Late last week, the HHS Office for Civil Rights (OCR) published guidance designed to help health care providers understand when, consistent with the HIPAA Privacy Rule, they may share information related to a patient’s mental health with others. As we have previously written, HHS seeks to balance a patient’s privacy rights in mental health records against public safety concerns. OCR’s latest guidance clarifies the circumstances under which a health care provider may communicate with a patient’s family members, friends or others involved in an adult or minor patient’s care. The guidance also addresses when and how a mental health care provider may notify a patient’s family members, friends or others involved in the patient’s care (or payment for care) when the patient fails to comply with a treatment or medication regimen, as well as the mental health provider’s ability to listen to concerns raised by the patient’s family members, friends or others involved in the patient’s care about the patient’s health and well-being. Finally, the guidance addresses situations in which a patient presents a serious and imminent threat of harm to self or others and the role of law enforcement – and the ability of a health care provider to disclose information to law enforcement and others – in such situations.

The Privacy Rule and mental health information. Under the Privacy Rule, a health care provider may only disclose an individual’s protected health information (PHI) pursuant to a written authorization or under one of the Rule’s limited permissions or exceptions to the requirement for authorization. The guidance clarifies that the Privacy Rule applies “uniformly” to all PHI, including mental health information, with one exception – psychotherapy notes. Psychotherapy notes are defined as “notes recorded (in any medium) by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or group, joint, or family counseling session and that are separated from the rest of the individual’s medical record.” Given the sensitive nature of mental health treatment and because the notes are the personal notes of the provider, psychotherapy notes are afforded extra protections under the Privacy Rule: with a few limited exceptions, a specific, separate authorization is required before a mental health provider may use or disclose psychotherapy notes, and a mental health provider is not required to disclose such notes to the individual under the individual’s Privacy Rule right of access. Although psychotherapy notes are afforded extra protections, they may be disclosed in limited circumstances, such as a mandatory “duty to warn” situations, or in event of a threat of serious and imminent harm to the health or safety of the patient or others.

Family and friends. In the guidance, OCR recognizes “the integral role that family and friends play in a patient’s health care.”  For this reason, a mental health provider may communicate with, and disclose a patient’s PHI (including mental health information) to, these persons under certain circumstances. A provider may discuss the patient’s condition with family, friends and others involved in the patient’s care when the patient is present, is capable of making health care decisions and does not object to the disclosure. When the patient is not present or is incapacitated, the mental health provider may disclose relevant information as long as the provider determines, based on his or her professional judgment, that doing so is in the best interests of the patient. While lack of consciousness is the most common form of incapacity, it can take other forms, especially with respect to a patient with mental health or substance abuse issues. For example, if a health care provider knows that a patient with a serious mental illness has stopped taking a prescribed medication, the provider can share that information with a family member of the patient if the provider believes, based on professional judgment, that the patient does not have the capacity to agree or object at the time, and that sharing the information would be in the patient’s best interests. OCR counsels that the provider should consider whether the patient has previously objected to the disclosure of his or her PHI, as well as the circumstances of the situation with which the provider is presented. If a provider discusses the patient’s PHI with family, friends and others involved in the patient’s care, the provider may share only the information the person needs to know about the patient’s care or payment for care. OCR cautions, however, that State or other law (including federal regulations protecting the confidentiality of alcohol and substance abuse and treatment information), or professional ethics, may impose stricter limitations on the sharing of such information.

Although mental health providers are limited in the information they may disclose, the Privacy Rule does not prevent such providers from listening to concerns raised by family members or friends about the health and well-being of the patient. The Privacy Rule permits information about such concerns shared with the provider to be withheld from the patient – under the patient’s right of access – if the disclosure would be reasonably likely to reveal the identity of the individual who came to the provider. This allows family members and friends to reveal their concerns about the health, safety, and well-being of the patient to mental health providers without the fear that such a discussion would be disclosed to the patient and disrupt the relationship of the relative or friend with the patient.

Minor children. Under the HIPAA Privacy Rule, a parent generally acts as a minor child’s personal representative with whom a health care provider may discuss the minor’s PHI.  There are exceptions to when a parent is treated as the minor’s personal representative that may apply when a minor is receiving mental health treatment.  A parent is not treated as a personal representative when: 1) State or other law does not require the consent of a parent before a minor can obtain a particular health care service, the minor consents to the health care service and the minor has not requested the parent be treated as a personal representative; 2) someone other than the parent is authorized by law to consent to the provision of the care and does so; or 3) a parent agrees to a confidential relationship between the minor and a health  care provider with respect to the health care services. For example, if a State law allows an adolescent to seek mental health treatment without the consent of a parent, then the parent would not be the personal representative of the minor. Regardless of whether the parent would be the child’s personal representative, the Privacy Rule defers to State or other applicable law that address a parent’s ability to access their child’s PHI. 

Threat of imminent harm. As discussed above, a health care provider may also disclose mental health records in the limited circumstance in which the provider believes the patient presents a serious and imminent threat to his/her own health or safety or to that of another. For example, if a provider knows a patient is not taking medication as prescribed and without the medication the patient is at an increased risk of suicide, then the provider may disclose this information to a family member or friend who is in a position to avert the threat, if the provider has a good faith belief that disclosure is necessary to prevent or lessen the threat of harm to the health or safety of the patient. A health care provider may also contact a patient’s family, friends or law enforcement if the provider believes the patient presents a serious and imminent threat to others. The disclosure may be made if the provider, in good faith, believes such a warning is necessary to prevent or lessen a serious and imminent threat to the health or safety of the patient or others. The disclosure should be made to those persons, including law enforcement, whom the provider believes are reasonably able to prevent or lessen the threat. OCR notes that many States have laws which may require disclosure of information to prevent or lessen the risk of serious harm. 

Law enforcement. The Privacy Rule allows a covered entity to disclose certain PHI, including date and time of admission and discharge, in response to a law enforcement official’s request, for the purpose of locating or identifying a suspect, fugitive, material witness or missing person. For example, a covered entity, such as a hospital, may notify law enforcement officials when a patient who has been placed on a temporary psychiatric hold has been released. Under this exception, the covered entity may disclose information such as name and address, social security number, blood type, type of injury and a description of distinguishing physical characteristics. However, the covered entity may not disclose PHI related to DNA or DNA analysis, dental records or typing, samples or analysis of body fluids or tissue.  OCR counsels that other Privacy Rule provisions may be relevant when responding to requests from law enforcement officials in such situations.