Confidentiality Dilemmas: HIPAA, Friend or Foe?

Bright Studio/AdobeStock

Case 1

On your emergency department (ED) shift, you are psychiatrically evaluating a patient for erratic behavior. She shows signs of psychosis but objects to treatment and to staff corresponding with personal or professional contacts. You notice phone numbers for collateral contacts in her chart and are considering whether to call for more information despite her objection.

Case 2

Later that same day, an outpatient in your afternoon clinic who has appeared increasingly ill does not attend his appointment. His phone is no longer in service, but his medical chart lists the number of a family member with whom you have never corresponded. You are concerned about the patient’s safety and consider calling the family member for more information.

The Health Insurance Portability and Accountability Act (HIPAA) legislation facilitated the transition to electronic health records and aimed to prevent large-scale abuse of health information, but in clinical settings, the law has become virtually synonymous with patient privacy. Although the HIPAA Privacy Rule aims to “allow the flow of health information needed to provide and promote high-quality health care,”¹ liability anxiety and misinformation have led to institutional policies and individual practices that sometimes complicate necessary exchanges of protected health information (PHI). There are no systematic data on failures to communicate PHI necessary for treatment, but published articles and clinical experience suggest they continue to be widespread.^2-5 Even as evolving health information exchange systems like Epic’s Care Everywhere expand clinician access to PHI within an electronic medical record system, coordination across disjointed care systems remains contingent on the clinician’s ability to navigate common logistical, legal, and ethical challenges.

The stakes are high in community psychiatry. Accurate diagnosis and optimal treatment depend on a comprehensive history. For patients impaired by severe mental illness and lacking family support, communication between a network of treating clinicians spanning health care systems and government agencies can be necessary for making immediate triage decisions and starting appropriate treatment promptly. Logistical barriers can make this challenging task feel insurmountable. When patients object, competing obligations to respect patient autonomy and provide decent care complicate things further. Clinicians can ensure high-quality care by remaining informed about legal and ethical considerations in navigating patient privacy dilemmas while feeling empowered to use their judgment in ambiguous situations.

The History of the HIPAA Privacy Rule

HIPAA was enacted by the US Congress in 1996 to facilitate the transition to electronic recordkeeping for health care delivery, coordination, and payment. HIPAA called for establishing PHI privacy standards to address the unregulated access of insurance companies and managed care companies to individual health information that had traditionally been privy only to confidentiality-bound physicians.⁶ Congress failed to pass such standards, and the task was delegated to the US Department of Health and Human Services (HHS), which published the Privacy Rule and set an initial compliance deadline of April 2003. Since then, the Privacy Rule has undergone several updates, with a Final Regulation published in 2013.⁷

The Privacy Rule applies to any health care provider who transmits PHI electronically for payment. It takes precedence over state privacy laws except those that enforce stricter protections; state-by-state legislation is thus relevant but beyond the scope of this review. It establishes civil penalties for certain compliance failures, enforceable by HHS, and criminal penalties for willful violations under false pretenses, enforceable by the US Department of Justice.

The Privacy Rule requires written authorization before using or disclosing PHI. Exempt situations, which include most circumstances encountered in the physician-patient treatment relationship, either fully exempt clinicians from pursuing consent or exempt them from obtaining written authorization but require them to provide an informal opportunity for the patient to object.

The Privacy Rule fully exempts clinicians from obtaining consent for information disclosures made for treatment. A plain language summary published by HHS explains that clinicians are “permitted, but not required, to use and disclose protected health information, without an individual’s authorization, for the... purpose of treatment […and] may rely on professional ethics and best judgments in deciding which of these permissive uses and disclosures to make.”¹

Regarding PHI disclosure to a patient’s personal contact, the Privacy Rule again exempts clinicians from obtaining written authorization but expects them to provide the patient with an opportunity to object unless certain criteria are present¹: “Informal permission may be obtained by asking the individual outright, or by circumstances that clearly give the individual the opportunity to agree, acquiesce, or object. Where the individual is incapacitated, in an emergency situation, or not available, covered entities generally may make such uses and disclosures, if in the exercise of their professional judgment, the use or disclosure is determined to be in the best interests of the individual.”

In other words, if a patient lacks “capacity to agree or object to the sharing of personal health information at a particular time,” including for psychiatric reasons,⁸ or the clinician believes the patient is in an emergency, it is again up to the clinician to determine whether to disclose PHI to a personal contact. Of note, listening to a personal contact express their concerns about a patient’s mental illness does not constitute a use or disclosure and may be kept confidential from the patient if requested by the concerned party.⁹

Finally, the Privacy Rule fully exempts clinicians from obtaining consent to disclose PHI to anyone if the disclosure is “necessary to prevent or lessen a serious and imminent threat to a person or the public [and] when such disclosure is made to someone they believe can prevent or lessen the threat.”¹ This exemption may apply to acute psychiatric decompensations if good faith clinical judgment supports it.¹⁰

The Role of HIPAA

Let us return to our clinical case vignettes and apply the Privacy Rule.

Case 1

A patient is brought by police to a psychiatric ED after yelling nonsensically at passersby on the street. There, she is psychomotor agitated, thought disordered, and internally preoccupied and is unable to provide an account of the circumstances leading to her presentation. She clearly objects to treatment; she minimizes evident symptoms, objects to staff corresponding with personal or professional contacts in her chart, declines intervention, and requests discharge. Her medical chart has prior ED visit notes that do not elucidate her psychiatric history but contain phone numbers for a case manager and personal contact. You are tasked with determining whether she requires involuntary psychiatric hospitalization and are considering whether to call these numbers despite her stated objection.

The HIPAA Privacy Rule permits the exchange of PHI with this patient’s case manager for treatment if the clinician believes the exchange aligns with their professional ethics and best judgment. By contrast, it requests the patient be given an “opportunity to object” before calling a personal contact. However, if the patient does not have the capacity to object, is in emergent condition, or presents a serious and imminent threat that this personal contact could reasonably mitigate, then the clinician may make their own determination regarding the appropriateness of calling the personal contact over the patient’s objection.

Case 2

Your outpatient stops presenting to scheduled appointments. At previous appointments, he has appeared increasingly disheveled, thought disordered, and paranoid. You call his number and find that his phone is no longer in service. You notice that his medical chart contains the number of a family member with whom you have never corresponded. Because you are concerned about his safety, you consider calling the family member for information about the patient’s whereabouts and clinical status despite never having discussed reaching out to this family member with your patient.

In this example, the patient is not available to object to a phone call. Whether to contact the family member is strictly a matter of clinical judgment.

The Role of Ethics

As illustrated, when it comes to navigating common privacy dilemmas in treating patients with mental illnesses, the Privacy Rule rarely dictates whether clinicians should use and disclose PHI but empowers them to make their determinations based on sound clinical judgment and professional ethics. This determination can only be made on a case-by-case basis, taking the full treatment context into account, but universal considerations can help clarify the clinician’s decision-making process.

Although ethics education varies dramatically, some clinicians may be familiar with the 4 core bioethical principles that apply to medical decision-making: autonomy, nonmaleficence, beneficence, and justice.¹¹ PHI privacy dilemmas often involve a conflict between autonomy, or the patient’s right to determine for themselves who has access to their PHI, and beneficence, or the clinician’s duty to provide a benefit to the patient that is contingent upon an autonomy violation (exchanging PHI in violation of their preference). Nonmaleficence, or the clinician’s duty to minimize harms associated with therapeutic actions (including the exchange of PHI and the potential treatment), often conflicts with beneficence. Justice, or the clinician’s duty to make fair and equitable treatment decisions, highlights the importance of systematically applying these principles to all privacy dilemmas to counter personal and institutional biases that discriminate against community patients with mental illness.

Using a paradigm suggested by Lo et al,⁴ clinicians faced with a privacy dilemma can ask themselves:

• “Is this communication pertinent to providing a likely and important clinical benefit? Likewise, if omitted, is it likely to significantly compromise patient care?”
• “Are the potential harms of the communication low or proportional to the potential benefit?”

Some special considerations pertain to privacy dilemmas in patients with mental illness. When weighing autonomy, we can consider whether a patient’s information disclosure preference aligns with their values and goals or appears to be driven by illness-related impairments in executive functioning. When weighing beneficence, we can consider whether the communication is likely to significantly inform a patient’s risk assessment, mitigate a patient’s high level of risk, or connect them to treatment likely to significantly modify illness-related suffering, functioning, and quality of life. When weighing nonmaleficence, we can consider whether the communication will likely have significant negative consequences for the patient’s housing, occupational, or social support needs. We can also consider whether the communication, as an autonomy violation, is likely to negatively impact the treatment relationship to such an extent that it might preclude or negate the potential treatment benefits of the communication. As always, we think about the medical risks of the potential treatment itself.

The larger treatment context informs how clinicians weigh each ethical obligation. Suppose a clinician determines an objecting patient to require involuntary hospitalization because they judge the benefit of immediate treatment to outweigh autonomy and potential harm. In that case, they may prioritize acquiring the information needed to optimize that treatment benefit and restore the patient’s future autonomy over the patient’s current autonomy to refuse PHI exchange. Suppose a clinician has a long-term therapeutic relationship with a patient not in emergent condition. In that case, they may prioritize autonomy and nonmaleficence (avoiding harm to the treatment relationship) over the beneficence associated with an information exchange to which the patient objects.

Concluding Thoughts

Confidentiality dilemmas are commonplace in community mental health practice and can be exacerbated by common misunderstandings about the HIPAA Privacy Rule. We reviewed pertinent Privacy Rule standards and ethical considerations to guide clinical decision-making. Far from generalizable, the determination to disclose PHI for treatment requires a thoughtful and dynamic consideration of each case.

HHS maintains a website for health care professionals providing clear guidance on how the Privacy Rule applies to specific situations, both commonly encountered and unusual. The guidance is more permissive of disclosures than many clinicians would expect based on the ubiquity of privacy safeguards encountered in the clinical setting. We recommend reviewing both the Plain Language Summary of the HIPAA Privacy Rule¹ and the Frequently Asked Questions for Professionals,^8-10 which contains 35 scenarios unique to mental health and dozens more covering disclosures to family members, in emergencies, involving telehealth, related to judicial proceedings such as civil commitment, and related to mandated reporting.

Dr Keltz is a psychiatric resident at NYU Grossman School of Medicine in New York, New York. Dr Belcher is a clinical assistant professor in the Department of Psychiatry at NYU Grossman School of Medicine.

References

1. US Department of Health and Human Services. OCR Privacy Brief: Summary of the HIPAA Privacy Rule. Revised May 2003. Accessed August 28, 2024. https://www.hhs.gov/sites/default/files/privacysummary.pdf

2. Hickey K, Walther C, King J, et al. Connecting law enforcement and emergency department providers to improve access to mental health services. J Psychosoc Nurs Ment Health Serv. 2020;58(8):24-30.

3. Touchet BK, Drummond SR, Yates WR. Brief reports: the impact of fear of HIPAA violation on patient care. Psychiatr Serv.2004;55(5):575-576.

4. Lo B, Dornbrand L, Dubler NN. HIPAA and patient care: the role for professional judgment. JAMA. 2005;293(14):1766-1771.

5. Berwick DM, Gaines ME. How HIPAA harms care, and how to stop it. JAMA. 2018;320(3):229-230.

6. Appelbaum PS. Privacy in psychiatric treatment: threats and responses. Am J Psychiatry. 2002;159(11):1809-1818.

7. Tovino SA. Teaching the HIPAA privacy rule. St Louis Univ Law J. 2017;61(3):469-494.

8. Health information privacy: FAQ 2090. US Department of Health and Human Services. Updated September 12, 2017. Accessed August 28, 2024. https://www.hhs.gov/hipaa/for-professionals/faq/2090/when-does-mental-illness-or-another-mental-condition-constitute-incapacity-under-privacy-rule.html 

9. Health information privacy: FAQ 2095. US Department of Health and Human Services. Updated September 12, 2017. Accessed August 28, 2024. https://www.hhs.gov/hipaa/for-professionals/faq/2095/what-options-do-family-members-adult-patient-mental-illness-have-if-they-are-concerned-about.html 

10. Health information privacy: FAQ 520. US Department of Health and Human Services. Updated July 26, 2023. Accessed August 28, 2024. https://www.hhs.gov/hipaa/for-professionals/faq/520/does-hipaa-permit-a-health-care-provider-to-disclose-information-if-the-patient-is-a-danger/index.html 

11. Beauchamp TL, Childress JF. Principles of Biomedical Ethics. 5th ed. Oxford University Press; 2001.