duty to warn

Subscribe to duty to warn

I was recently asked whether the sending of an unencrypted group email to participants in a health-related support group violated HIPAA.  Faithful blog readers can guess my first question:  “Was the sender a covered entity, business associate, or subcontractor?”  Many support group entities are non-profit organizations staffed by volunteers and do not meet the definition of a covered entity “health care provider” (or other type of covered entity) under the HIPAA regulations (see 45 CFR 160.103).  Participants in support groups may expect the fact that they participate in the group and the information they disclose to be held in confidence by the organizers and other participants, but HIPAA may or may not protect that information.  (Whether other federal laws, state laws, or codes of ethics may protect the privacy of the information is beyond the scope of this post.)

When HIPAA applies, support group organizers (and other providers) should remember to use caution when sending group emails.  Does the group email list the email addresses of other participants?  Not only does this listing of participant email addresses, by itself, potentially constitute protected health information (PHI), but a participant’s inadvertent “reply all” message (intended for a support group therapist alone, for example) raises sticky HIPAA issues.  Health information disclosed by the individual to another support group participant falls outside the definition of “individually identifiable health information” under the HIPAA regulations and so is not HIPAA-protected PHI.  Still, a covered entity should be very careful to limit how and when email and social media are used to communicate with both individual patients and members of a support group.  While it does not solve the problem, perhaps all messages sent to more than one participant by a support group organizer should be sent as a “bcc” to limit disclosure.

The U.S. Department of Health and Human Services addressed whether covered entities have a “duty to warn” individuals that agree to receive unencrypted emails as a means of communication in the Omnibus Rule adoption:

“We clarify that covered entities are permitted to send individuals unencrypted emails if they have advised the individual of the risk, and the individual still prefers the unencrypted email.  We disagree [with some commenters] that the “duty to warn” individuals of risks associated with unencrypted email would be unduly burdensome … We do not expect covered entities to educate individuals about encryption technology and the information security.  Rather, we merely expect the covered entity to notify the individual that there may be some level of risk that the information in the email could be read by a third party … .”  [78 Fed. Reg. 5566, 5634]

Covered entities, business associates and subcontractors that get an individual’s permission to communicate via unecrypted email might want to include some type of bold warning as to limits of HIPAA protection.  Although voluntary participants in support groups may seem most likely to understand and have agreed to disclosure and use of their PHI within the group, it’s important to set ground rules and remind participants as to when (or whether) HIPAA applies – particularly if email or social media is involved.  Before accepting email addresses or allowing individuals to participate in any other unencrypted means of electronic communication, a covered entity might want to put its HIPAA warning — or disclaimer — in big, bold, easy-to-understand writing.

With gun violence and mental health concerns in the headlines, the Office of Civil Rights of the Department of Health and Human Services has published a letter to health care providers clarifying when it is permissible to reveal PHI when a patient is reasonably believed to present a serious danger to himself or others.   The long-awaited HIPAA Omnibus Rule, finally released yesterday, also addresses concerns about how to balance patient privacy with public safety.

Long before HIPAA, court decisions have supported the right, and the duty, of health care providers to reveal a patient’s health information where it may be necessary to protect the patient or the public from identifiable risks of harm.  The seminal case is the 1974 decision of the California Supreme Court in Tarasoff v. the Regents of the University of California. In that case, the family of a murder victim brought suit based on the failure of the university psychologist who had treated her killer to warn her that he had threatened her life during therapy sessions. The psychologist had recommended that the patient be hospitalized and did inform campus police, but he was not deemed dangerous enough to detain involuntarily, and later carried out his plan.   This landmark case established a duty of health care providers to warn potential victims and the authorities when an individual makes a credible threat of violence.  Most states follow the Tarasoff rule, either by statute or case law.

As the recent OCR letter indicates, the HIPAA rule permits disclosures in similar situations. 

When a health care provider believes in good faith that such a warning is necessary to prevent or lessen a serious and imminent threat to the health or safety of the patient or others, the Privacy Rule allows the provider, consistent with applicable law and standards of ethical conduct, to alert those persons whom the provider believes are reasonably able to prevent or lessen the threat. Further, the provider is presumed to have had a good faith belief when his or her belief is based upon the provider’s actual knowledge (i.e., based on the provider’s own interaction with the patient) or in reliance on a credible representation by a person with apparent knowledge or authority (i.e., based on a credible report from a family member of the patient or other person). These provisions may be found in the Privacy Rule at 45 CFR § 164.512(j).

Under these provisions, a health care provider may disclose patient information, including information from mental health records, if necessary, to law enforcement, family members of the patient, or any other persons who may reasonably be able to prevent or lessen the risk of harm. For example, if a mental health professional has a patient who has made a credible threat to inflict serious and imminent bodily harm on one or more persons, HIPAA permits the mental health professional to alert the police, a parent or other family member, school administrators or campus police, and others who may be able to intervene to avert harm from the threat.

In the spirit of the "imminent threat" exception, and recalling the famous Tarasoff decision quote, "The protective privilege ends where the public peril begins,"  the Omnibus rule resolves a controversy over when and how student immunization records may be shared with school officials. The rule simplifies the process to permit oral or written authorization to health care providers or other covered entities to supply this information to schools where required by state law for admission. 

The final rule adopts the proposal to The final rule adopts the proposal to amend § 164.512(b)(1) by adding a new paragraph that permits a covered entity to disclose proof of immunization to a school where State or other law requires the school to have such information prior to admitting the student. While written authorization will no longer be required to permit this disclosure, covered entities will still be required to obtain agreement, which may be oral, from a parent, guardian or other person acting in loco parentis for the individual, or from the individual himself or herself, if the individual is an adult or emancipated minor. We believe that the option to provide oral agreement for the disclosure of student immunization records will relieve burden on parents, schools, and covered entities, and greatly facilitate the role that schools play in public health, while still giving parents the opportunity to consider whether to agree to the disclosure of this information.

Documentation of the parental permission is still required, but the form of that documentation is up to the covered entity.  Note that once a school is in possession of a student’s PHI, the school’s handling of those records is governed by the Family Educational Rights and Privacy Act (FERPA), not HIPAA.

The Omnibus rule is described by OCR director Leon Rodriguez as making "the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented."  Many of these changes appeared in the Notice of Proposed Rulemaking published on July 14, 2010.  We will be analyzing these changes in forthcoming posts in the near future.   

In light of the Obama Administration’s initiatives following the Sandy Hook, CT and Aurora, CO tragedies, HHS appears to be responding to criticism of overly restrictive privacy rules that allegedly would have prevented disclosure of mental health information that may have saved lives.  Clearly the current rules permit disclosure of imminent, concrete threats directed at specific targets, and there is no indication that either of the gunmen had expressed any such threats in advance to healthcare providers or otherwise.  Nevertheless, the time may be right to dispel any misinformation about when such threats can be legally communicated to authorities and potential victims.