The guidance covers circumstances in which the Privacy Rule permits health care providers to communicate with family members and others to enhance the treatment of patients and assure safety.
It includes answers to questions about when it is appropriate under the Privacy Rule for a health care provider to:
- share the protected health information of a patient who is being treated for a mental health condition
- communicate with a patient’s family members, friends, or others involved in the patient’s care, depending on whether the patient is an adult or a minor
- consider and address the patient’s capacity to agree or object to the sharing of their information
- involve a patient’s family members, friends, or others in dealing with patient failures to adhere to medication or other therapy
- listen to family members about their relatives receiving mental health treatment
- heightened protections afforded to psychotherapy notes by the Privacy Rule
- a parent’s right to access the protected health information of a minor child as the child’s personal representative
- potential applicability of Federal alcohol and drug abuse confidentiality regulations or state laws that may provide more stringent protections for the information than HIPAA
- the interaction of HIPAA and the national Family Educational Rights and Privacy Act (FERPA) in a school setting. Student health information held by a school generally is subject to FERPA rather than HIPAA.
The Privacy Rule permits a health care provider to disclose necessary information about a patient to law enforcement, family members of the patient, or other persons, when the provider believes the patient presents a serious and imminent threat to self or others. The scope of this permission is described in a letter to the nation’s health care providers issued on January 15, 2013, and below.
Specifically, when a health care provider believes in good faith that such a warning is necessary to prevent or lessen a serious and imminent threat to the health or safety of the patient or others, the Privacy Rule allows the provider, consistent with applicable law and standards of ethical conduct, to alert those persons whom the provider believes are reasonably able to prevent or lessen the threat. These provisions may be found in the Privacy Rule at 45 CFR § 164.512(j).
Under these provisions, a health care provider may disclose patient information, including information from mental health records, if necessary, to law enforcement, family members of the patient, or any other persons who may reasonably be able to prevent or lessen the risk of harm. For example, if a mental health professional has a patient who has made a credible threat to inflict serious and imminent bodily harm on one or more persons, HIPAA permits the mental health professional to alert the police, a parent or other family member, school administrators or campus police, and others who may be able to intervene to avert harm from the threat.
In addition to professional ethical standards, most States have laws and/or court decisions which address, and in many instances require, disclosure of patient information to prevent or lessen the risk of harm. Providers should consult the laws applicable to their profession in the States where they practice, as well as 42 USC 290dd-2 and 42 CFR Part 2 under Federal law (governing the disclosure of alcohol and drug abuse treatment records) to understand their duties and authority in situations where they have information indicating a threat to public safety. Note that, where a provider is not subject to such State laws or other ethical standards, the HIPAA permission still would allow disclosures for these purposes to the extent the other conditions of the permission are met.