The HIPAA Privacy Rule establishes national standards to protect individuals’ protected health information (PHI) while permitting certain disclosures when necessary for treatment, safety, or emergency response. But what is an emergency situation?
In typical clinical settings, covered entities (such as health care providers and health plans) must safeguard PHI and generally cannot disclose it without patient authorization. However, HIPAA explicitly allows exceptions in emergency situations, recognizing that protecting life and safety can require sharing information that would otherwise be confidential.
In addition, state laws on duty to warn can apply.
A prominent type of emergency disclosures under HIPAA involves serious and imminent threats to health or safety. If a provider reasonably believes that a patient presents such a threat, whether to themselves or others, the Privacy Rule permits disclosure of PHI to individuals or organizations reasonably able to prevent or lessen the threat. This may include family members, law enforcement, potential victims, or others who can intervene. Importantly, the provider’s belief must be made in good faith and consistent with professional judgment, state law, and ethical standards.
The above is a part of a larger legal concept often referred to as the Duty to Warn. Originating in mental health law, a duty to warn arises when a clinician becomes aware of a credible threat by a patient to harm another person. HIPAA supports disclosures that facilitate warnings or takes protective action so long as they aim to prevent or lessen a serious and imminent threat. Under HIPAA, disclosures can extend beyond law enforcement to include family members or others who may help reduce the risk or are at risk themselves.
Another scenario involves situations where a patient’s behavior signals danger to themselves — such as discontinuing psychotherapy without contact and posing risk of self-harm. HIPAA allows clinicians to use their professional judgment to decide whether contacting a family member is appropriate, especially if such contact could prevent harm. A clinician may consider a patient’s desire not to divulge such information; however, a clinician may ignore prior discussions on the topic if they believe it is in the best interest of the patient, according to their professional judgement.
HIPAA’s emergency disclosure provisions also address community-wide crises, such as natural disasters or mass casualty events. In such severe disasters, covered entities may share information as necessary to coordinate treatment, notify family members of a patient’s location and condition, and support emergency response. These allowances help ensure continuity of care and public safety during extraordinary conditions.
In sum, HIPAA balances individual privacy with the need to protect health and safety, allowing PHI disclosures in clearly defined emergency situations. Understanding these exceptions — especially duty to warn obligations under state law such as for mental health professionals — is essential for compliant, ethical practice.
Areas Covered in the Session
Who should attend?
Mark R. Brengelman is an attorney who has worked across all three branches of state government and retired as an Assistant Attorney General for the Commonwealth of Kentucky. He holds Bachelor’s and Master’s degrees in Philosophy from Emory University and a Juris Doctorate from the University of Kentucky. In his current private practice, he helps clients navigate the law and ethics while making rules understandable, primarily representing health care professionals in licensure and regulatory matters, government health care licensure boards,...