Recently, the U.S. Department of Health & Human Services (HHS) released new guidance regarding how the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule operates with respect to protecting and sharing individual  information related to mental health.

The guidance addresses some of the most frequently asked questions regarding when it is appropriate under the Privacy Rule for a health care  provider  to share the protected health information (PHI) of a patient who is being treated for a mental health condition. In addition, the guidance clarifies when HIPAA permits health care providers to:

  • Communicate  with  a  patient’s  family  members,  friends,  or  others  involved  in  the patient’s care;
  • Communicate with family members when the patient is an adult;
  • Communicate with the parent of a patient who is a minor;
  • Consider  the  patient’s  capacity  to  agree  with  or  object  to  the  sharing  of  his  or  her information;
  • Involve a patient’s family members, friends or others in dealing with patient failures to adhere to medication or other therapy;
  • Listen to family members about their loved ones receiving mental health treatment;
  • Communicate with family members, law enforcement or others when the patient presents a serious and imminent threat of harm to self or others; and
  • Communicate  to  law  enforcement  about  the  release  of  a  patient  brought  in  for  an emergency psychiatric hold.

Finally, the guidance provides relevant reminders about related issues, such as the heightened protections afforded to psychotherapy notes by the Privacy Rule, a parent’s right to access the protected health information of a minor child as the child’s personal representative, the potential applicability of federal alcohol and drug abuse confidentiality regulations or state laws that may provide more stringent protections  for the information  than HIPAA, and the intersection  of HIPAA and FERPA in a school setting.

Covered entities and business associates reviewing the new guidance should remember that if a state law is more protective of the patient’s mental health information than HIPAA, the state law takes precedence over HIPAA.