HHS letter clarifies HIPAA’s Privacy Rule and may have the potential to reduce gun violence.
Shortly after the tragic elementary school shooting at Newtown, Connecticut, President Barack Obama announced a series of nearly two dozen executive actions intended to reduce gun violence. Among these were efforts to clarify federal health information privacy protections and address real or perceived barriers to information sharing between health care professionals and law enforcement officials.
In one of these initiatives, the White House announced that the U.S. Department of Health and Human Services (HHS) would release a letter to health care providers “clarify[ing] that no federal law prohibits [them] from warning law enforcement authorities about threats of violence.” This letter, which was issued in 2013 by the HHS Office for Civil Rights (OCR), explains that a health care provider can share necessary health information when attempting “to warn or report that persons may be at risk of harm because of a patient.”
Now that two years have passed since the horrific event at Sandy Hook and the executive actions it prompted, it is possible to look back and carefully assess the role of health information privacy regulation in addressing gun violence reduction.
In its letter, OCR reminds the health care community that the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule does not prohibit physicians and other medical providers from disclosing patient information when the health care professional believes in good faith that the disclosure is “necessary to prevent or lessen a serious and imminent threat to the health or safety of the patient or others.” The disclosure must be made to someone who is “reasonably able to prevent or lessen the threat,” such as a law enforcement official, family member, school administrator, or “the target of the threat” itself.
In accordance with the presidential initiative, OCR used its letter to reiterate and explain the HIPAA Privacy Rule’s provision on averting serious threats to health and safety, which is one of the “12 national priority purposes” for which HIPAA regulations permit the use and disclosure of protected health information without the patient’s authorization or permission. This standard generally reflects the “duty to warn” potential victims imposed on medical providers in numerous states by common law and statute.
The HIPAA Privacy Rule does not establish its own duty to warn. Rather, it is designed to be “consistent with” the predominant legal and ethical consensus developed over the past 40 years that medical confidentiality should yield to public safety in cases where there is both a serious threat and a reasonably identifiable third party at risk. HIPAA regulations also expressly permit disclosure of health information when “required by law,” including state statutes and regulations. However, the specific provision discussed in OCR’s letter creates additional leeway for health care entities to act in accordance with permissive state laws that allow but do not compel disclosure in these scenarios, as well as with professional codes of conduct advocating “reasonable precautions” when patients make credible threats.
While the “good faith” of health care providers and institutions in making such warnings is usually presumed, releases of health information permitted under this standard are nonetheless intended to “apply in rare circumstances.” The Privacy Rule’s relatively narrow exception was envisioned as an emergency mechanism, requiring a certain level of acuity to overcome the general presumption against disclosure without patient authorization. Thus, the HIPAA Privacy Rule provides a fail-safe lever for doctors to issue alarms in accordance with preexisting legal or ethical obligations, not a blueprint for strategic information exchange with law enforcement agencies.
Although the ability to contact law enforcement, family members, or others when a patient presents a serious and imminent threat has special relevance to mental health practitioners, the scope of HIPAA’s permission is not limited to psychiatric records. The Privacy Rule generally does not distinguish between different types of health information. When state laws accord extra protections to mental health or other categories of especially sensitive records, HIPAA defers to these “more stringent” standards.
Since the physician’s duty to warn stems primarily from state law and professional standards, the correlative HIPAA permission enables health care professionals to act pursuant to these legal or ethical touchstones. Conversely, where state law prohibits such disclosure, it would not be allowed merely because the Privacy Rule permits it. One of the challenges to leveraging HIPAA in gun violence reduction efforts is that even when the Privacy Rule itself does not prevent the release of health information, other laws may still do so. This limits the extent of assurance that OCR can provide to health care providers about the lawfulness of their disclosure.
To many health care practitioners, health privacy law may sometimes seem absolute. But the letter HHS issued in the wake of the Sandy Hook tragedy makes clear that HIPAA protections are not inviolate. The Privacy Rule balances patient privacy and the public interest. It does not stand in the way when professional duty or state law calls for disclosure to lessen serious and imminent threats to safety. This standard underscores the importance of medical providers understanding the laws and ethical norms applicable to their practice. HIPAA need not be a barrier to disclosure in critical situations, but neither is it a gateway to widespread information sharing absent patient authorization.
In a separate essay next week, Major Kels will examine a second executive action the Obama Administration has taken in an effort to reduce gun violence by addressing health information policy.