Mental Health

Disclosures of protected health information in a group therapy setting are treatment disclosures and, thus, may be made without an individual’s authorization.

The HIPAA Privacy Rule treats an adult or emancipated minor’s personal representative as the individual for purposes of the Rule regarding the health care matters that relate to the representation, including the right of access under 45 CFR 164.524.

Yes, the Privacy Rule generally allows a parent to have access to the medical records about his or her child, as his or her minor child’s personal representative when such access is not inconsistent with State or other law.

The individual who is the subject of the protected health information can exercise all rights granted by the HIPAA Privacy Rule with respect to all protected health information about him or her, including information obtained while the individual was an unemancipated minor consistent with State or other law.

The HIPAA Privacy Rule would defer to State or other applicable law that addresses the disclosure of health information to a parent about a minor child.

The Privacy Rule does not prohibit a covered entity from obtaining an individual's consent to use or disclose his or her health information and, therefore, presents no barrier to the entity's ability to comply with State law requirements.

The fact that a patient has been

Where the HIPAA Privacy Rule applies, does it allow a health care provider to disclose protected health information (PHI) about a troubled teen to the parents of the teen?

Where the HIPAA Privacy Rule applies, does it permit a health care provider to disclose protected health information (PHI) about a patient to law enforcement, family members, or others if the provider believes the patient presents a serious danger to self or others?

Does the HIPAA Privacy Rule permit a covered entity to disclose psychotherapy notes to or through a health information organization (HIO)?

Can a covered entity use existing aspects of the HIPAA Privacy Rule to give individuals the right to decide whether sensitive information about them may be disclosed to or through a health information organization (HIO)?

In specified circumstances, yes.

Yes. The HIPAA Privacy Rule at 45 CFR 164.510(b) permits covered entities to share with an individual’s family member, other relative, close personal friend, or any other person identified by the individual, the information directly relevant to the involvement of that person in the patient’s care or payment for health care. 

Yes. In recognition of the integral role that family and friends play in a patient’s health care, the HIPAA Privacy Rule allows these routine – and often critical – communications between health care providers and these persons.

Generally, the Privacy Rule applies uniformly to all protected health information, without regard to the type of information.

In situations where the patient is given the opportunity and does not object, HIPAA allows the provider to share or discuss the patient’s mental health information with family members or other persons involved in the patient’s care or payment for care.

Section 164.510(b)(3) of the HIPAA Privacy Rule permits a health care provider, when a patient is not present or is unable to agree or object to a disclosure due to incapacity or emergency circumstances, to determine whether disclosing a patient’s information to the patient’s family, friends, or other persons involved in the patient’s care or payment for care, is in the best interests of the patient.

So long as the patient does not object, HIPAA allows the provider to share or discuss a patient’s mental health information with the patient’s family members.

With respect to general treatment situations, a parent, guardian, or other person acting in loco parentis usually is the personal representative of the minor child, and a health care provider is permitted to share patient information with a patient’s personal representative under the Privacy Rule.

HIPAA defers to state law to determine the age of majority and the rights of parents to act for a child in making health care decisions, and thus, the ability of the parent to act as the personal representative of the child for HIPAA purposes. See 45 CFR 164.502(g).

No. The Privacy Rule distinguishes between mental health information in a mental health professional’s private notes and that contained in the medical record.

The HIPAA Privacy Rule permits a health care provider to disclose information to the family members of an adult patient who has capacity and indicates that he or she does not want the disclosure made, only to the extent that the provider perceives a serious and imminent threat to the health or safety of the patient or others and the family members are in a position to lessen the threat.

Yes. The Privacy Rule permits a health care provider to disclose necessary information about a patient to law enforcement, family members of the patient, or other persons, when the provider believes the patient presents a serious and imminent threat to self or others. The scope of this permission is described in a letter to the nation’s health care providers.

The Privacy Rule permits a HIPAA covered entity, such as a hospital, to disclose certain protected health information, including the date and time of admission and discharge, in response to a law enforcement official’s request, for the purpose of locating or identifying a suspect, fugitive, material witness, or missing person.

A health care provider’s “duty to warn” generally is derived from and defined by standards of ethical conduct and State laws and court decisions such as Tarasoff v. Regents of the University of California.

Student health information held by a school generally is subject to the Family Educational Rights and Privacy Act (FERPA), not HIPAA.

Generally, yes. If a health care power of attorney is currently in effect, the named person would be the patient’s personal representative (The period of effectiveness may depend on the type of power of attorney: Some health care power of attorney documents are effective immediately, while others are only triggered if and when the patient lacks the capacity to make health care decisions and then cease to be effective if and when the patient regains such capacity).

If the patient who has overdosed is incapacitated and unable to agree or object, a doctor may notify a family member, personal representative, or another person responsible for the individual’s care of the patient’s location, general condition, or death. See 45 CFR 164.510(b)(1)(ii). Similarly, HIPAA allows a doctor to share additional information with a patient’s family member, friend, or caregiver as long as the information shared is directly related to the person’s involvement in the patient's health care or payment for care. 45 CFR 164.510(b)(1)(i).ER:

HIPAA expressly defers to the professional judgment of health professionals in making determinations about the nature and severity of the threat to health or safety posed by a patient. OCR would not second guess a health professional’s good faith belief that a patient poses a serious and imminent threat to the health or safety of the patient or others and that the situation requires the disclosure of patient information to prevent or lessen the threat. Health care providers may disclose the necessary protected health information to anyone who is in a position to prevent or lessen the threatened harm, including family, friends, caregivers, and law enforcement, without a patient’s permission.

Yes, under two possible circumstances:

  1. Given that the patient is no longer present, if the therapist determines, based on professional judgment, that there may be an emergency situation and that contacting the family member of the absent patient is in the patient’s best interests; or
  2. If the disclosure is needed to lessen a serious and imminent threat and the family member is in a position to avert or lessen the threat.

Not at the time of disclosure; however, the Notice of Privacy Practices should contain an example of this type of disclosure so patients are informed in advance of that possibility. See 45 CFR 164.520(b).

A health provider that provides treatment for substance use disorders, including opioid abuse, needs to determine whether it is subject to 42 CFR Part 2 (i.e., a “Part 2 program”) and whether it is a covered entity under HIPAA. Generally, the Part 2 rules provide more stringent privacy protections than HIPAA, including in emergency situations. If an entity is subject to both Part 2 and HIPAA, it is responsible for complying with the more protective Part 2 rules, as well as with HIPAA. HIPAA is intended to be a set of minimum federal privacy standards, so it generally is possible to comply with HIPAA and other laws, such as 42 CFR Part 2, that are more protective of individuals’ privacy.

Hospitals may notify family, friends, or caregivers of a patient who has been hospitalized for a psychiatric hold has been admitted or discharged in several circumstances.

HIPAA permits health care providers to disclose to other health providers any protected health information (PHI) contained in the medical record about an individual for treatment, case management, and coordination of care and, with few exceptions, treats mental health information the same as other health information.

HIPAA, with few exceptions, treats all health information, including mental health information, the same. HIPAA allows health care providers to disclose protected health information (PHI), including mental health information, to other public or private-sector entities providing social services (such as housing, income support, job training) in specified circumstances.