On January 15, 2013, the Office for Civil Rights (OCR), the enforcer of HIPAA, published a letter clarifying that providers may disclose information when there is a risk of danger. Specifically, providers may disclose necessary information about patients to law enforcement, family members of patients, or other persons when providers believe that patients present serious danger to themselves or to other people.
The letter goes on to say that:
The HIPAA Privacy Rule protects the privacy of patients’ health information but is balanced to ensure that appropriate uses and disclosures of the information still may be made when necessary to treat a patient, to protect the nation’s public health, and for other critical purposes, such as when a provider seeks to warn or report that persons may be at risk of harm because of a patient. When a health care provider believes in good faith that such a warning is necessary to prevent or lessen a serious and imminent threat to the health or safety of the patient or others, the Privacy Rule allows the provider, consistent with applicable law and standards of ethical conduct, to alert those whom the provider believes are reasonably able to prevent or lessen the threat.
The letter then provides guidance about what is considered to be a good faith belief. A provider is presumed to have a good faith belief when his or her belief is based upon the provider's actual knowledge, i.e., the provider's own interaction with patients. Providers also have a good faith belief if they rely on a credible representation by persons with apparent knowledge or authority, i.e., credible reports from family members of patients or other persons. These provisions are included in the Privacy Rule at 45 CFR Section 164.512(j).
OCR interprets these provisions to mean that health care providers may disclose patient information, including information from mental health records, if necessary, to law enforcement, a patient's family, or other persons who may reasonably be able to prevent or lessen the risk of harm. If, for example, a nurse has a patient who has made a credible threat to inflict serious and imminent bodily harm on one or more persons, HIPAA permits the nurse to alert the police, a partner or other family members, a school administrator, campus police, and others who may be able to intervene to avert harm from threats. It is important to note that the above is consistent with statutes and court decisions in most states that frequently require disclosure of information about patients to prevent or lessen the risk of harm.
The letter concludes with the following statement:
We at the Office for Civil Rights understand that health care providers may at times have information about a patient that indicates a serious and imminent threat to health or safety. At those times, providers play an important role in protecting the safety of their patients and the broader community. I hope this letter is helpful in making clear that the HIPAA Privacy Rule does not prevent providers from sharing this information to fulfill their legal and ethical duties to warn or as otherwise necessary to prevent or lessen the risk of harm, consistent with applicable law and ethical standards.
Based upon the above, providers should be reminded that they may take action to avoid harm to others without violating the HIPAA Privacy Rule.
©2013 Elizabeth E. Hogue, Esq. All rights reserved. No portion of this material may be reproduced in any form without the advance written permission of the author.