<img height="1" width="1" src="https://www.facebook.com/tr?id=156746741685952&amp;ev=PageView &amp;noscript=1">
Show all

HIPAA Privacy Rules, Mental Health, and Addiction: When can PHI be shared without consent?

HIPAA is designed to protect patient confidentiality.

What happens when patient confidentiality conflicts with a patient being able to receive the best care possible? 

In cases of mental health and addiction, such as the current opioid overdose crisis, there are situations in which a covered healthcare provider may share protected health information (PHI) to help the patient. 

In this post, we’ll share guidance on sharing protected information to prevent harm in both mental health and opioid overdose situations.

While HIPAA may permit disclosure of patient information, there may be other overlapping privacy laws related to individual states or other regulations that need to be taken into consideration before information is shared.

Mental Health and Privacy

When addressing mental health issues, HIPAA rules provide guidance on sharing patient information to ensure that the patient receives the best treatment and care possible. Disclosure of information is also acceptable when the health and safety of the patient and others is at risk. 

Communicate with a patient’s family members, friends, and others involved in the patient’s care. If a patient is present and has the capacity to make decisions, and does not object; a healthcare professional can discuss treatment or payment issues. 

If not present or incapacitated (intoxicated or experiencing temporary psychosis, for example), the patient’s information can be shared if the provider, in his or her professional judgement, determines that doing so in the patient’s best interests. Section 164.510(b)(3) of the HIPAA Privacy Rule explains this permission.

Patient with mental illness not taking medication. If a patient doesn’t object, a provider can share patient information with family members. If a patient does object, but the provider believes that the unmedicated patient poses serious and imminent danger to herself or others, then the provider can share pertinent information, if consistent with applicable law and standards of ethical conduct. 

Communications with law enforcement. The Privacy Rule permits a doctor to contact family or law enforcement if the doctor believes that such a warning is needed to prevent or at least lessen an imminent threat to the health or safety of the patient or others. For instance, if a patient makes a credible threat to do harm to someone, a mental health professional can alert police, school administrators, family, and others who may be able to intervene. 

Your practical guide to HIPAA compliance 24By7Security

HIPAA Privacy and Opioid Overdose

Sadly, opioid addiction continues to hold sway across much of the United States. Despite HIPAA regulations that allow healthcare providers to share PHI with family members, confusion remains. 

Healthcare providers can share information related to the care and treatment of a patient in a crisis situation, such as a drug overdose. If the provider determines that the best interests of an incapacitated or unconscious patient involves sharing information with family or close friends, they can do so. 

However, while they can share information about the overdose, a healthcare provider cannot share medical information unrelated to ongoing care and treatment of the patient. 

HIPAA and Changes to Decision-Making Capacity

Regardless of whether a patient can or cannot make a decision due to a mental health or an overdose issue, the situation can change. 

Because the inability to make a decision can be temporary, a healthcare provider must give the patient a chance to decide whether to continue to share information or not when the patient is once again able to make a decision. For instance, someone intoxicated to the point of unconsciousness or incoherence will eventually become sober. The patient can then object to future information sharing. However, as already described, the provider can still share PHI if, in their professional judgement, the patient poses a serious and imminent threat to himself or others. 

Healthcare Power of Attorney

A patient’s “personal representative” has authority, under applicable law, to make healthcare decisions for a patient. They have the same rights of access to health information as the patient. A provider may refuse to share information if they believe that the personal representative has subjected the patient to violence, abuse, or neglect. 

Patient Care Outweighs Patient Privacy

Simply stated, the rules around HIPAA privacy are designed to ensure the best possible healthcare outcome for the patient. For patients who are unable to make decisions for themselves, their PHI can be shared with loved ones to ensure care.

There is also a “duty to warn” in situations where the patient is a danger to him/herself or others. 

The U.S. Department of Health and Human Services has a page devoted to explaining situations when sharing PHI is permissible. You can explore the details here.

Rema Deo
Rema Deo

As CEO and Managing Director of 24By7Security, Inc., Rema is a highly experienced and credentialed information security professional. Among her certifications are PCI Qualified Security Assessor (QSA) from PCI SSC, Health Care Information Security & Privacy Practitioner (HCISPP) from (ISC)2, Certified Information Security Manager (CISM), and Certified Information Security Auditor (CISA) from ISACA. She also holds a certificate in Cybersecurity: Technology, Application, and Policy from the Massachusetts Institute of Technology, and Certified Data Privacy Practitioner (CDPP) from Network Intelligence. She earned her MBA from Symbiosis Institute of Business Management in Pune, India, and her Bachelor of Commerce degree from the University of Bombay. Be sure to follow the 24By7Security Blog for valuable insights from Rema and her colleagues.

Related posts

August, 22 2023
May, 23 2023
March, 7 2023

Comments are closed.

What to Include in Your Incident Response Plan
How to Protect Your Business From Password Spraying
Subscribe to our Blog!