The U.S. Department of Health and Human Services (“HHS”) recently issued new guidance clarifying how the HIPAA Privacy Rule strikes the balance of protecting individuals’ privacy of mental health information and communicating with patients’ family members and others to enhance treatment and assure safety. The guidance addresses some of HHS’s most frequently asked questions about when it is appropriate under the Privacy Rule for a health care provider to share the protected health information of a patient who is being treated for a mental health condition. Specifically, HHS addresses when health care providers are permitted to:
- Communicate with a patient’s family members, friends, or others involved in the patient’s care;
- Communicate with family members when the patient is an adult;
- Communicate with the parent of a patient who is a minor;
- Consider the patient’s capacity to agree or object to the sharing of their information;
- Involve a patient’s family members, friends, or others in dealing with patient failures to adhere to medication or other therapy;
- Listen to family members about their loved ones receiving mental health treatment;
- Communicate with family members, law enforcement, or others when the patient presents a serious and imminent threat of harm to self or others; and
- Communicate to law enforcement about the release of a patient brought in for an emergency psychiatric hold.
As explained in the guidance, HIPAA generally allows health care professionals to communicate necessary information about the patient to family, friends or others involved in the patient's care, as long as the patient does not object. This includes information about mental health treatment. If a patient is unable to consent to information sharing, providers, using their professional judgment, are permitted to disclose necessary information, such as medication information, to those directly involved in the patient’s care. Providers also may disclose mental health information under the Privacy Rule to avert a serious and imminent threat.
The guidance also provides health care providers reminders about related privacy issues, including:
- The heightened protections afforded to psychotherapy notes by the Privacy Rule due to their highly sensitive nature, but the limited type of information that qualifies as psychotherapy notes;
- A parent’s right to access the protected health information of a minor child as the child’s personal representative;
- The potential applicability of federal alcohol and drug abuse confidentiality regulations (42 CFR Part 2 programs) or state laws that may provide more stringent protections for the information than HIPAA; and
- The intersection of HIPAA and FERPA in school settings.
The guidance does not address any particular state laws protecting mental health information. Usually, these laws result in heightened privacy protections or greater rights to the individuals and will not be preempted by HIPAA. Although the guidance is helpful, health care providers generally still must address the state law obligations for mental health information.