The rash of mass shootings over the last few months prompted the Department of Health and Human Services Office of Civil Rights (OCR) to send a message to all healthcare providers. In that message, the OCR Director reminded all healthcare providers that the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule does not prohibit healthcare providers from disclosing information about a patient when the patient poses a serious danger to himself or other people.
All healthcare providers know that the HIPAA regulations protect the privacy of health information. Healthcare providers also know they can use and disclose that health information for the purposes of treatment, payment and operations (TPO). However, not all healthcare providers know the circumstances when they may and should share information about their patients, without the patient's consent, in order to prevent or lessen the risk of harm.
The HIPAA regulations allow a healthcare provider to disclose information about a patient without authorization from the patient and without providing the patient an opportunity to agree or object to the disclosure when the disclosure is made to prevent or lessen the risk of harm. The healthcare provider making the disclosure must have a good faith belief that the disclosure is necessary to prevent or lessen a serious or imminent threat to the health or safety of a person or the public. The disclosure must be made to a person that is reasonably able to prevent or lessen the threat.
The HIPAA regulations also allow a healthcare provider to disclose information about their patient without authorization from the patient and without providing the patient an opportunity to agree or object to the disclosure when the information is necessary for law enforcement officials to identify and apprehend an individual. The disclosure must be based upon a statement by the patient admitting participation in a violent crime that the healthcare provider reasonably believed caused serious harm, or where it appears the individual has escaped from lawful custody or a correctional institution.
For each type of disclosure, the healthcare provider must have a good faith belief that the disclosure is necessary to prevent or lessen a serious threat. A healthcare provider is presumed to be acting in good faith when that healthcare provider has actual knowledge of the facts, or the healthcare provider is relying upon credible information provided by a person that is knowledgeable about the facts.
In most cases the disclosure will be to law enforcement. The disclosure may also be made to the intended victim of the threat depending on the information known to the healthcare provider.
The healthcare provider cannot disclose all the protected health information of the individual that poses a threat. The information disclosed under these provisions must be limited to the information necessary for law enforcement officials to identify or apprehend an individual. Basically, the information that may be disclosed is limited to the individual's name, date and place of birth, social security number, blood type, injuries, treatment dates and a description of any distinguishing physical characteristics.
A healthcare provider may not disclose confidential information under this HIPAA regulation if the healthcare provider learned the information in the course of treatment to affect the propensity to commit the criminal conduct that is the basis for the disclosure, or if the information is learned through a request by the individual to initiate treatment to affect the propensity to commit the criminal conduct. Unfortunately, it may be difficult to determine when a patient crosses the line between seeking treatment to affect a propensity to commit a criminal act and becoming a serious and imminent threat to the health or safety of a person or the public. Fortunately, the majority of healthcare providers and facilities faced with these situations have policies and procedures on when, how and most importantly by whom these unauthorized disclosures are made. Healthcare providers should notify the appropriate individuals in their institutions when they have knowledge that one of their patients poses a serious or imminent threat to the health and safety of a person or the public.
All heathcare providers should remember, the HIPAA regulations do not prohibit healthcare providers from sharing confidential information with appropriate authorities when the disclosure is necessary to prevent or lessen the risk of harm to individuals or the general public. A healthcare provider may disclose information without the patient's consent if the disclosure is necessary to prevent or lessen a serious or imminent threat to the health or safety of a person or the public.
Michael L. Smith, JD, RRT is board certified in health law by The Florida Bar and practices at The Health Law Firm in Altamonte Springs, Fla. This article is for general information only and is not a substitute for formal legal advice.