The government has released a new guidance—including a list of frequently asked questions—explaining how the HIPAA privacy rule operates to protect individuals’ privacy rights with respect to their mental health information and in what circumstances the privacy rule permits health care professionals to communicate with patients’ family members and others.
Importantly, the new guidance spells out that psychiatrists can discuss information with families and other third parties if, in their judgment, patients lack the capacity to meaningfully agree or object to the disclosure.
During congressional hearings convened in the aftermath of the school shooting in Newtown, Conn., in December 2012, some clinicians expressed confusion about what their obligations were under HIPAA with regard to treatment information when patients were or were not considered of “imminent danger to self or others” and in other clinical scenarios last May. APA convened a meeting, along with representatives from the AMA, with the Department of Health and Human Services Office of Civil Rights to encourage it to use subregulatory guidance in the form of “frequently asked questions” to help clinicians better comprehend scenarios under which HIPAA permits disclosures of personal health information.
“This subregulatory guidance is an important clarification that avoids the pitfalls of statutory changes to HIPAA or potential HIPAA open rulemaking from HHS,” said Matt Sturm, deputy director of APA’s Department of Government Relations.
Stephen Hoge, M.D., chair of APA’s Council on Psychiatry and Law, told Psychiatric News that the new guidance is important as it clarifies psychiatrists’ responsibilities with respect to privacy as they care for impaired patients.
“Many psychiatrists believed that they could not discuss impaired patients’ care with family, friends, or other involved individuals without express authorization from the patient or their representative,” he said. “However, some patients lacked the capacity to provide a meaningful authorization or to make a meaningful objection. This often left psychiatrists in a quandary—they were unable to share relevant information with third parties. This might impede efforts to obtain additional information for treatment purposes or to facilitate care in some other way.
“The new guidance makes clear that psychiatrists can discuss information with family and other third parties if, in their judgment, the patient lacks the capacity to meaningfully agree or object to the disclosure,” Hoge said. “The disclosure must also be in the patient’s best interests.”
Past APA President Paul Appelbaum, M.D., chair of the Committee on Judicial Action, said every clinician should be aware of the guidance.
“The new guidance represents a clarification, but not a change, in the HIPAA rules about disclosure of patient-related information,” he told Psychiatric News. “The most helpful provisions clarify that, unless a competent patient objects, psychiatrists and other treaters can speak with family members who are assisting in the patient’s treatment—such as about encouraging the patient to take prescribed medication—and underscore that when psychiatric disorders or substance use impair patients’ capacities, psychiatrists can share patient-related information in patients’ best interests. Other useful sections highlight rules governing disclosures to parents of minor patients and permissible disclosures when patients present serious and imminent threats to themselves or others.”
The first question in the HHS guidance is, “Does HIPAA allow a health care provider to communicate with a patient’s family, friends, or other persons who are involved in the patient’s care?”
Here is the answer, in part: “Yes. In recognition of the integral role that family and friends play in a patient’s health care, the HIPAA privacy rule allows these routine—and often critical—communications between health care providers and these persons. Where a patient is present and has the capacity to make health care decisions, health care providers may communicate with a patient’s family members, friends, or other persons the patient has involved in his or her health care or payment for care, so long as the patient does not object. . . . Where a patient is not present or is incapacitated, a health care provider may share the patient’s information with family, friends, or others involved in the patient’s care or payment for care, as long as the health care provider determines, based on professional judgment, that doing so is in the best interests of the patient. Note that, when someone other than a friend or family member is involved, the health care provider must be reasonably sure that the patient asked the person to be involved in his or her care or payment for care.
In all cases, disclosures to family members, friends, or other persons involved in the patient’s care or payment for care are to be limited to only the protected health information directly relevant to the person’s involvement in the patient’s care or payment for care.”
In addition, the guidance clarifies how providers may communicate with family members, law enforcement, or others when the patient presents a serious and imminent threat of harm to self or others. The FAQ poses the following question: “Does HIPAA permit a doctor to contact a patient’s family or law enforcement if the doctor believes that the patient might hurt herself or someone else?”
The answer, in part, is this: “Yes. The privacy rule permits a health care provider to disclose necessary information about a patient to law enforcement, family members of the patient, or other persons, when the provider believes the patient presents a serious and imminent threat to self or others. . . . Specifically, when a health care provider believes in good faith that such a warning is necessary to prevent or lessen a serious and imminent threat to the health or safety of the patient or others, the privacy rule allows the provider, consistent with applicable law and standards of ethical conduct, to alert those persons whom the provider believes are reasonably able to prevent or lessen the threat. . . . Under these provisions, a health care provider may disclose patient information, including information from mental health records, if necessary, to law enforcement, family members of the patient, or any other persons who may reasonably be able to prevent or lessen the risk of harm. For example, if a mental health professional has a patient who has made a credible threat to inflict serious and imminent bodily harm on one or more persons, HIPAA permits the mental health professional to alert the police, a parent or other family member, school administrators or campus police, and others who may be able to intervene to avert harm from the threat.”■