures and ensure continuous compliance with HIPAA regulations.
- Handle breaches appropriately: Establish a breach response plan and follow required notification procedures in case of a PHI breach.
Legal consequences of non-compliance
The penalties for improper disclosure can be severe:
- Civil penalties ranging from $127 to $63,973 per violation
- Criminal penalties including fines up to $500,000 and imprisonment
- Loss of client trust and potential damage to reputation
- Possible licensure issues for medical professionals involved
FAQs
Can I share information with a spouse if they are listed as the emergency contact?
Only in emergencies or with explicit patient authorization.
Can front desk staff share PHI if the spouse claims to pay for services?
No—payment responsibility does not grant access to protected health information.
Do HIPAA rules apply to non-medical spa services like facials?
Only if the service involves medical procedures or PHI handled by a covered entity.
Is there a grace period for HIPAA compliance in new aesthetic businesses?
No—compliance is required from the moment PHI is collected or processed.
What training must staff receive to handle spousal inquiries correctly?
Staff should receive regular HIPAA training focused on real-world scenarios and privacy protocols.