Recently, the Department of Health and Human Services (“DHHS”) attempted to clarify when HIPAA permits mental health care providers to do the following regarding protected health information (“PHI”):
- Communicate with a patient’s family members, friends, or others involved in the patient’s care.
- Communicate with family members when the patient is an adult.
- Communicate with the parent of a patient who is a minor.
- Consider the patient’s capacity to agree or object to the sharing of the patient’s information.
- Involve a patient’s family members, friends, or others in dealing with patient failures to adhere to medication or other therapy.
- Listen to family members about their loved ones receiving mental health treatment.
- Communicate with family members, law enforcement, or others when the patient presents a serious and imminent threat of harm to self or others.
- Communicate to law enforcement about the release of a patient brought in for an emergency.
Although the guidance on the DHHS website is helpful, it buries in a footnote at the bottom of the webpage the very real issue of state and federal mental health PHI laws that provide more privacy protection and, hence, preempt HIPAA. Burying the real issue might cause mental and behavioral health practices to make a disclosure that is authorized by HIPAA but that is prohibited or otherwise restricted by another federal or state law. That footnote reads: “The Privacy Rule permits, but does not require, providers to disclose information in these situations. Providers who are subject to more stringent privacy standards under other laws, such as certain state confidentiality laws or 42 CFR Part 2, would need to consider whether there is a similar disclosure permission under those laws that would apply in the circumstances.”
If you want instead an in-depth discussion of the heightened privacy standards regarding mental health PHI, see my book Mental and Behavioral Health and HIPAA: An Uneasy Alliance, available through Veterans Press.