HHS “duty to warn” letter highlights conflicting privacy laws | Behavioral Healthcare Executive Skip to content Skip to navigation

HHS “duty to warn” letter highlights conflicting privacy laws

March 14, 2013
by By Renée M. Popovits, J.D.
| Reprints
Exercising "duty to warn" is allowed under HIPAA regs, but problematic under 42 C.F.R. Part 2 statute

In the wake of the Newtown shootings and the national discussion about gun violence, the President’s Executive Action 17 provided for the release of a letter to health care providers stating that “no federal law prohibits them from reporting threats of violence to law enforcement authorities.”  While this action was intended to reassure providers who were uncertain about exercising their “duty to warn” under federal statutes, the statement itself is inaccurate.

Here is why: the January 15, 2013 letter released by HHS addresses the “duty to warn” only in terms of HIPAA Privacy requirements.  While HIPAA is by far the best known and most widely used of federal privacy protections, there is another statute of great importance to behavioral health providers—the federal confidentiality statute and regulations (42 U.S.C. 290 dd-3 and 42 C.F.R. Part 2). The provisions of Part 2 are not dealt with in the January 15 letter, even though they, not HIPAA, shape the decision making of addiction treatment providers nationwide who may hear threats of violence from the individuals in their care. Given the current duty to warn conversation aimed at reducing gun violence, it is important to clarify the specific duty to warn provisions contained in both HIPAA and 42 C.F.R. Part 2.

Section 164.512(j) of HIPAA expressly permits a health care provider to disclose patient information, including information from mental health records, if the provider in good faith believes the disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public.  It also enables a health care provider to make a disclosure to law enforcement officials, family members of the patient, or others who may reasonably be able to prevent or lessen the threat. 

The HHS letter goes on to advise providers to consult state laws and 42 C.F.R. Part 2.  This is critical because 42 C.F.R. Part 2 does not have a “duty to warn” provision and any disclosures made by providers must fit into certain “exceptions” in the regulations.

Thus, a Part 2 program may:

·         Inform law enforcement or others if you obtain a valid court order. See 42 C.F.R. 2.61-2.66;

·         Disclose to law enforcement if an immediate threat to the health or safety of an individual exists due to a crime on program premises or against program personnel. See 42 C.F.R. 2.12(c)(5);

·         Report to health care personnel (not law enforcement) under the medical emergency exception for purposes of “treating a condition which poses an immediate threat to the health of any individual and which requires immediate medical intervention.” See 42 C.F.R. 2.51; or

·         Make such disclosure anonymously without divulging patient identifying information (that you work at an addiction treatment facility or that the person who made the threat is an alcohol or drug abuser). 

Providers also need to check state facility and professional staff licensing laws and ethics standards for compliance.  If clear and imminent danger to a particular person exists, the person identifies a specific victim, has a history of violence, has a plan, and has a means to carry out that plan, providers often err on the side of warning about the danger.  While confidentiality is important, providers must carefully weigh the risks a breach poses against the risks of physical violence/injuries to others as well as exposure to a wrongful death lawsuit.

History shows us that behavioral health providers and the agencies that collaborate with the field consistently search for and find exceptions that enable them to legally and ethically share information that advances the greater good.  But such cooperation does not diminish the importance or need for a significant conversation about the need to update forty year-old regulations and somehow harmonize federal confidentiality protections to meet future needs.

Shortly after the Executive Order and the release of the “duty to warn” letter, HHS issued the new Final HIPAA Omnibus Rule—a major update spurred on by the tide of health reforms and the expanding adoption of EHRs.  Yet, not one of the 563 pages of regulations, updates, and commentary by HHS makes reference to 42 C.F.R. Part 2.  And, although HHS is limited in its ability to fully standardize the treatment of health information due to statutory provisions, this omission amounts to a missed opportunity to address and clarify important confidentiality issues facing our field.  Confidentiality should not equate with silence when our health care delivery system is undergoing such massive reform.

End of Part 1.   Go to Part 2.