patient’s right of access to protected health information gives family members the ability to disclose relevant
safety information with health care providers without fear of disrupting the family’s relationship with the patient.
Does HIPAA permit a doctor to contact a patient’s family or law enforcement if
the doctor believes that the patient might hurt herself or someone else?
Yes. The Privacy Rule permits a health care provider to disclose necessary information about a patient to law
enforcement, family members of the patient, or other persons, when the provider believes the patient presents
a serious and imminent threat to self or others. The scope of this permission is described in a letter to the
nation’s health care providers - PDF
Specifically, when a health care provider believes in good faith that such a warning is necessary to prevent or
lessen a serious and imminent threat to the health or safety of the patient or others, the Privacy Rule allows the
provider, consistent with applicable law and standards of ethical conduct, to alert those persons whom the
provider believes are reasonably able to prevent or lessen the threat. These provisions may be found in the
Privacy Rule at 45 CFR § 164.512(j).
Under these provisions, a health care provider may disclose patient information, including information from
mental health records, if necessary, to law enforcement, family members of the patient, or any other persons
who may reasonably be able to prevent or lessen the risk of harm. For example, if a mental health professional
has a patient who has made a credible threat to inflict serious and imminent bodily harm on one or more
persons, HIPAA permits the mental health professional to alert the police, a parent or other family member,
school administrators or campus police, and others who may be able to intervene to avert harm from the threat.
In addition to professional ethical standards, most States have laws and/or court decisions which address, and
in many instances require, disclosure of patient information to prevent or lessen the risk of harm. Providers
should consult the laws applicable to their profession in the States where they practice, as well as 42 USC
290dd-2 and 42 CFR Part 2 under Federal law (governing the disclosure of alcohol and drug abuse treatment
records) to understand their duties and authority in situations where they have information indicating a threat to
public safety. Note that, where a provider is not subject to such State laws or other ethical standards, the
HIPAA permission still would allow disclosures for these purposes to the extent the other conditions of the
permission are met.
If a law enforcement officer brings a patient to a hospital or other mental health
facility to be placed on a temporary psychiatric hold, and requests to be notified if
or when the patient is released, can the facility make that notification?
The Privacy Rule permits a HIPAA covered entity, such as a hospital, to disclose certain protected health
information, including the date and time of admission and discharge, in response to a law enforcement official’s
request, for the purpose of locating or identifying a suspect, fugitive, material witness, or missing person. See
45 CFR § 164.512(f)(2). Under this provision, a covered entity may disclose the following information about an
individual: name and address; date and place of birth; social security number; blood type and rh factor; type of
injury; date and time of treatment (includes date and time of admission and discharge) or death; and a
description of distinguishing physical characteristics (such as height and weight). However, a covered entity
may not disclose any protected health information under this provision related to DNA or DNA analysis, dental
records, or typing, samples, or analysis of body fluids or tissue. The law enforcement official’s request may be
made orally or in writing.
Other Privacy Rule provisions also may be relevant depending on the circumstances, such as where a law
enforcement official is seeking information about a person who may not rise to the level of a suspect, fugitive,
material witness, or missing person, or needs protected health information not permitted under the above
provision. For example, the Privacy Rule’s law enforcement provisions also permit a covered entity to respond
to an administrative request from a law enforcement official, such as an investigative demand for a patient’s
protected health information, provided the administrative request includes or is accompanied by a written
statement specifying that the information requested is relevant, specific and limited in scope, and that de-
identified information would not suffice in that situation. The Rule also permits covered entities to respond to
court orders and court-ordered warrants, and subpoenas and summonses issued by judicial officers. See 45
CFR § 164.512(f)(1). Further, to the extent that State law may require providers to make certain disclosures,
6