There are not always clear answers under HIPAA, particularly when it comes to mental health issues. Here is some guidance.
Handling young patients who display mental health issues is a challenge for all providers. While looking out for the patient is always the priority, providers often become confused about the rights and obligations that apply to handling a mental health crisis while complying with HIPAA’s privacy rule.
A good example of this dilemma is a call I received from an internal medicine physician treating a patient who was 18 years of age. The patient had signed an authorization allowing her parents to be informed of her care. The patient subsequently displayed disturbing mental health behavior which concerned the provider and family. The parents wanted to alert the patient’s new out-of-state school and contacted a physician near the school to take over care of the patient.
The parents and treating physician believed they had reason to fear for the safety of the patient and others in her presence.
They asked me how they could share this information with the new physician and school since the patient refused to sign an authorization. They also asked how they should respond to the patient stating she regretted her original authorization.
Dealing with young adults is a challenge for families and providers, as this is the age when mental health conditions often manifest. Providers must be aware of HIPAA requirements if they confront a scenario similar to the one described above:
1. Did the patient withdraw the authorization verbally by her statement? Once a patient provides an authorization, HIPAA gives individuals the right to revoke it at any time. The revocation must be in writing and is not effective until the covered entity receives it. In addition, a written revocation is not effective with respect to actions a covered entity took in reliance on a valid authorization.
2. Does HIPAA permit a doctor to contact a patient’s family or law enforcement if the doctor believes that the patient might hurt herself or someone else? In addition to family, the HIPAA privacy rule permits a healthcare provider to disclose necessary information to law enforcement or other persons, when the provider believes the patient presents a serious and imminent threat to self or others. The scope of this permission is described in a letter to the nation’s healthcare providers issued on January 15, 2013. When a healthcare provider believes in good faith that such a warning is necessary to prevent or lessen a serious and imminent threat to the health or safety of the patient or others, the privacy rule allows the provider, consistent with applicable law and standards of ethical conduct, to alert those persons whom the provider believes are reasonably able to prevent or lessen the threat. These provisions may be found in the privacy rule at 45 CFR § 164.512(j).
Under HIPAA provisions, a healthcare provider may disclose patient information to any persons who may reasonably be able to prevent or lessen the risk of harm. For example, if a mental health professional has a patient who has made a credible threat to inflict serious and imminent bodily harm on one or more persons, HIPAA permits the mental health professional to alert the police, a parent or other family member, school administrators, or campus police, and others who may be able to intervene to avert harm from the threat. In addition to professional ethical standards, most states have laws and/or court decisions which address, and in many instances require, disclosure of patient information to prevent or lessen the risk of harm.
It’s not entirely clear whether these exceptions allow the new physician to receive information. From my perspective, the parents should speak with the school to formulate an approach. The institution likely has a medical clinic/provider that will treat the patient as a condition of remaining at the school. Medical records could easily be transferred at that time and the current and new providers could also then freely speak.
There are not always clear answers under HIPAA, particularly when it comes to mental health issues. However, all providers should be familiar with the law so as to protect the patient and those around him, as well as to protect their own practice from an unintended violation of HIPAA.