The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) was passed to make healthcare delivery more efficient and to protect the privacy of patients. In general, HIPAA does not distinguish between physical and mental health in protecting patient privacy. While some advocates argue that not distinguishing between physical and mental health is the only way to protect the privacy of those with mental illnesses, others, including many families with loved ones suffering from mental illness, argue that excluding family members from mental health records can have a devastating effect on the patient, the family, and the public.

In May of 2017, a mother and father in Flint, Michigan experienced devastation first hand when a relative living in their home shot their daughter. The family was completely unaware that their relative had been medically declared a “threat” due to her mental illness. Other families around the country have dealt with similar situations, as mental health providers often refuse to share information about diagnosis and treatment with their patients’ families for fear of violating HIPAA privacy laws. It is critical that providers understand when and how they can involve families in the care of patients with mental illnesses.

The Department of Health and Human Services released guidelines in 2014 explaining when providers can share protected health information with a patient’s family:

  • If a patient is present and has the capacity to make healthcare decisions, a provider may communicate with third parties with the patient’s permission.
  • If a patient is not present or is incapacitated, providers can use their professional judgement to communicate with third parties if it is in the best interest of the patient.
  • If a provider determines the patient does not have the capacity to agree or object to the sharing of information, the provider may share that information if it is in the best interest of the patient. 

However, these guidelines also remind providers that state laws or professional ethics may impose stricter limits on sharing a patient’s protected health information with family members. Providers continue to exercise their “professional judgment” with extreme caution, or risk malpractice suits or criminal penalties by breaching their confidentiality obligations or violating established laws. 

Opinions may differ as to whether the provider in the Flint, Michigan case made the correct decision in not disclosing the patient’s mental health condition to the patient’s family. However, many agree that HIPAA’s inherent balancing act between privacy and safety will likely result in similar unfortunate stories appearing in the news.