Recent reports surrounding Germanwings co-pilot Andreas Lubitz suggest that Lubitz told his doctors he was on sick leave (or was instructed by his doctors to be on sick leave), and concealed that he was still flying for the commercial airline. Although Lubitz’ motives remain unknown, we now know a great deal of Lubitz’ medical history, including medications he was taking at the time and past mental health history, largely as disclosed by German prosecutors. Many are now wondering if his doctors had known that he was still flying, could they have disclosed his medical information, including mental health information, to his employer, Germanwings, or its parent company, Lufthansa in an attempt to avert the harm that ensued.

This tragedy raises the important, and much debated, question of when public safety outweighs patient confidentiality – a fundamental principal to ensuring those at risk or struggling with mental health issues seek treatment. Whether it’s a pilot, conductor, surgeon, or someone else responsible for others’ lives, treating mental health illness and disclosing related information raises challenges.

When employer or industry mandated self-reporting proves insufficient, when can doctors disclose information about patients they believe may cause harm to themselves or others?

In the U.S., the disclosure of medical information, including mental health information, by health care providers is largely controlled by a federal law, the Health Insurance Portability and Accountability Act (HIPAA), and a patchwork of more stringent state laws. For any disclosures not expressly permitted or required by HIPAA, a covered provider needs the individual’s written authorization to make the disclosure.

Relevant to these circumstances, HIPAA permits providers to disclose information about a patient to those involved in the patient’s care, such as friends or family members, when the patient is present and does not object. Providers also can disclose information to third parties involved in a patient’s care when the patient is not present or is incapacitated, but under more limited circumstances: the provider must determine in his or her professional judgment whether the disclosure is in the best interests of the patient and may only disclose the information directly relevant to the third parties’ involvement in the individual’s care.

HIPAA also permits providers to disclose patient information, including mental health information (except for psychotherapy notes), when there is a serious and imminent threat to the health or safety of a person or the public. The disclosure must be only to a person or entity that is capable of preventing or lessening the potential harm. The U.S. Department of Health and Human Services has stated in HIPAA guidance related to mental health that “if a mental health professional has a patient who has made a credible threat to inflict serious and imminent bodily harm on one or more persons, HIPAA permits the mental health professional to alert the police, a parent or other family member, school administrators or campus police, and others who may be able to intervene to avert harm from the threat.” Presumably, in the U.S., a provider also could, under HIPAA, disclose this information to the patient’s employer if the patient is in a position where public safety is at issue and the provider has acredible basis for believing the patient poses a serious and imminent threat of harm to the public.

Like U.S. law, German federal law generally prohibits providers from disclosing a patient’s sensitive personal information, such as mental health treatment information, for a purpose other than the purpose for which the information was collected without the patient’s consent. In contrast to HIPAA though, German law does not allow disclosure of a patient’s confidential personal information to “family and friends” as permitted under HIPAA, but does allow, in very limited circumstances, disclosure “if necessary to avert substantial threats to state security or public safety” (emphasis added). If Lubitz’ providers had actual knowledge, or a credible suspicion, that he would undertake crashing Flight 9525 – or any other flight – a disclosure by his providers would have likely been permissible under German law to avert the threat. However, in the absence of a clear, substantial threat, German law most likely would have required the providers to protect the patient’s confidentiality – a strong tenet of the medical profession dating back centuries.

Additionally, posthumous disclosures are protected under both U.S. and German law. As there is no credible, substantial threat or serious and imminent harm posthumous, providers both in the U.S. and Germany will be much more restricted in how they can disclose sensitive medical information, including mental health information posthumous.

In light of the Germanwings tragedy, many people have called for relaxed legal restrictions on disclosing mental health conditions or other sensitive medical information prevent such tragedies in the future.  However, mental health experts widely agree that suicide or harming others is difficult to predict and the vast majority of individuals suffering from some type of mental illness are never violent. So we wonder, would relaxed legal restrictions actually prevent tragedies such as the Germanwings crash, or would it just increase stigmatization and deter treatment or encourage individuals to hide information from their doctors and employers?  The unfortunate reality is that, in either situation, we could end up with the same tragic result.

This debate will continue to play out as the crash is investigated and in litigation as parties potentially seek to obtain medical records under court orders.