Mental Health Providers: Balancing Privacy With Public Welfare

Richard F. Cahill, JD, Vice President and Associate General Counsel, and Robert Morton, MAS, CPPS, Assistant Vice President, Department of Patient Safety and Risk Management, The Doctors Company

As reported by the national media on an almost daily basis, a large sector of the population has experienced heightened tensions related to disruptions in employment, personal finances, health, family turmoil, and a plethora of other significant concerns caused by the pandemic. These tensions have adversely affected our already overburdened mental health resources and resulted in unexpected consequences for healthcare providers.

Since the spring of 2020, therapists have been faced with addressing uncommon clinical presentations and managing critical situations that go well beyond treating routine, isolated issues. With increasing frequency, patients report ideation of harm, including self-harm, “suicide by cop,” community violence involving serial or mass killings, and random acts of assault or homicide.

These types of encounters create a perilous moral dilemma for mental health providers: how to maintain provider-patient privilege, consistent with their ethical duties to patients and federal and state privacy laws, while adhering to legal reporting obligations that require healthcare providers to reveal certain confidential circumstances to law enforcement to protect the public welfare.

Protection and Release of Health Information

Congress passed HIPAA in 1996. One of its stated goals is to help protect the privacy and security of patient health information in a variety of categories. The federal government has enacted comprehensive rules governing the use, access, and release of protected health information (PHI), including exceptions and significant monetary and administrative penalties for statutory violations. The Office for Civil Rights is responsible for investigating data breaches and enforcing HIPAA’s privacy and security rules.

Subsequently, state legislatures have followed suit and enacted similar—and often more restrictive—regulatory measures designed to protect patient confidentiality. Ordinarily, third-party access to PHI requires patient authorization or a court order. Exceptions include government agencies with oversight duties, coroners’ offices, circumstances involving imminent danger to public health or welfare, and other specified outliers.

The HIPAA FAQs for Professionals states: “The HIPAA Privacy Rule permits a covered entity [such as a mental health provider] to disclose PHI, including psychotherapy notes, when the covered entity [such as the mental health provider] has a good faith belief that the disclosure: (1) is necessary to prevent or lessen a serious and imminent threat to the health or safety of the patient or others and (2) is to a person(s) reasonably able to prevent or lessen the threat.” It may include disclosure to law enforcement, members of the family, or even the target of the threat, depending on the circumstances presented and consistent with applicable law and the prevailing standards of ethical conduct.

Who Can You Call?

Here are examples of clinical scenarios and courses of action for mental health providers:

  • A patient is a potential risk to self. Who can you call? Under HIPAA, healthcare providers may disclose the necessary PHI to anyone who is in a position to prevent or lessen the threatened harm—including family, friends, caregivers, and law enforcement—without a patient’s permission. Consider calling the patient’s emergency contact or adult protective services for a wellness check.
  • A patient says he is going to commit suicide by cop. Who can you call? Consider calling the patient’s emergency contact and law enforcement if, in your good faith judgment, disclosure of the threat is necessary to prevent or lessen the threat and each contact is reasonably able to prevent or lessen the threat.
  • A patient says he is going to kill his spouse or another identified individual. Who can you call? Consider calling the spouse or the target of the threat, and law enforcement if, in your good faith judgment, disclosure of the threat is necessary to prevent or lessen the threat and each contact is reasonably able to prevent or lessen the threat.
  • A patient expresses the intent to commit mass harm or random act(s) of assault. Who can you call? Consider calling law enforcement if, in your good faith judgment, disclosure of the threat is necessary to prevent or lessen the threat and law enforcement is reasonably able to prevent or lessen the threat.
  • A patient needs to be admitted involuntarily due to being a threat to self or others and will not cooperate. Who do you call? Call local law enforcement and follow the law in your state for involuntary commitment.

For additional guidance, contact the Department of Patient Safety and Risk Management at (800) 421-2368 or by email.


Resources

U.S. Department of Health and Human Services, HIPAA for Professionals, FAQs for Mental Health

U.S. Department of Health and Human Services, Message to Our Nation’s Health Care Providers


The guidelines suggested here are not rules, do not constitute legal advice, and do not ensure a successful outcome. The ultimate decision regarding the appropriateness of any treatment must be made by each healthcare provider considering the circumstances of the individual situation and in accordance with the laws of the jurisdiction in which the care is rendered.

J13623 09/22

Stay in the Know

Sign up for The Doctor’s Practice.

Our e-newsletter features timely articles, videos, and guides on a range of patient safety topics.

Subscribe