Recently, the U.S. Department of Health & Human Services (HHS) released new guidance regarding how the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule operates with respect to protecting and sharing individual information related to mental health.
The guidance addresses some of the most frequently asked questions regarding when it is appropriate under the Privacy Rule for a health care provider to share the protected health information (PHI) of a patient who is being treated for a mental health condition. In addition, the guidance clarifies when HIPAA permits health care providers to:
- Communicate with a patient’s family members, friends, or others involved in the patient’s care;
- Communicate with family members when the patient is an adult;
- Communicate with the parent of a patient who is a minor;
- Consider the patient’s capacity to agree with or object to the sharing of his or her information;
- Involve a patient’s family members, friends or others in dealing with patient failures to adhere to medication or other therapy;
- Listen to family members about their loved ones receiving mental health treatment;
- Communicate with family members, law enforcement or others when the patient presents a serious and imminent threat of harm to self or others; and
- Communicate to law enforcement about the release of a patient brought in for an emergency psychiatric hold.
Finally, the guidance provides relevant reminders about related issues, such as the heightened protections afforded to psychotherapy notes by the Privacy Rule, a parent’s right to access the protected health information of a minor child as the child’s personal representative, the potential applicability of federal alcohol and drug abuse confidentiality regulations or state laws that may provide more stringent protections for the information than HIPAA, and the intersection of HIPAA and FERPA in a school setting.
Covered entities and business associates reviewing the new guidance should remember that if a state law is more protective of the patient’s mental health information than HIPAA, the state law takes precedence over HIPAA.