A recent editorial from Kansas City’s KMBC/KCWE General Manager Sarah Smith recounted the story of a 19-year-old college student whose suicide might have been prevented but for HIPAA’s alleged barrier to disclosing protected health information (“PHI”) to the parents of an adult child. The parents had referred their son to a mental health counselor because he had told them that he was depressed. He then expressed suicidal thoughts to the mental health counselor, who apparently believed that he could not tell the parents because of HIPAA.
Section 164.512(j) of the Privacy Rule permits covered entities to disclose PHI if the disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public and the disclosure is to a person or persons reasonably able to prevent or lessen the threat, including the target of the threat. Note that this disclosure, without patient consent or authorization, is not limited to notifying law enforcement or health care providers but authorizes disclosure to “a person or persons reasonably able to prevent or lessen the threat.” One would expect that the parents of a 19-year-old who had recounted his depression to them might be able to prevent or lessen the threat of his committing suicide. This incident is not the first, and probably won’t be the last, time that someone suffers harm because of overreaction to or lack of understanding of HIPAA. See my October 19, 2011, post on this topic.
Even assuming that HIPAA were some impediment to this disclosure, I would rather get sued for this fairly minor breach of confidentiality—his parents already knew that he was depressed and undergoing mental health treatment—than for negligence that may have resulted in wrongful death. I would have to know a lot more about the case to speak definitively on whether the provider was negligent in not notifying the parents, but in this type of situation, the provider needs to contact a lawyer who knows HIPAA inside and out.