Patients have six fundamental rights:
1. The right to receive a notice about the doctor's privacy policies.
This notice will be similar to the form credit card companies or banks currently send to customers, indicating specifically how they use their personal information. The notice must include information about patients' rights under HIPAA, including the right to access the information the doctor maintains about them and the right to complain if they feel their rights have been violated. Although the doctor does not have to obtain a patient's consent to use their personal health information for treatment, they must at least make a good faith effort to acquire the patient's acknowledgment that they received notice of the doctor's privacy policies. A copy of the acknowledgment should be kept in the patient's file.
2. The right to access the medical information that is maintained.
On request, the doctor may provide a summary of the patient records or the records themselves, but they must do so within a specified time period. If they provide a copy of records, they may charge the patient a reasonable price for reproducing them. There are some exceptions under which the doctor may deny patients access to their records. However, if this is done, the decision must be reviewed by another licensed professional whom they have designated in their privacy policies and procedures.
3. The right to limit the uses and disclosure of medical information.
This includes limitations that can cause significant practical problems. For example, a patient may not want their diagnosis of cancer disclosed to a payer out of fear the information could reach their employer. If they are estranged from their family, they may not want any information (e.g., their phone number) disclosed to their siblings. A patient could also refuse to allow the doctor to report data to their health plan for quality assurance purposes (which is otherwise protected under the definition of "operations" for which the doctor does not need consent). Although this is a patient's right under HIPAA, reporting such data is also a requirement of most managed care contracts. The doctor is not obligated to agree to patients' restrictions, nor must they care for patients whose restrictions would interfere with their treatment. If the doctor agrees to the restrictions, they must document them and abide by them. If they don't agree to them, the patient will either have to relinquish the request or look elsewhere for care. If the patient chooses the latter, the doctor will have to adhere to their basic common law responsibilities of non-abandonment.
4. The right to request amendments to the medical record.
The privacy notice the doctor gives to patients must specify how they should make requests to amend their records (e.g., in writing). The doctor may refuse such a request for several reasons, including that the patient's record is accurate and complete. However, the patient does have the right to appeal. If the doctor agrees to amend the patient's record, they must notify the individual and others to whom they have provided the information that it has been amended.
5. The right to revoke or limit authorization.
If the doctor's practice uses or discloses personal health information for any reason other than TPO, they must obtain a specific "authorization" from the patient. This is a form that states what information will be disclosed and how it will be done. Special rules apply for clinical trials or research data. Psychotherapy notes may only be disclosed subject to authorization. Parental access to minors' medical records will continue to be controlled by state law.
6. The right to an accounting of disclosures of PHI.
According to the privacy rule, patients can ask to see what disclosures have been made during the past six years only. .
HIPAA FORM AND ACKNOWLEDGMENT
| hipaa_form_letter_size.docx |
| hipaa_patient_signature_form.doc |
Hipaa’s Use as Code of Silence Often Misinterprets the Law
Paula Span : NY Times : July 15, 2015
How do people use, misuse or abuse Hipaa, the federal regulations protecting patients’ confidential health information? Let us count the ways:
■ Last month, in a continuing care retirement community in Ithaca, N.Y., Helen Wyvill, 72, noticed that a friend hadn’t shown up for their regular swim. She wasn’t in her apartment, either.
Had she gone to a hospital? Could friends visit or call? Was anyone taking care of the dog?
Questions to the staff brought a familiar nonresponse: Nobody could provide any information because of Hipaa.
“The administration says they have to abide by the law, blah, blah,” Ms. Wyvill said. “They won’t even tell you if somebody has died.”
■ Years ago, Patricia Gross, then 56, and a close friend had taken refuge in a cafe at Brigham and Women’s Hospital in Boston, where Ms. Gross’s husband was dying of cancer. She was lamenting his inadequately treated pain and her own distress when a woman seated at a nearby table walked over.
“She told me how very improper it was to be discussing the details of a patient’s treatment in public and that it was a Hipaa violation,” Ms. Gross recalled.
■ In 2012, Ericka Gray repeatedly phoned the emergency room at York Hospital in York, Pa., where her 85-year-old mother had gone after days of back pain, to alert the staff to her medical history. “They refused to take the information, citing Hipaa,” said Ms. Gray, who was in Chicago on a business trip.
“I’m not trying to get any information. I’m trying to give you information,” Ms. Gray told them, adding that because her mother’s memory was impaired, she couldn’t supply the crucial facts, like medication allergies.
By the time Ms. Gray found a nurse willing to listen, hours later, her mother had already been prescribed a drug she was allergic to. Fortunately, the staff hadn’t administered it yet.
Each scenario, attorneys say, involves a misinterpretation of the privacy rules created under the Health Insurance Portability and Accountability Act. “It’s become an all-purpose excuse for things people don’t want to talk about,” said Carol Levine, director of the United Hospital Fund’s Families and Health Care Project, which has published a Hipaa guide for family caregivers.
Intended to keep personal health information private, the law does not prohibit health care providers from sharing information with family, friends or caregivers unless the patient specifically objects. Even if she does object, is not present, or is incapacitated, providers may use “professional judgment” to disclose pertinent information to a relative or friend if it’s “in the best interests of the individual.”
Hipaa applies only to health care providers, health insurers, clearinghouses that manage and store health data, and their business associates. Yet when I last wrote about this topic, a California reader commented that she’d heard a minister explain that the names of ailing parishioners could no longer appear in the church bulletin because of Hipaa.
Wrong. Neither a church nor a distraught spouse is a “covered entity” under the law.
Last month, Representative Doris Matsui, Democrat of California and co-chairwoman of the Democratic Caucus Seniors Task Force, who has heard similar complaints from constituents, introduced legislation to clarify who can divulge what and under what circumstances. The proposed bill would require the Department of Health and Human Services, which last year issued new Hipaa “guidance,” to make that statement part of its regulations and to create model training programs for providers and administrators, patients and families.
“A lot of times it’s just misunderstanding what is and isn’t allowed under Hipaa,” Representative Matsui said in an interview.
So, what is and isn’t?
Family members can provide information, as Ms. Gray attempted to do. “How does keeping information confidential stop you from listening to someone?” said Eric Carlson, the directing attorney for Justice in Aging, a legal advocacy group in California. “There’s no Hipaa privacy consideration there.”
An assisted living facility or nursing home can report a death. It can also give someone’s general condition and location, assuming the patient remains within the facility. And if, as Ms. Wyvill suggested, residents ask administrators to keep a list of those who want their neighbors to know they’ve gone to a hospital, that’s perfectly legal under Hipaa.
The law gives providers flexibility in disclosing information in the patient’s interest, but it doesn’t require them to. Clinton Mikel, chairman of an American Bar Association group on e-health and privacy, said that providers sometimes decided, “ ‘We could, but we’re not required to, and we think this situation is a mess, so we’re going to exercise that option.’ ”
A caregiver’s strongest defense, Mr. Mikel said, is to be the patient’s personal representative — his health care proxy or guardian, or with power of attorney — or to have the patient himself authorize the release of information. In such cases, providers must comply.
Hipaa doesn’t require patients to give consent in writing. They can verbally ask that a relative or friend receive information. Facilities may legally demand a signature on a form, nonetheless, and many do.
Staff members’ fears of the consequences of an unintended Hipaa violation are probably overblown. Patients can complain to the Health and Human Services Office for Civil Rights, which lately has intensified enforcement of many aspects of the privacy rules, Mr. Mikel said.
Still, the civil rights office “is not in the gotcha game,” he said. The office generally tries to resolve complaints by fixing problems, not levying penalties.
“Do I see it going after a health care provider for disclosing something to a family member in good faith? I don’t,” Mr. Mikel said. An assisted living staff member or hospital aide isn’t likely to lose her job.
Another common complaint about Hipaa enforcement, by the way, is the lack of access to patients’ own health records, which they have a right to see or copy, though providers can charge copying fees.
Within families, decisions about how much health information to share, and with whom, often become complicated, as a recent study in JAMA Internal Medicine found. When researchers working to design online patient portals convened two sets of focus groups — one for people over age 75, another for family caregivers — they heard the usual tension between older adults’ need for assistance and their desire for autonomy.
“Seniors say, ‘I don’t want to burden my kids with my medical issues,’ ” said Bradley Crotty, the director of patient portals at Beth Israel Deaconess Medical Center in Boston and the study’s lead author. “And the family is saying, ‘I’m already worried. Not knowing is the burden.’ ”
The older group wanted help but not second-guessing or “spying,” Dr. Crotty added. They might agree to disclose the medications they take — just not all of them.
Moreover, the dynamic often changes with increasing disability or a health crisis.
“Say a senior has a serious medical condition — a stroke, for instance — and requires a lot of help and support,” Dr. Crotty said. “He could recover enough to want to take back control of his health information. It may go back and forth.”
Such negotiations require continuing discussions of what patients want to divulge and what families need to know. Personal relationships are tricky terrain.
The law, on the other hand, is comparatively straightforward.
“Providers may be disinclined to give out information anyway, and this provides an easy rationale,” Mr. Carlson, the Justice in Aging lawyer, said. “But Hipaa is more common sense than people give it credit for.”
Paula Span : NY Times : July 15, 2015
How do people use, misuse or abuse Hipaa, the federal regulations protecting patients’ confidential health information? Let us count the ways:
■ Last month, in a continuing care retirement community in Ithaca, N.Y., Helen Wyvill, 72, noticed that a friend hadn’t shown up for their regular swim. She wasn’t in her apartment, either.
Had she gone to a hospital? Could friends visit or call? Was anyone taking care of the dog?
Questions to the staff brought a familiar nonresponse: Nobody could provide any information because of Hipaa.
“The administration says they have to abide by the law, blah, blah,” Ms. Wyvill said. “They won’t even tell you if somebody has died.”
■ Years ago, Patricia Gross, then 56, and a close friend had taken refuge in a cafe at Brigham and Women’s Hospital in Boston, where Ms. Gross’s husband was dying of cancer. She was lamenting his inadequately treated pain and her own distress when a woman seated at a nearby table walked over.
“She told me how very improper it was to be discussing the details of a patient’s treatment in public and that it was a Hipaa violation,” Ms. Gross recalled.
■ In 2012, Ericka Gray repeatedly phoned the emergency room at York Hospital in York, Pa., where her 85-year-old mother had gone after days of back pain, to alert the staff to her medical history. “They refused to take the information, citing Hipaa,” said Ms. Gray, who was in Chicago on a business trip.
“I’m not trying to get any information. I’m trying to give you information,” Ms. Gray told them, adding that because her mother’s memory was impaired, she couldn’t supply the crucial facts, like medication allergies.
By the time Ms. Gray found a nurse willing to listen, hours later, her mother had already been prescribed a drug she was allergic to. Fortunately, the staff hadn’t administered it yet.
Each scenario, attorneys say, involves a misinterpretation of the privacy rules created under the Health Insurance Portability and Accountability Act. “It’s become an all-purpose excuse for things people don’t want to talk about,” said Carol Levine, director of the United Hospital Fund’s Families and Health Care Project, which has published a Hipaa guide for family caregivers.
Intended to keep personal health information private, the law does not prohibit health care providers from sharing information with family, friends or caregivers unless the patient specifically objects. Even if she does object, is not present, or is incapacitated, providers may use “professional judgment” to disclose pertinent information to a relative or friend if it’s “in the best interests of the individual.”
Hipaa applies only to health care providers, health insurers, clearinghouses that manage and store health data, and their business associates. Yet when I last wrote about this topic, a California reader commented that she’d heard a minister explain that the names of ailing parishioners could no longer appear in the church bulletin because of Hipaa.
Wrong. Neither a church nor a distraught spouse is a “covered entity” under the law.
Last month, Representative Doris Matsui, Democrat of California and co-chairwoman of the Democratic Caucus Seniors Task Force, who has heard similar complaints from constituents, introduced legislation to clarify who can divulge what and under what circumstances. The proposed bill would require the Department of Health and Human Services, which last year issued new Hipaa “guidance,” to make that statement part of its regulations and to create model training programs for providers and administrators, patients and families.
“A lot of times it’s just misunderstanding what is and isn’t allowed under Hipaa,” Representative Matsui said in an interview.
So, what is and isn’t?
Family members can provide information, as Ms. Gray attempted to do. “How does keeping information confidential stop you from listening to someone?” said Eric Carlson, the directing attorney for Justice in Aging, a legal advocacy group in California. “There’s no Hipaa privacy consideration there.”
An assisted living facility or nursing home can report a death. It can also give someone’s general condition and location, assuming the patient remains within the facility. And if, as Ms. Wyvill suggested, residents ask administrators to keep a list of those who want their neighbors to know they’ve gone to a hospital, that’s perfectly legal under Hipaa.
The law gives providers flexibility in disclosing information in the patient’s interest, but it doesn’t require them to. Clinton Mikel, chairman of an American Bar Association group on e-health and privacy, said that providers sometimes decided, “ ‘We could, but we’re not required to, and we think this situation is a mess, so we’re going to exercise that option.’ ”
A caregiver’s strongest defense, Mr. Mikel said, is to be the patient’s personal representative — his health care proxy or guardian, or with power of attorney — or to have the patient himself authorize the release of information. In such cases, providers must comply.
Hipaa doesn’t require patients to give consent in writing. They can verbally ask that a relative or friend receive information. Facilities may legally demand a signature on a form, nonetheless, and many do.
Staff members’ fears of the consequences of an unintended Hipaa violation are probably overblown. Patients can complain to the Health and Human Services Office for Civil Rights, which lately has intensified enforcement of many aspects of the privacy rules, Mr. Mikel said.
Still, the civil rights office “is not in the gotcha game,” he said. The office generally tries to resolve complaints by fixing problems, not levying penalties.
“Do I see it going after a health care provider for disclosing something to a family member in good faith? I don’t,” Mr. Mikel said. An assisted living staff member or hospital aide isn’t likely to lose her job.
Another common complaint about Hipaa enforcement, by the way, is the lack of access to patients’ own health records, which they have a right to see or copy, though providers can charge copying fees.
Within families, decisions about how much health information to share, and with whom, often become complicated, as a recent study in JAMA Internal Medicine found. When researchers working to design online patient portals convened two sets of focus groups — one for people over age 75, another for family caregivers — they heard the usual tension between older adults’ need for assistance and their desire for autonomy.
“Seniors say, ‘I don’t want to burden my kids with my medical issues,’ ” said Bradley Crotty, the director of patient portals at Beth Israel Deaconess Medical Center in Boston and the study’s lead author. “And the family is saying, ‘I’m already worried. Not knowing is the burden.’ ”
The older group wanted help but not second-guessing or “spying,” Dr. Crotty added. They might agree to disclose the medications they take — just not all of them.
Moreover, the dynamic often changes with increasing disability or a health crisis.
“Say a senior has a serious medical condition — a stroke, for instance — and requires a lot of help and support,” Dr. Crotty said. “He could recover enough to want to take back control of his health information. It may go back and forth.”
Such negotiations require continuing discussions of what patients want to divulge and what families need to know. Personal relationships are tricky terrain.
The law, on the other hand, is comparatively straightforward.
“Providers may be disinclined to give out information anyway, and this provides an easy rationale,” Mr. Carlson, the Justice in Aging lawyer, said. “But Hipaa is more common sense than people give it credit for.”
HIPAA Privacy Rule and Sharing Information Related to Mental Health
Download PDF version
Background
The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule provides consumers with important privacy rights and protections with respect to their health information, including important controls over how their health information is used and disclosed by health plans and health care providers. Ensuring strong privacy protections is critical to maintaining individuals’ trust in their health care providers and willingness to obtain needed health care services, and these protections are especially important where very sensitive information is concerned, such as mental health information. At the same time, the Privacy Rule recognizes circumstances arise where health information may need to be shared to ensure the patient receives the best treatment and for other important purposes, such as for the health and safety of the patient or others. The Rule is carefully balanced to allow uses and disclosures of information—including mental health information—for treatment and these other purposes with appropriate protections.
In this guidance, we address some of the more frequently asked questions about when it is appropriate under the Privacy Rule for a health care provider to share the protected health information of a patient who is being treated for a mental health condition. We clarify when HIPAA permits health care providers to:
Questions and Answers about HIPAA and Mental Health
Does HIPAA allow a health care provider to communicate with a patient’s family, friends, or other persons who are involved in the patient’s care?
Yes. In recognition of the integral role that family and friends play in a patient’s health care, the HIPAA Privacy Rule allows these routine – and often critical – communications between health care providers and these persons. Where a patient is present and has the capacity to make health care decisions, health care providers may communicate with a patient’s family members, friends, or other persons the patient has involved in his or her health care or payment for care, so long as the patient does not object. See 45 CFR 164.510(b). The provider may ask the patient’s permission to share relevant information with family members or others, may tell the patient he or she plans to discuss the information and give them an opportunity to agree or object, or may infer from the circumstances, using professional judgment, that the patient does not object. A common example of the latter would be situations in which a family member or friend is invited by the patient and present in the treatment room with the patient and the provider when a disclosure is made.
Where a patient is not present or is incapacitated, a health care provider may share the patient’s information with family, friends, or others involved in the patient’s care or payment for care, as long as the health care provider determines, based on professional judgment, that doing so is in the best interests of the patient. Note that, when someone other than a friend or family member is involved, the health care provider must be reasonably sure that the patient asked the person to be involved in his or her care or payment for care.
In all cases, disclosures to family members, friends, or other persons involved in the patient’s care or payment for care are to be limited to only the protected health information directly relevant to the person’s involvement in the patient’s care or payment for care.
OCR’s website contains additional information about disclosures to family members and friends in fact sheets developed for consumers and providers.
Does HIPAA provide extra protections for mental health information compared with other health information?
Generally, the Privacy Rule applies uniformly to all protected health information, without regard to the type of information. One exception to this general rule is for psychotherapy notes, which receive special protections. The Privacy Rule defines psychotherapy notes as notes recorded by a health care provider who is a mental health professional documenting or analyzing the contents of a conversation during a private counseling session or a group, joint, or family counseling session and that are separate from the rest of the patient’s medical record. Psychotherapy notes do not include any information about medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, or results of clinical tests; nor do they include summaries of diagnosis, functional status, treatment plan, symptoms, prognosis, and progress to date. Psychotherapy notes also do not include any information that is maintained in a patient’s medical record. See 45 CFR 164.501.
Psychotherapy notes are treated differently from other mental health information both because they contain particularly sensitive information and because they are the personal notes of the therapist that typically are not required or useful for treatment, payment, or health care operations purposes, other than by the mental health professional who created the notes. Therefore, with few exceptions, the Privacy Rule requires a covered entity to obtain a patient’s authorization prior to a disclosure of psychotherapy notes for any reason, including a disclosure for treatment purposes to a health care provider other than the originator of the notes. See 45 CFR 164.508(a)(2). A notable exception exists for disclosures required by other law, such as for mandatory reporting of abuse, and mandatory “duty to warn” situations regarding threats of serious and imminent harm made by the patient (State laws vary as to whether such a warning is mandatory or permissible).
Is a health care provider permitted to discuss an adult patient’s mental health information with the patient’s parents or other family members?
In situations where the patient is given the opportunity and does not object, HIPAA allows the provider to share or discuss the patient’s mental health information with family members or other persons involved in the patient’s care or payment for care. For example, if the patient does not object:
When does mental illness or another mental condition constitute incapacity under the Privacy Rule? For example, what if a patient who is experiencing temporary psychosis or is intoxicated does not have the capacity to agree or object to a health care provider sharing information with a family member, but the provider believes the disclosure is in the patient’s best interests?
Section 164.510(b)(3) of the HIPAA Privacy Rule permits a health care provider, when a patient is not present or is unable to agree or object to a disclosure due to incapacity or emergency circumstances, to determine whether disclosing a patient’s information to the patient’s family, friends, or other persons involved in the patient’s care or payment for care, is in the best interests of the patient.1Where a provider determines that such a disclosure is in the patient’s best interests, the provider would be permitted to disclose only the PHI that is directly relevant to the person’s involvement in the patient’s care or payment for care.
This permission clearly applies where a patient is unconscious. However, there may be additional situations in which a health care provider believes, based on professional judgment, that the patient does not have the capacity to agree or object to the sharing of personal health information at a particular time and that sharing the information is in the best interests of the patient at that time. These may include circumstances in which a patient is suffering from temporary psychosis or is under the influence of drugs or alcohol. If, for example, the provider believes the patient cannot meaningfully agree or object to the sharing of the patient’s information with family, friends, or other persons involved in their care due to her current mental state, the provider is allowed to discuss the patient’s condition or treatment with a family member, if the provider believes it would be in the patient’s best interests. In making this determination about the patient’s best interests, the provider should take into account the patient’s prior expressed preferences regarding disclosures of their information, if any, as well as the circumstances of the current situation. Once the patient regains the capacity to make these choices for herself, the provider should offer the patient the opportunity to agree or object to any future sharing of her information.
If a health care provider knows that a patient with a serious mental illness has stopped taking a prescribed medication, can the provider tell the patient’s family members?
So long as the patient does not object, HIPAA allows the provider to share or discuss a patient’s mental health information with the patient’s family members. See 45 CFR 164.510(b). If the provider believes, based on professional judgment, that the patient does not have the capacity to agree or object to sharing the information at that time, and that sharing the information would be in the patient’s best interests, the provider may tell the patient’s family member. In either case, the health care provider may share or discuss only the information that the family member involved needs to know about the patient’s care or payment for care.
Otherwise, if the patient has capacity and objects to the provider sharing information with the patient’s family member, the provider may only share the information if doing so is consistent with applicable law and standards of ethical conduct, and the provider has a good faith belief that the patient poses a threat to the health or safety of the patient or others, and the family member is reasonably able to prevent or lessen that threat. See 45 CFR 164.512(j). For example, if a doctor knows from experience that, when a patient’s medication is not at a therapeutic level, the patient is at high risk of committing suicide, the doctor may believe in good faith that disclosure is necessary to prevent or lessen the threat of harm to the health or safety of the patient who has stopped taking the prescribed medication, and may share information with the patient’s family or other caregivers who can avert the threat. However, absent a good faith belief that the disclosure is necessary to prevent a serious and imminent threat to the health or safety of the patient or others, the doctor must respect the wishes of the patient with respect to the disclosure.
Can a minor child’s doctor talk to the child’s parent about the patient’s mental health status and needs?
With respect to general treatment situations, a parent, guardian, or other person acting in loco parentis usually is the personal representative of the minor child, and a health care provider is permitted to share patient information with a patient’s personal representative under the Privacy Rule. However, section 164.502(g) of the Privacy Rule contains several important exceptions to this general rule. A parent is not treated as a minor child’s personal representative when: (1) State or other law does not require the consent of a parent or other person before a minor can obtain a particular health care service, the minor consents to the health care service, and the minor child has not requested the parent be treated as a personal representative; (2) someone other than the parent is authorized by law to consent to the provision of a particular health service to a minor and provides such consent; or (3) a parent agrees to a confidential relationship between the minor and a health care provider with respect to the health care service.2 For example, if State law provides an adolescent the right to obtain mental health treatment without parental consent, and the adolescent consents to such treatment, the parent would not be the personal representative of the adolescent with respect to that mental health treatment information.
Regardless, however, of whether the parent is otherwise considered a personal representative, the Privacy Rule defers to State or other applicable laws that expressly address the ability of the parent to obtain health information about the minor child. In doing so, the Privacy Rule permits a covered entity to disclose to a parent, or provide the parent with access to, a minor child’s protected health information when and to the extent it is permitted or required by State or other laws (including relevant case law). Likewise, the Privacy Rule prohibits a covered entity from disclosing a minor child’s protected health information to a parent when and to the extent it is prohibited under State or other laws (including relevant case law). See 45 CFR 164.502(g)(3)(ii).
In cases in which State or other applicable law is silent concerning disclosing a minor’s protected health information to a parent, and the parent is not the personal representative of the minor child based on one of the exceptional circumstances described above, a covered entity has discretion to provide or deny a parent access to the minor’s health information, if doing so is consistent with State or other applicable law, and the decision is made by a licensed health care professional in the exercise of professional judgment. For more information about personal representatives under the Privacy Rule, see OCR’s guidance for consumers and providers.
In situations where a minor patient is being treated for a mental health disorder and a substance abuse disorder, additional laws may be applicable. The Federal confidentiality statute and regulations that apply to federally-funded drug and alcohol abuse treatment programs contain provisions that are more stringent than HIPAA. See 42 USC § 290dd–2; 42 CFR 2.11, et. seq.
At what age of a child is the parent no longer the personal representative of the child for HIPAA purposes?
HIPAA defers to state law to determine the age of majority and the rights of parents to act for a child in making health care decisions, and thus, the ability of the parent to act as the personal representative of the child for HIPAA purposes. See 45 CFR 164.502(g).
Does a parent have a right to receive a copy of psychotherapy notes about a child’s mental health treatment?
No. The Privacy Rule distinguishes between mental health information in a mental health professional’s private notes and that contained in the medical record. It does not provide a right of access to psychotherapy notes, which the Privacy Rule defines as notes recorded by a health care provider who is a mental health professional documenting or analyzing the contents of a conversation during a private counseling session or a group, joint, or family counseling session and that are separate from the rest of the patient’s medical record. See 45 CFR 164.501. Psychotherapy notes are primarily for personal use by the treating professional and generally are not disclosed for other purposes. Thus, the Privacy Rule includes an exception to an individual’s (or personal representative’s) right of access for psychotherapy notes. See 45 CFR 164.524(a)(1)(i).
However, parents generally are the personal representatives of their minor child and, as such, are able to receive a copy of their child’s mental health information contained in the medical record, including information about diagnosis, symptoms, treatment plans, etc. Further, although the Privacy Rule does not provide a right for a patient or personal representative to access psychotherapy notes regarding the patient, HIPAA generally gives providers discretion to disclose the individual’s own protected health information (including psychotherapy notes) directly to the individual or the individual’s personal representative. As any such disclosure is purely permissive under the Privacy Rule, mental health providers should consult applicable State law for any prohibitions or conditions before making such disclosures.
What options do family members of an adult patient with mental illness have if they are concerned about the patient’s mental health and the patient refuses to agree to let a health care provider share information with the family?
The HIPAA Privacy Rule permits a health care provider to disclose information to the family members of an adult patient who has capacity and indicates that he or she does not want the disclosure made, only to the extent that the provider perceives a serious and imminent threat to the health or safety of the patient or others and the family members are in a position to lessen the threat. Otherwise, under HIPAA, the provider must respect the wishes of the adult patient who objects to the disclosure. However, HIPAA in no way prevents health care providers from listening to family members or other caregivers who may have concerns about the health and well-being of the patient, so the health care provider can factor that information into the patient’s care.
In the event that the patient later requests access to the health record, any information disclosed to the provider by another person who is not a health care provider that was given under a promise of confidentiality (such as that shared by a concerned family member), may be withheld from the patient if the disclosure would be reasonably likely to reveal the source of the information. 45 CFR 164.524(a)(2)(v). This exception to the patient’s right of access to protected health information gives family members the ability to disclose relevant safety information with health care providers without fear of disrupting the family’s relationship with the patient.
Does HIPAA permit a doctor to contact a patient’s family or law enforcement if the doctor believes that the patient might hurt herself or someone else?
Yes. The Privacy Rule permits a health care provider to disclose necessary information about a patient to law enforcement, family members of the patient, or other persons, when the provider believes the patient presents a serious and imminent threat to self or others. The scope of this permission is described in a letter to the nation’s health care providers issued on January 15, 2013, and below.
Specifically, when a health care provider believes in good faith that such a warning is necessary to prevent or lessen a serious and imminent threat to the health or safety of the patient or others, the Privacy Rule allows the provider, consistent with applicable law and standards of ethical conduct, to alert those persons whom the provider believes are reasonably able to prevent or lessen the threat. These provisions may be found in the Privacy Rule at 45 CFR § 164.512(j).
Under these provisions, a health care provider may disclose patient information, including information from mental health records, if necessary, to law enforcement, family members of the patient, or any other persons who may reasonably be able to prevent or lessen the risk of harm. For example, if a mental health professional has a patient who has made a credible threat to inflict serious and imminent bodily harm on one or more persons, HIPAA permits the mental health professional to alert the police, a parent or other family member, school administrators or campus police, and others who may be able to intervene to avert harm from the threat.
In addition to professional ethical standards, most States have laws and/or court decisions which address, and in many instances require, disclosure of patient information to prevent or lessen the risk of harm. Providers should consult the laws applicable to their profession in the States where they practice, as well as 42 USC 290dd-2 and 42 CFR Part 2 under Federal law (governing the disclosure of alcohol and drug abuse treatment records) to understand their duties and authority in situations where they have information indicating a threat to public safety. Note that, where a provider is not subject to such State laws or other ethical standards, the HIPAA permission still would allow disclosures for these purposes to the extent the other conditions of the permission are met.
If a law enforcement officer brings a patient to a hospital or other mental health facility to be placed on a temporary psychiatric hold, and requests to be notified if or when the patient is released, can the facility make that notification?
The Privacy Rule permits a HIPAA covered entity, such as a hospital, to disclose certain protected health information, including the date and time of admission and discharge, in response to a law enforcement official’s request, for the purpose of locating or identifying a suspect, fugitive, material witness, or missing person. See 45 CFR § 164.512(f)(2). Under this provision, a covered entity may disclose the following information about an individual: name and address; date and place of birth; social security number; blood type and rh factor; type of injury; date and time of treatment (includes date and time of admission and discharge) or death; and a description of distinguishing physical characteristics (such as height and weight). However, a covered entity may not disclose any protected health information under this provision related to DNA or DNA analysis, dental records, or typing, samples, or analysis of body fluids or tissue. The law enforcement official’s request may be made orally or in writing.
Other Privacy Rule provisions also may be relevant depending on the circumstances, such as where a law enforcement official is seeking information about a person who may not rise to the level of a suspect, fugitive, material witness, or missing person, or needs protected health information not permitted under the above provision. For example, the Privacy Rule’s law enforcement provisions also permit a covered entity to respond to an administrative request from a law enforcement official, such as an investigative demand for a patient’s protected health information, provided the administrative request includes or is accompanied by a written statement specifying that the information requested is relevant, specific and limited in scope, and that de-identified information would not suffice in that situation. The Rule also permits covered entities to respond to court orders and court-ordered warrants, and subpoenas and summonses issued by judicial officers. See 45 CFR § 164.512(f)(1). Further, to the extent that State law may require providers to make certain disclosures, the Privacy Rule would permit such disclosures of protected health information as “required-by-law” disclosures. See 45 CFR § 164.512(a).
Finally, the Privacy Rule permits a covered health care provider, such as a hospital, to disclose a patient’s protected health information, consistent with applicable legal and ethical standards, to avert a serious and imminent threat to the health or safety of the patient or others. Such disclosures may be to law enforcement authorities or any other persons, such as family members, who are able to prevent or lessen the threat. See 45 CFR § 164.512(j).
If a doctor believes that a patient might hurt himself or herself or someone else, is it the duty of the provider to notify the family or law enforcement authorities?
A health care provider’s “duty to warn” generally is derived from and defined by standards of ethical conduct and State laws and court decisions such as Tarasoff v. Regents of the University of California. HIPAA permits a covered health care provider to notify a patient’s family members of a serious and imminent threat to the health or safety of the patient or others if those family members are in a position to lessen or avert the threat. Thus, to the extent that a provider determines that there is a serious and imminent threat of a patient physically harming self or others, HIPAA would permit the provider to warn the appropriate person(s) of the threat, consistent with his or her professional ethical obligations and State law requirements. See 45 CFR 164.512(j). In addition, even where danger is not imminent, HIPAA permits a covered provider to communicate with a patient’s family members, or others involved in the patient’s care, to be on watch or ensure compliance with medication regimens, as long as the patient has been provided an opportunity to agree or object to the disclosure and no objection has been made. See 45 CFR 164.510(b)(2).
Does HIPAA prevent a school administrator, or a school doctor or nurse, from sharing concerns about a student’s mental health with the student’s parents or law enforcement authorities?
Student health information held by a school generally is subject to the Family Educational Rights and Privacy Act (FERPA), not HIPAA. HHS and the Department of Education have developed guidance clarifying the application of HIPAA and FERPA.
In the limited circumstances where the HIPAA Privacy Rule, and not FERPA, may apply to health information in the school setting, the Rule allows disclosures to parents of a minor patient or to law enforcement in various situations. For example, parents generally are presumed to be the personal representatives of their unemancipated minor child for HIPAA privacy purposes, such that covered entities may disclose the minor’s protected health information to a parent. See 45 CFR § 164.502 (g)(3). In addition, disclosures to prevent or lessen serious and imminent threats to the health or safety of the patient or others are permitted for notification to those who are able to lessen the threat, including law enforcement, parents or others, as relevant. See 45 CFR § 164.512(j).
Notes
1 The Privacy Rule permits, but does not require, providers to disclose information in these situations. Providers who are subject to more stringent privacy standards under other laws, such as certain state confidentiality laws or 42 CFR Part 2, would need to consider whether there is a similar disclosure permission under those laws that would apply in the circumstances.
2 A parent also may not be a personal representative if there are safety concerns. A provider may decide not to treat the parent as the minor’s personal representative if the provider believes that the minor has been or may be subject to violence, abuse, or neglect by the parent or the minor may be endangered by treating the parent as the personal representative; and the provider determines, in the exercise of professional judgment, that it is not in the best interests of the patient to treat the parent as the personal representative. See 45 CFR 164.502(g)(5).
Download PDF version
Background
The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule provides consumers with important privacy rights and protections with respect to their health information, including important controls over how their health information is used and disclosed by health plans and health care providers. Ensuring strong privacy protections is critical to maintaining individuals’ trust in their health care providers and willingness to obtain needed health care services, and these protections are especially important where very sensitive information is concerned, such as mental health information. At the same time, the Privacy Rule recognizes circumstances arise where health information may need to be shared to ensure the patient receives the best treatment and for other important purposes, such as for the health and safety of the patient or others. The Rule is carefully balanced to allow uses and disclosures of information—including mental health information—for treatment and these other purposes with appropriate protections.
In this guidance, we address some of the more frequently asked questions about when it is appropriate under the Privacy Rule for a health care provider to share the protected health information of a patient who is being treated for a mental health condition. We clarify when HIPAA permits health care providers to:
- Communicate with a patient’s family members, friends, or others involved in the patient’s care;
- Communicate with family members when the patient is an adult;
- Communicate with the parent of a patient who is a minor;
- Consider the patient’s capacity to agree or object to the sharing of their information;
- Involve a patient’s family members, friends, or others in dealing with patient failures to adhere to medication or other therapy;
- Listen to family members about their loved ones receiving mental health treatment;
- Communicate with family members, law enforcement, or others when the patient presents a serious and imminent threat of harm to self or others; and
- Communicate to law enforcement about the release of a patient brought in for an emergency psychiatric hold.
Questions and Answers about HIPAA and Mental Health
Does HIPAA allow a health care provider to communicate with a patient’s family, friends, or other persons who are involved in the patient’s care?
Yes. In recognition of the integral role that family and friends play in a patient’s health care, the HIPAA Privacy Rule allows these routine – and often critical – communications between health care providers and these persons. Where a patient is present and has the capacity to make health care decisions, health care providers may communicate with a patient’s family members, friends, or other persons the patient has involved in his or her health care or payment for care, so long as the patient does not object. See 45 CFR 164.510(b). The provider may ask the patient’s permission to share relevant information with family members or others, may tell the patient he or she plans to discuss the information and give them an opportunity to agree or object, or may infer from the circumstances, using professional judgment, that the patient does not object. A common example of the latter would be situations in which a family member or friend is invited by the patient and present in the treatment room with the patient and the provider when a disclosure is made.
Where a patient is not present or is incapacitated, a health care provider may share the patient’s information with family, friends, or others involved in the patient’s care or payment for care, as long as the health care provider determines, based on professional judgment, that doing so is in the best interests of the patient. Note that, when someone other than a friend or family member is involved, the health care provider must be reasonably sure that the patient asked the person to be involved in his or her care or payment for care.
In all cases, disclosures to family members, friends, or other persons involved in the patient’s care or payment for care are to be limited to only the protected health information directly relevant to the person’s involvement in the patient’s care or payment for care.
OCR’s website contains additional information about disclosures to family members and friends in fact sheets developed for consumers and providers.
Does HIPAA provide extra protections for mental health information compared with other health information?
Generally, the Privacy Rule applies uniformly to all protected health information, without regard to the type of information. One exception to this general rule is for psychotherapy notes, which receive special protections. The Privacy Rule defines psychotherapy notes as notes recorded by a health care provider who is a mental health professional documenting or analyzing the contents of a conversation during a private counseling session or a group, joint, or family counseling session and that are separate from the rest of the patient’s medical record. Psychotherapy notes do not include any information about medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, or results of clinical tests; nor do they include summaries of diagnosis, functional status, treatment plan, symptoms, prognosis, and progress to date. Psychotherapy notes also do not include any information that is maintained in a patient’s medical record. See 45 CFR 164.501.
Psychotherapy notes are treated differently from other mental health information both because they contain particularly sensitive information and because they are the personal notes of the therapist that typically are not required or useful for treatment, payment, or health care operations purposes, other than by the mental health professional who created the notes. Therefore, with few exceptions, the Privacy Rule requires a covered entity to obtain a patient’s authorization prior to a disclosure of psychotherapy notes for any reason, including a disclosure for treatment purposes to a health care provider other than the originator of the notes. See 45 CFR 164.508(a)(2). A notable exception exists for disclosures required by other law, such as for mandatory reporting of abuse, and mandatory “duty to warn” situations regarding threats of serious and imminent harm made by the patient (State laws vary as to whether such a warning is mandatory or permissible).
Is a health care provider permitted to discuss an adult patient’s mental health information with the patient’s parents or other family members?
In situations where the patient is given the opportunity and does not object, HIPAA allows the provider to share or discuss the patient’s mental health information with family members or other persons involved in the patient’s care or payment for care. For example, if the patient does not object:
- A psychiatrist may discuss the drugs a patient needs to take with the patient’s sister who is present with the patient at a mental health care appointment.
- A therapist may give information to a patient’s spouse about warning signs that may signal a developing emergency.
- A nurse may not discuss a patient’s mental health condition with the patient’s brother after the patient has stated she does not want her family to know about her condition.
When does mental illness or another mental condition constitute incapacity under the Privacy Rule? For example, what if a patient who is experiencing temporary psychosis or is intoxicated does not have the capacity to agree or object to a health care provider sharing information with a family member, but the provider believes the disclosure is in the patient’s best interests?
Section 164.510(b)(3) of the HIPAA Privacy Rule permits a health care provider, when a patient is not present or is unable to agree or object to a disclosure due to incapacity or emergency circumstances, to determine whether disclosing a patient’s information to the patient’s family, friends, or other persons involved in the patient’s care or payment for care, is in the best interests of the patient.1Where a provider determines that such a disclosure is in the patient’s best interests, the provider would be permitted to disclose only the PHI that is directly relevant to the person’s involvement in the patient’s care or payment for care.
This permission clearly applies where a patient is unconscious. However, there may be additional situations in which a health care provider believes, based on professional judgment, that the patient does not have the capacity to agree or object to the sharing of personal health information at a particular time and that sharing the information is in the best interests of the patient at that time. These may include circumstances in which a patient is suffering from temporary psychosis or is under the influence of drugs or alcohol. If, for example, the provider believes the patient cannot meaningfully agree or object to the sharing of the patient’s information with family, friends, or other persons involved in their care due to her current mental state, the provider is allowed to discuss the patient’s condition or treatment with a family member, if the provider believes it would be in the patient’s best interests. In making this determination about the patient’s best interests, the provider should take into account the patient’s prior expressed preferences regarding disclosures of their information, if any, as well as the circumstances of the current situation. Once the patient regains the capacity to make these choices for herself, the provider should offer the patient the opportunity to agree or object to any future sharing of her information.
If a health care provider knows that a patient with a serious mental illness has stopped taking a prescribed medication, can the provider tell the patient’s family members?
So long as the patient does not object, HIPAA allows the provider to share or discuss a patient’s mental health information with the patient’s family members. See 45 CFR 164.510(b). If the provider believes, based on professional judgment, that the patient does not have the capacity to agree or object to sharing the information at that time, and that sharing the information would be in the patient’s best interests, the provider may tell the patient’s family member. In either case, the health care provider may share or discuss only the information that the family member involved needs to know about the patient’s care or payment for care.
Otherwise, if the patient has capacity and objects to the provider sharing information with the patient’s family member, the provider may only share the information if doing so is consistent with applicable law and standards of ethical conduct, and the provider has a good faith belief that the patient poses a threat to the health or safety of the patient or others, and the family member is reasonably able to prevent or lessen that threat. See 45 CFR 164.512(j). For example, if a doctor knows from experience that, when a patient’s medication is not at a therapeutic level, the patient is at high risk of committing suicide, the doctor may believe in good faith that disclosure is necessary to prevent or lessen the threat of harm to the health or safety of the patient who has stopped taking the prescribed medication, and may share information with the patient’s family or other caregivers who can avert the threat. However, absent a good faith belief that the disclosure is necessary to prevent a serious and imminent threat to the health or safety of the patient or others, the doctor must respect the wishes of the patient with respect to the disclosure.
Can a minor child’s doctor talk to the child’s parent about the patient’s mental health status and needs?
With respect to general treatment situations, a parent, guardian, or other person acting in loco parentis usually is the personal representative of the minor child, and a health care provider is permitted to share patient information with a patient’s personal representative under the Privacy Rule. However, section 164.502(g) of the Privacy Rule contains several important exceptions to this general rule. A parent is not treated as a minor child’s personal representative when: (1) State or other law does not require the consent of a parent or other person before a minor can obtain a particular health care service, the minor consents to the health care service, and the minor child has not requested the parent be treated as a personal representative; (2) someone other than the parent is authorized by law to consent to the provision of a particular health service to a minor and provides such consent; or (3) a parent agrees to a confidential relationship between the minor and a health care provider with respect to the health care service.2 For example, if State law provides an adolescent the right to obtain mental health treatment without parental consent, and the adolescent consents to such treatment, the parent would not be the personal representative of the adolescent with respect to that mental health treatment information.
Regardless, however, of whether the parent is otherwise considered a personal representative, the Privacy Rule defers to State or other applicable laws that expressly address the ability of the parent to obtain health information about the minor child. In doing so, the Privacy Rule permits a covered entity to disclose to a parent, or provide the parent with access to, a minor child’s protected health information when and to the extent it is permitted or required by State or other laws (including relevant case law). Likewise, the Privacy Rule prohibits a covered entity from disclosing a minor child’s protected health information to a parent when and to the extent it is prohibited under State or other laws (including relevant case law). See 45 CFR 164.502(g)(3)(ii).
In cases in which State or other applicable law is silent concerning disclosing a minor’s protected health information to a parent, and the parent is not the personal representative of the minor child based on one of the exceptional circumstances described above, a covered entity has discretion to provide or deny a parent access to the minor’s health information, if doing so is consistent with State or other applicable law, and the decision is made by a licensed health care professional in the exercise of professional judgment. For more information about personal representatives under the Privacy Rule, see OCR’s guidance for consumers and providers.
In situations where a minor patient is being treated for a mental health disorder and a substance abuse disorder, additional laws may be applicable. The Federal confidentiality statute and regulations that apply to federally-funded drug and alcohol abuse treatment programs contain provisions that are more stringent than HIPAA. See 42 USC § 290dd–2; 42 CFR 2.11, et. seq.
At what age of a child is the parent no longer the personal representative of the child for HIPAA purposes?
HIPAA defers to state law to determine the age of majority and the rights of parents to act for a child in making health care decisions, and thus, the ability of the parent to act as the personal representative of the child for HIPAA purposes. See 45 CFR 164.502(g).
Does a parent have a right to receive a copy of psychotherapy notes about a child’s mental health treatment?
No. The Privacy Rule distinguishes between mental health information in a mental health professional’s private notes and that contained in the medical record. It does not provide a right of access to psychotherapy notes, which the Privacy Rule defines as notes recorded by a health care provider who is a mental health professional documenting or analyzing the contents of a conversation during a private counseling session or a group, joint, or family counseling session and that are separate from the rest of the patient’s medical record. See 45 CFR 164.501. Psychotherapy notes are primarily for personal use by the treating professional and generally are not disclosed for other purposes. Thus, the Privacy Rule includes an exception to an individual’s (or personal representative’s) right of access for psychotherapy notes. See 45 CFR 164.524(a)(1)(i).
However, parents generally are the personal representatives of their minor child and, as such, are able to receive a copy of their child’s mental health information contained in the medical record, including information about diagnosis, symptoms, treatment plans, etc. Further, although the Privacy Rule does not provide a right for a patient or personal representative to access psychotherapy notes regarding the patient, HIPAA generally gives providers discretion to disclose the individual’s own protected health information (including psychotherapy notes) directly to the individual or the individual’s personal representative. As any such disclosure is purely permissive under the Privacy Rule, mental health providers should consult applicable State law for any prohibitions or conditions before making such disclosures.
What options do family members of an adult patient with mental illness have if they are concerned about the patient’s mental health and the patient refuses to agree to let a health care provider share information with the family?
The HIPAA Privacy Rule permits a health care provider to disclose information to the family members of an adult patient who has capacity and indicates that he or she does not want the disclosure made, only to the extent that the provider perceives a serious and imminent threat to the health or safety of the patient or others and the family members are in a position to lessen the threat. Otherwise, under HIPAA, the provider must respect the wishes of the adult patient who objects to the disclosure. However, HIPAA in no way prevents health care providers from listening to family members or other caregivers who may have concerns about the health and well-being of the patient, so the health care provider can factor that information into the patient’s care.
In the event that the patient later requests access to the health record, any information disclosed to the provider by another person who is not a health care provider that was given under a promise of confidentiality (such as that shared by a concerned family member), may be withheld from the patient if the disclosure would be reasonably likely to reveal the source of the information. 45 CFR 164.524(a)(2)(v). This exception to the patient’s right of access to protected health information gives family members the ability to disclose relevant safety information with health care providers without fear of disrupting the family’s relationship with the patient.
Does HIPAA permit a doctor to contact a patient’s family or law enforcement if the doctor believes that the patient might hurt herself or someone else?
Yes. The Privacy Rule permits a health care provider to disclose necessary information about a patient to law enforcement, family members of the patient, or other persons, when the provider believes the patient presents a serious and imminent threat to self or others. The scope of this permission is described in a letter to the nation’s health care providers issued on January 15, 2013, and below.
Specifically, when a health care provider believes in good faith that such a warning is necessary to prevent or lessen a serious and imminent threat to the health or safety of the patient or others, the Privacy Rule allows the provider, consistent with applicable law and standards of ethical conduct, to alert those persons whom the provider believes are reasonably able to prevent or lessen the threat. These provisions may be found in the Privacy Rule at 45 CFR § 164.512(j).
Under these provisions, a health care provider may disclose patient information, including information from mental health records, if necessary, to law enforcement, family members of the patient, or any other persons who may reasonably be able to prevent or lessen the risk of harm. For example, if a mental health professional has a patient who has made a credible threat to inflict serious and imminent bodily harm on one or more persons, HIPAA permits the mental health professional to alert the police, a parent or other family member, school administrators or campus police, and others who may be able to intervene to avert harm from the threat.
In addition to professional ethical standards, most States have laws and/or court decisions which address, and in many instances require, disclosure of patient information to prevent or lessen the risk of harm. Providers should consult the laws applicable to their profession in the States where they practice, as well as 42 USC 290dd-2 and 42 CFR Part 2 under Federal law (governing the disclosure of alcohol and drug abuse treatment records) to understand their duties and authority in situations where they have information indicating a threat to public safety. Note that, where a provider is not subject to such State laws or other ethical standards, the HIPAA permission still would allow disclosures for these purposes to the extent the other conditions of the permission are met.
If a law enforcement officer brings a patient to a hospital or other mental health facility to be placed on a temporary psychiatric hold, and requests to be notified if or when the patient is released, can the facility make that notification?
The Privacy Rule permits a HIPAA covered entity, such as a hospital, to disclose certain protected health information, including the date and time of admission and discharge, in response to a law enforcement official’s request, for the purpose of locating or identifying a suspect, fugitive, material witness, or missing person. See 45 CFR § 164.512(f)(2). Under this provision, a covered entity may disclose the following information about an individual: name and address; date and place of birth; social security number; blood type and rh factor; type of injury; date and time of treatment (includes date and time of admission and discharge) or death; and a description of distinguishing physical characteristics (such as height and weight). However, a covered entity may not disclose any protected health information under this provision related to DNA or DNA analysis, dental records, or typing, samples, or analysis of body fluids or tissue. The law enforcement official’s request may be made orally or in writing.
Other Privacy Rule provisions also may be relevant depending on the circumstances, such as where a law enforcement official is seeking information about a person who may not rise to the level of a suspect, fugitive, material witness, or missing person, or needs protected health information not permitted under the above provision. For example, the Privacy Rule’s law enforcement provisions also permit a covered entity to respond to an administrative request from a law enforcement official, such as an investigative demand for a patient’s protected health information, provided the administrative request includes or is accompanied by a written statement specifying that the information requested is relevant, specific and limited in scope, and that de-identified information would not suffice in that situation. The Rule also permits covered entities to respond to court orders and court-ordered warrants, and subpoenas and summonses issued by judicial officers. See 45 CFR § 164.512(f)(1). Further, to the extent that State law may require providers to make certain disclosures, the Privacy Rule would permit such disclosures of protected health information as “required-by-law” disclosures. See 45 CFR § 164.512(a).
Finally, the Privacy Rule permits a covered health care provider, such as a hospital, to disclose a patient’s protected health information, consistent with applicable legal and ethical standards, to avert a serious and imminent threat to the health or safety of the patient or others. Such disclosures may be to law enforcement authorities or any other persons, such as family members, who are able to prevent or lessen the threat. See 45 CFR § 164.512(j).
If a doctor believes that a patient might hurt himself or herself or someone else, is it the duty of the provider to notify the family or law enforcement authorities?
A health care provider’s “duty to warn” generally is derived from and defined by standards of ethical conduct and State laws and court decisions such as Tarasoff v. Regents of the University of California. HIPAA permits a covered health care provider to notify a patient’s family members of a serious and imminent threat to the health or safety of the patient or others if those family members are in a position to lessen or avert the threat. Thus, to the extent that a provider determines that there is a serious and imminent threat of a patient physically harming self or others, HIPAA would permit the provider to warn the appropriate person(s) of the threat, consistent with his or her professional ethical obligations and State law requirements. See 45 CFR 164.512(j). In addition, even where danger is not imminent, HIPAA permits a covered provider to communicate with a patient’s family members, or others involved in the patient’s care, to be on watch or ensure compliance with medication regimens, as long as the patient has been provided an opportunity to agree or object to the disclosure and no objection has been made. See 45 CFR 164.510(b)(2).
Does HIPAA prevent a school administrator, or a school doctor or nurse, from sharing concerns about a student’s mental health with the student’s parents or law enforcement authorities?
Student health information held by a school generally is subject to the Family Educational Rights and Privacy Act (FERPA), not HIPAA. HHS and the Department of Education have developed guidance clarifying the application of HIPAA and FERPA.
In the limited circumstances where the HIPAA Privacy Rule, and not FERPA, may apply to health information in the school setting, the Rule allows disclosures to parents of a minor patient or to law enforcement in various situations. For example, parents generally are presumed to be the personal representatives of their unemancipated minor child for HIPAA privacy purposes, such that covered entities may disclose the minor’s protected health information to a parent. See 45 CFR § 164.502 (g)(3). In addition, disclosures to prevent or lessen serious and imminent threats to the health or safety of the patient or others are permitted for notification to those who are able to lessen the threat, including law enforcement, parents or others, as relevant. See 45 CFR § 164.512(j).
Notes
1 The Privacy Rule permits, but does not require, providers to disclose information in these situations. Providers who are subject to more stringent privacy standards under other laws, such as certain state confidentiality laws or 42 CFR Part 2, would need to consider whether there is a similar disclosure permission under those laws that would apply in the circumstances.
2 A parent also may not be a personal representative if there are safety concerns. A provider may decide not to treat the parent as the minor’s personal representative if the provider believes that the minor has been or may be subject to violence, abuse, or neglect by the parent or the minor may be endangered by treating the parent as the personal representative; and the provider determines, in the exercise of professional judgment, that it is not in the best interests of the patient to treat the parent as the personal representative. See 45 CFR 164.502(g)(5).
