Mental Health Practitioners: Balancing Privacy With Public Welfare

Richard F. Cahill, JD, Vice President and Associate General Counsel, and Robert Morton, MAS, CPPS, Assistant Vice President, Department of Patient Safety and Risk Management, The Doctors Company, Part of TDC Group

As reported by the national media on a frequent basis, societal tension and an increase in demand for mental health services—not to mention an increase in violence against healthcare professionals—have adversely affected our already overburdened mental health resources and resulted in unexpected consequences for healthcare practitioners.

Therapists are often faced with addressing uncommon clinical presentations and managing critical situations that go well beyond treating routine, isolated issues. With increasing frequency, patients report ideation of harm—including self-harm, “suicide by cop,” community violence involving serial or mass killings, and random acts of assault or homicide.

These types of encounters create a perilous moral dilemma for mental health practitioners: how to maintain the clinician-patient privilege, consistent with their ethical duties to patients and federal and state privacy laws, while adhering to legal reporting obligations that require healthcare practitioners to reveal certain confidential circumstances to law enforcement to protect the public welfare.

Protection and Release of Health Information

Congress passed HIPAA in 1996. One of its stated goals is to help protect the privacy and security of patient health information in a variety of categories. The federal government has enacted comprehensive rules governing the use, access, and release of protected health information (PHI), including exceptions and significant monetary and administrative penalties for statutory violations. The Office for Civil Rights is responsible for investigating data breaches and enforcing HIPAA’s privacy and security rules.

Subsequently, state legislatures have followed suit and enacted similar—and often more restrictive—regulatory measures designed to protect patient confidentiality.

Ordinarily, third-party access to PHI requires patient authorization or a court order. Exceptions include government agencies with oversight duties, coroners’ offices, circumstances involving imminent danger to public health or welfare, and other specified outliers.

The HIPAA FAQs for Professionals states: “The HIPAA Privacy Rule permits a covered entity [such as a mental health practitioner] to disclose PHI, including psychotherapy notes, when the covered entity has a good faith belief that the disclosure: (1) is necessary to prevent or lessen a serious and imminent threat to the health or safety of the patient or others and (2) is to a person(s) reasonably able to prevent or lessen the threat.” The HIPAA Privacy Rule provisions may include disclosure to law enforcement, members of the family, or even the target of the threat, depending on the circumstances presented and consistent with applicable law and the prevailing standards of ethical conduct.

Who Can You Call?

Consider the following examples of clinical scenarios and courses of action for mental health practitioners. In all scenarios, practitioners should limit the amount of PHI disclosed to the minimum necessary to achieve the intended purpose.

  • A patient is a potential risk to self. Who can you call? Under HIPAA, healthcare practitioners may disclose the necessary PHI to anyone who is in a position to prevent or lessen the threatened harm—including family, friends, caregivers, and law enforcement—without a patient’s permission. Consider calling the patient’s emergency contact or adult protective services for a wellness check.
  • A patient says he is going to commit suicide by cop. Who can you call? Consider calling the patient’s emergency contact and law enforcement if, in your good faith judgment, disclosure of the threat is critical to prevent or lessen the threat and each contact is reasonably able to prevent or lessen the threat.
  • A patient says he is going to kill his spouse or another identified individual. Who can you call? Consider calling the spouse or the target of the threat and law enforcement if, in your good faith judgment, disclosure of the threat is necessary to prevent or lessen the threat and each contact is reasonably able to prevent or lessen the threat.
  • A patient expresses the intent to commit mass harm or random act(s) of assault. Who can you call? Consider calling law enforcement if, in your good faith judgment, disclosure of the threat is necessary to prevent or lessen the threat and law enforcement is reasonably able to prevent or lessen the threat.
  • A patient needs to be admitted involuntarily due to being a threat to self or others and will not cooperate. Who do you call? Call local law enforcement and follow the law in your state for involuntary commitment.

For additional guidance, contact the Department of Patient Safety and Risk Management at (800) 421-2368 or by email.


Resources

U.S. Department of Health and Human Services, HIPAA for Professionals, FAQs for Mental Health

U.S. Department of Health and Human Services, Message to Our Nation’s Health Care Providers


The guidelines suggested here are not rules, do not constitute legal advice, and do not ensure a successful outcome. The ultimate decision regarding the appropriateness of any treatment must be made by each healthcare provider considering the circumstances of the individual situation and in accordance with the laws of the jurisdiction in which the care is rendered.

J01709 11/24

Stay in the Know

Sign up for The Doctor’s Practice.

Our e-newsletter features timely articles, videos, and guides on a range of patient safety topics.

Subscribe