One of my recent seminar attendees asked what HIPAA says about releasing therapist notes to a state agency requesting them. Specifically, the case has to do with a child brought in by a parent. The parents are going through a difficult divorce, the child is terrified of the parent who brought her in, and the not-for-profit mental health facility had to call the other parent to come get the child after the session with the therapist because they were afraid to let the child go with the parent that had brought her in. The parents have joint custody. The question is whether the mental health facility can release the records to the child protective agency without a consent or authorization. Also, in the ongoing abuse case, the Florida Department of Children and Families had sent the mental health facility a nonconsentual release.
This situation falls under the heading of uses and disclosures to avert a serious threat to health or safety. Those of you who have the Compliance Guide to HIPAA and the DHHS Regulations, 4th ed., will find a discussion in Chapter 17. A covered entity may, consistent with applicable laws and ethical standards, use or disclose PHI if the covered entity believes, in good faith, that the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or of the public and the disclosure is to a person or persons reasonably able to prevent or lessen the threat, including the target of the threat. A covered entity that uses or discloses PHI to prevent or lessen a serious and imminent threat is presumed to have acted in good faith with regard to its belief justifying use or disclosure under this subsection if the belief is based upon the covered entity’s actual knowledge or in reliance on a credible representation by a person with apparent knowledge or authority.
A related question is whether, in a joint custody situation, both parents must consent to the release of records or whether only one parent can consent to the release of the child’s therapist’s notes. The answer is that only the parent granted physical custody of the child—not both parents—needs to consent to the use or disclosure of the child’s records in most routine situations. The covered entity should keep a copy of the court order granting physical custody to that parent.
Another related question is whether the parent that the child is afraid of has a right to request review of the covered entity’s decision to deny that parent’s request for access to the records. The answer is that the individual who is the subject of the PHI or the parent or guardian of the individual who is requesting access to the records on behalf of the individual has a right to review of a decision to deny access in certain situations. Reviewable grounds for denial include the situation in which a licensed health care professional has determined in the exercise of professional judgment, that the access is reasonably likely to endanger the life or physical safety of the individual or another person. If the individual requests review of the denial, the covered entity must designate a licensed health care professional who was not directly involved in the denial to review the decision to deny access. See Chapter 9 of the Compliance Guide for a full discussion of this topic.
Except in a life or death emergency, this type of situation is one in which you need a qualified HIPAA attorney to review the law and the facts before granting or denying a request for access.