HIPAA Threat of Harm Exception Gets a Second Look
Prompted by the tragic shootings in Newtown, Connecticut, and Aurora, Colorado, the HHS Office for Civil Rights (OCR) released a letter to all health care providers on January 15, 2013 making them “aware” that the HIPAA Privacy Rule does not prevent their “ability to disclose necessary information about a patient to law enforcement, family members of the patient, or other persons, when you believe the patient presents a serious danger to himself or other people.” Given the actual language in HIPAA and the variations in state and other federal law, we thought it worthwhile to examine the state of the law on the subject.
HIPAA and the Exception for Preventing Harm
HIPAA sets out a very broad proscription against disclosure of protected health information (PHI), unless the disclosure fits an exception in the statute or Privacy Rule. There is no mistaking the starting point for an analysis. Health care providers, including mental health professionals, “may not use or disclose protected health information, except as permitted by [the Privacy Rule or Enforcement Rule under HIPAA].” This general rule is backed by civil or criminal sanctions against covered entities and individuals.
The OCR letter is a timely reminder that the Privacy Rule does include a generally workable exception to address serious threats of harm. The exception and its attendant conditions permit a covered entity to use or disclose PHI without written authorization “to avert a serious threat to health or safety” when the following conditions are met:
“A covered entity may, consistent with applicable law and standards of ethical conduct, use or disclose protected health information, if the covered entity, in good faith, believes the use or disclosure: (i)(A) is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public; and (B) is to a person or persons reasonably able to prevent or lessen the threat, including the target of the threat . . . .”1
A later section of the exception affords a “presumption” of good faith belief:
“If the belief is based upon the covered entity’s actual knowledge or in reliance on a creditable representation by a person with apparent knowledge or authority.”2
The permissive standard for disclosure is thus in several parts, as follows:
HIPAA doesn’t protect a disclosure otherwise contrary to more stringent state or federal law – so check state law in particular and then decide if another federal law is involved.
The covered entity must believe the individual constitutes a serious and imminent threat to the health or safety of a person or the public. This means that someone in whom the covered entity has confidence forms the opinion, unless the covered entity is an individual. Who are those persons? They have the ongoing main role to play in helping to meet the HIPAA exception.
The threat must meet the “serious and imminent” standard. These words have meaning. Importantly, however, and unlike some states, this standard does not mean an intended victim must be discreetly identified. The HIPAA exception reaches threats to unknown persons and the public.
The belief must be a “good faith” belief. Even with the very helpful presumption that attaches to a disclosure, this means that before the covered entity can act on the belief of the key individual or individuals who have articulated the belief, it must know the source of information and how the belief was formed.
The disclosure must be to a person or persons reasonably able to prevent or lessen the threat, including the victim (where one is identified) or law enforcement.
We have counseled numerous clients about the use this exception in the face of actual fact scenarios over the years. Fact scenarios range from the threat an intoxicated or impaired driver or pilot poses to vague but credible threats of intentional harm to others. We typically go through the following sequence of questions and considerations, which can often be brief and straightforward:
Has the covered entity documented, or can it document, the thought process leading to the decision to disclose or not disclose? This possible disclosure is after all based on an exception to an otherwise very strict privacy law balanced against a mandatory or permissive state duty or permission to disclose. A covered entity or individual licensee is potentially at risk for either side of the decision, so documentation is equally important whether disclosure is ultimately called for or not.
Who at the covered entity has formed the good faith belief? If the good faith belief is the product of professional judgment based on therapy or professional services, what are the credentials of the person forming the good faith belief, and what is the state law privacy and disclosure standard against which the disclosure may be judged? See the discussion of Nebraska and Iowa law below.
What is the context in which the good faith belief was formed? What makes it credible when uttered or posed by the particular patient? Is it directed toward an employer, ex-spouse, or someone with a real relationship to the patient or is it more vague and general?
Does state law impose a more stringent restraint on making the disclosure? We briefly examine Nebraska and Iowa law below, with particular reference to mental health records and licensure of mental health professionals.
How do other federal laws apply? The other federal law most often implicated is 42 C.F.R. Part 2, dealing with confidential records of alcohol and substance abuse treatment programs.
The decision to disclose ultimately turns on whether the covered entity, and particularly the key individual(s) responsible for the decision, stand by and can document their conclusions after discussion. Lawyers can lay out factors to consider and help interpret state law, but the conclusion about serious and imminent threat of harm rests with health care professionals.
Nebraska law is consistent with the HIPAA exception and does not impose any more stringent standards in real threat scenarios.
The Nebraska Supreme Court in Simonson v. Swenson long ago enunciated the principle in a health care privacy context that an individual’s right of privacy in medical matters “ends where the public peril begins.”3 A treating physician in that case, believing a patient suffered from Syphilis, told residents of the boarding house where the patient lived that he was searching for the patient because he believed the patient suffered from a contagious disease. The Nebraska Supreme Court refused to find that the physician had beached a duty to the patient through the disclosure. While medical science and privacy expectations have advanced, the case continues to support permissive disclosure to prevent or lessen a public peril.
Many years later the U. S. District Court for the District of Nebraska adopted the reasoning in the famous California case of Tarasoff v. Regents of the University of California4 and imposed a duty to warn in Lipari v. Sears Roebuck & Co.5 The Lipari case involved a Veterans Administration patient who had purchased a shotgun at Sears and used it to commit a murder. The family of the victim sued Sears and Sears filed a third-party complaint against the United States under the Federal Tort Claims Act, claiming that the United States was liable to Sears for contributing to the VA’s negligent treatment of the patient. Sears argued that the VA knew, or should have known, that the patient was dangerous to himself and others and have taken appropriate steps. The Court determined that under Nebraska law, the relationship between psychotherapist and patient gives rise to an affirmative duty for the benefit of third persons. The duty requires that the therapist initiate whatever precautions are reasonably necessary to protect potential victims, whether or not identified. The duty arises only when, in accordance with the standards of his or her profession, the therapist knows, or should know, that the patient’s dangerous propensities present an unreasonable risk of harm to others.
Nebraska statutes now provide that therapists licensed under the Mental Health Practice Act cannot disclose information learned in therapy except pursuant to certain exceptions. One such exception is Neb. Rev. Stat. § 38-2137, which states in part:
“There shall be no monetary liability on the part of, and no cause of action shall arise against, any person who is licensed or certified pursuant to the [Act] for failure to warn of and protect from a patient’s violent behavior except when the patient has communicated to the mental health practitioner a serious threat of physical violence against himself, herself, or reasonably identifiable victim or victims.”
The statute goes on to state that the duty to warn is discharged by the mental health professional if reasonable efforts are made to communicate the threat to the victim or victims and to a law enforcement agency. A nearly verbatim statutory duty to warn and similar protection for doing so exists for psychologists.6 Taken together, these authorities easily support a disclosure authority that is at least coextensive with the authority in the HIPAA exception.
Iowa case law appears to limit any duty to disclose to cases where potential victims can be specifically identified and are not otherwise aware of the threat. In Leonard v. State,7 the Iowa Supreme Court held that, although a special relationship existed between a patient and his treating psychiatrist which conferred a duty upon the psychiatric hospital to control the patient’s conduct, or at least to not negligently release him from custody, the psychiatrist owed no duty of care to an individual member of the general public for decisions regarding the treatment and release of the mentally ill person from confinement. This and subsequent cases deal with duty to disclose; no Iowa cases discussing permissive authority to disclose were noted, other than those that discussed a duty and implied permission to disclose coextensive with the duty.
Iowa statutory authority appears to more broadly authorize permissive disclosure as contemplated in the HIPAA exception. Iowa Code § 154C.5 permits a licensed social worker or a person working under the supervision of a licensed social worker to disclose information acquired from persons consulting that person in a professional capacity:
“If the information reveals the contemplation or commission of a crime.”
This permission appears to stand alone – it is not tied to the limiting conditions in case law requiring that specific victims are identifiable and do not already know of the threat. A credible threat to cause harm to the public might support a disclosure to law enforcement if the threat is specific enough to represent contemplation of a crime. Having said that, if this is the extent of permissive authority to disclose in Iowa, it is clearly less broad and more limiting that the HIPAA exception or the Nebraska rule.
Alcohol and Substance Abuse Treatment Providers
Alcohol and drug abuse treatments programs are subject to the separate and more stringent confidentiality rules of 42 C.F.R. Part 2.8 Like HIPAA, Part 2 sets out a blanket prohibition against disclosure of information that could identify an individual as receiving diagnosis or treatment from a covered program, but its exceptions are much narrower than those under HIPAA. Part 2’s confidentiality standards are enforced through criminal sanctions.
The regulations include the following statements of prohibition and exceptions. First, there is the blanket prohibition against disclosure absent an exception. Second, there is an express prohibition against using a patient’s record to make criminal charges against or to investigate a patient.
“[n]o record … may be used to initiate or substantiate any criminal charges against a patient or to conduct any investigation of a patient.”9
This is a very broad and unqualified prohibition against furnishing program-related information to initiate or support an investigation, even if done to warn others of a perceived threat to individuals or the public. The Substance Abuse and Mental Health Services Administration (SAMHSA) and industry justification seems to be while a provider may disclose a threat, the provider cannot detail the basis of its belief or provide any detail that possibly identifies the individual as receiving services covered by Part 2.
Third, there is a Part 2 exception permitting disclosure to law enforcement to report a crime on premises or against program personnel or a threat to commit such a crime, but this in no way authorizes disclosure based on threats to persons or the public outside of the program.10 In fact, taken together, the Part 2 rules do not contain a duty or permission to warn exception and would thus be the more stringent limiting factor if disclosure is needed.
In published FAQs, SAMHSA asks and answers the following question:
“Q5. Does Part 2 permit a healthcare provider to disclose information without consent when there is an immediate threat to the health or safety of an individual or the public?
A5. … If a Part 2 program (or a healthcare provider that has received Part 2 patient information) believes that there is an immediate threat to the health or safety of any individual, there are steps described below that the Part 2 program or healthcare provider can take in such a situation:
Immediate threats to health or safety that do not involve medical emergencies or crimes on programs premises or against program personnel: Part 2 programs and health care providers and HIOs who have received Part 2 patient information, can make reports to law enforcement about an immediate threat to the health or safety of an individual or the public if patient-identifying information is not disclosed. Immediate threats to health or safety that do not involve a medical emergency or crimes (e.g., a fire) are not addressed in the regulations. Programs should evaluate those circumstances individually.”11
This is obviously very limiting and may undercut the effectiveness of a disclosure or the ability to marshal mental health, state, or other resources to voluntarily or involuntarily assess and treat an individual.
The OCR letter is timely, helpful, and fairly represents providers’ authority to disclose under HIPAA. But recognize that under HIPAA and state law, the authority to disclose is an exception to a very broad and strict prohibition, so go through the decision and documentation process very carefully. Nebraska law is consistent with the HIPAA rule; Iowa law is close, with the qualifier that permissive authority seems to turn on whether the threat evidences contemplation of a crime. The alcohol and substance abuse confidentiality rules, on the other hand, will simply be inadequate authority to make meaningful disclosure in many cases.
1 45 C.F.R. § 164.512(j)(1)(i)(A) (emphasis added).
2 Id. at § 164.512(j)(4).
3 177 N.W. 831 (Neb. 1920).
4 551 P.2d 334 (Cal. 1976).
5 497 F. Supp. 185 (D. Neb. 1980).
6 Neb. Rev. Stat. § 38-3132 (2008 Reissue).
7 491 N.W.2d 508 (Iowa 1992).
8 42 U.S.C. § 290dd-2 and 42 C.F.R. Part 2.
9 42 C.F.R. § 2.2(c) (emphasis added).
10 See id. at § 2.12.
11 SAMHSA, Applying the Substance Abuse Confidentiality Regulations (Dec. 14, 2011), available at http://www.samhsa.gov/about/laws/SAMHSA_42CFRPART2FAQII_Revised.pdf.