With gun violence and mental health concerns in the headlines, the Office of Civil Rights of the Department of Health and Human Services has published a letter to health care providers clarifying when it is permissible to reveal PHI when a patient is reasonably believed to present a serious danger to himself or others.   The long-awaited HIPAA Omnibus Rule, finally released yesterday, also addresses concerns about how to balance patient privacy with public safety.

Long before HIPAA, court decisions have supported the right, and the duty, of health care providers to reveal a patient’s health information where it may be necessary to protect the patient or the public from identifiable risks of harm.  The seminal case is the 1974 decision of the California Supreme Court in Tarasoff v. the Regents of the University of California. In that case, the family of a murder victim brought suit based on the failure of the university psychologist who had treated her killer to warn her that he had threatened her life during therapy sessions. The psychologist had recommended that the patient be hospitalized and did inform campus police, but he was not deemed dangerous enough to detain involuntarily, and later carried out his plan.   This landmark case established a duty of health care providers to warn potential victims and the authorities when an individual makes a credible threat of violence.  Most states follow the Tarasoff rule, either by statute or case law.

As the recent OCR letter indicates, the HIPAA rule permits disclosures in similar situations. 

When a health care provider believes in good faith that such a warning is necessary to prevent or lessen a serious and imminent threat to the health or safety of the patient or others, the Privacy Rule allows the provider, consistent with applicable law and standards of ethical conduct, to alert those persons whom the provider believes are reasonably able to prevent or lessen the threat. Further, the provider is presumed to have had a good faith belief when his or her belief is based upon the provider’s actual knowledge (i.e., based on the provider’s own interaction with the patient) or in reliance on a credible representation by a person with apparent knowledge or authority (i.e., based on a credible report from a family member of the patient or other person). These provisions may be found in the Privacy Rule at 45 CFR § 164.512(j).

Under these provisions, a health care provider may disclose patient information, including information from mental health records, if necessary, to law enforcement, family members of the patient, or any other persons who may reasonably be able to prevent or lessen the risk of harm. For example, if a mental health professional has a patient who has made a credible threat to inflict serious and imminent bodily harm on one or more persons, HIPAA permits the mental health professional to alert the police, a parent or other family member, school administrators or campus police, and others who may be able to intervene to avert harm from the threat.

In the spirit of the "imminent threat" exception, and recalling the famous Tarasoff decision quote, "The protective privilege ends where the public peril begins,"  the Omnibus rule resolves a controversy over when and how student immunization records may be shared with school officials. The rule simplifies the process to permit oral or written authorization to health care providers or other covered entities to supply this information to schools where required by state law for admission. 

The final rule adopts the proposal to The final rule adopts the proposal to amend § 164.512(b)(1) by adding a new paragraph that permits a covered entity to disclose proof of immunization to a school where State or other law requires the school to have such information prior to admitting the student. While written authorization will no longer be required to permit this disclosure, covered entities will still be required to obtain agreement, which may be oral, from a parent, guardian or other person acting in loco parentis for the individual, or from the individual himself or herself, if the individual is an adult or emancipated minor. We believe that the option to provide oral agreement for the disclosure of student immunization records will relieve burden on parents, schools, and covered entities, and greatly facilitate the role that schools play in public health, while still giving parents the opportunity to consider whether to agree to the disclosure of this information.

Documentation of the parental permission is still required, but the form of that documentation is up to the covered entity.  Note that once a school is in possession of a student’s PHI, the school’s handling of those records is governed by the Family Educational Rights and Privacy Act (FERPA), not HIPAA.

The Omnibus rule is described by OCR director Leon Rodriguez as making "the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented."  Many of these changes appeared in the Notice of Proposed Rulemaking published on July 14, 2010.  We will be analyzing these changes in forthcoming posts in the near future.   

In light of the Obama Administration’s initiatives following the Sandy Hook, CT and Aurora, CO tragedies, HHS appears to be responding to criticism of overly restrictive privacy rules that allegedly would have prevented disclosure of mental health information that may have saved lives.  Clearly the current rules permit disclosure of imminent, concrete threats directed at specific targets, and there is no indication that either of the gunmen had expressed any such threats in advance to healthcare providers or otherwise.  Nevertheless, the time may be right to dispel any misinformation about when such threats can be legally communicated to authorities and potential victims.