HIPAA Does Not Prevent Information Disclosure if Patient Poses Harm

What do you do if a patient tells you he is thinking of hurting himself?  What do you do if a patient tells you she wishes to harm another? Do you call the patient’s family?  Do you call the police?  Are you allowed to call anyone under state privacy laws or HIPAA?  

The obligation of physicians to warn third parties of a potential physical threat by a patient is based on common law.  Although generally the physician-patient privilege does not permit a physician to share a patient’s confidential information with a third party, many states have carved out an exception to this privilege when the physician has knowledge that a patient threatens foreseeable harm to a third party. 

One of the most famous cases that addresses this issue is Tarasoff v. Regents of University of California, in which a patient informed his psychotherapist that he intended to kill a woman who was readily identifiable to the psychotherapist.  The psychotherapist failed to warn the woman or relatives of the woman, who was subsequently killed by the patient.  The court held that the psychotherapist had a duty to protect the non-patient, third party when:  (a) the provider has knowledge of a foreseeable harm; and (b) the third party is known or readily identifiable to the provider.

Although many physicians are familiar with this “duty to protect,” the introduction of the HIPAA Privacy Rule has made it more difficult for a physician to understand whether he is able to disclose necessary information about a patient to law enforcement, or other persons, when he believes a patient presents a serious danger to himself/herself or others. 

With recent incidents like the ones in Newtown, Conn., and Aurora, Colo., providers across the country are questioning what should be done if they believe a patient poses a threat to others. To assist in the decision-making process, on Jan. 15, 2013, the director of the Office for Civil Rights of HHS issued a letter to the nation’s healthcare providers in which the director emphasized that the privacy rule is intended to protect the privacy of a patient’s health information, but is also balanced to ensure that appropriate uses and disclosures of the information may be made when necessary to treat a patient, to protect the nation’s public health, and for other critical purposes, such as warning or reporting that persons may be at risk of harm because of a patient. 

According to the privacy rule, if a healthcare provider believes in good faith that a warning to third parties is necessary to prevent or lessen a serious and imminent threat to the health or safety of the patient or others, the provider, consistent with applicable law and standards of ethical conduct, is free to alert those persons whom the provider believes are reasonably able to prevent or lessen the threat.  In sharing confidential information, a provider is assumed to have a good faith belief based on the provider’s actual knowledge or in reliance on a credible representation by a person with apparent knowledge or authority.

Although the explanation of the privacy rule provided by the director is helpful, providers still need to be aware that state laws and court decisions affect how and when providers may disclose information about a patient they believe to be threat to public safety or themselves.  Thus, although the position of the federal government with regard to HIPAA has been clarified, providers should still seek clarification of their obligations under state law.

If you are concerned about how to handle patients in your practice who might pose a threat to themselves or third parties, do not hesitate to contact a local healthcare lawyer for guidance so you can be aware, in advance, of your rights and obligations. Your intervention could save the life of your patient as well as the lives of countless others, even your own.