HIPAA and Emergency Disclosures

The HIPAA Privacy Rule establishes national standards to protect individuals’ protected health information (PHI) while permitting certain disclosures when necessary for treatment, safety, or emergency response. But what is an emergency?

In typical clinical settings, covered entities (such as health care providers and health plans) must safeguard PHI and generally cannot disclose it without patient authorization. However, HIPAA explicitly allows exceptions in emergencies, recognizing that protecting life and safety can require sharing information that would otherwise be confidential.

In addition, state laws on duty to warn can apply.

A prominent type of emergency disclosures under HIPAA involves serious and imminent threats to health or safety. If a provider reasonably believes that a patient presents such a threat, whether to themselves or others, the Privacy Rule permits disclosure of PHI to individuals or organizations reasonably able to prevent or lessen the threat. This may include family members, law enforcement, potential victims, or others who can intervene. Importantly, the provider’s belief must be made in good faith and consistent with professional judgment, state law, and ethical standards. 

The above is a part of a larger legal concept often referred to as the Duty to Warn. Originating in mental health law, a duty to warn arises when a clinician becomes aware of a credible threat by a patient to harm another person. HIPAA supports disclosures that facilitate warnings or take protective action so long as they aim to prevent or lessen a serious and imminent threat. Under HIPAA, disclosures can extend beyond law enforcement to include family members or others who may help reduce the risk or are at risk themselves.

Another scenario involves situations where a patient’s behavior signals danger to themselves, such as discontinuing psychotherapy without contact and posing a risk of self-harm. HIPAA allows clinicians to use their professional judgment to decide whether contacting a family member is appropriate, especially if such contact could prevent harm. A clinician may consider a patient’s desire not to divulge such information; however, a clinician may ignore prior discussions on the topic if they believe it is in the best interest of the patient, according to their professional judgement. 

HIPAA’s emergency disclosure provisions also address community-wide crises, such as natural disasters or mass casualty events. In such severe disasters, covered entities may share information as necessary to coordinate treatment, notify family members of a patient’s location and condition, and support emergency response. These allowances help ensure continuity of care and public safety during extraordinary conditions.

In sum, HIPAA balances individual privacy with the need to protect health and safety, allowing PHI disclosures in clearly defined emergencies. Understanding these exceptions, especially duty to warn obligations under state law, such as for mental health professionals, is essential for compliant, ethical practice.

• Definitions and scope of HIPAA privacy protections
• Emergency disclosures under HIPAA (serious and imminent threats)
• Good faith belief standard for emergency disclosure
• Duty to Warn and how HIPAA supports necessary disclosures
• Permissible recipients of emergency disclosures (family, law enforcement, others)
• Use of professional judgment in deciding to disclose
• Emergencies in disasters (location, condition, coordinating care)
• Public health emergency waivers and limits 

Know your patient’s privacy rights under HIPAA, and when you can breach that confidentiality in an emergency situation, and what you can and need to do in an emergency.

Find out how HIPAA rules and exceptions emerge when situations turn into emergencies and how the duty to warn applies when such an exemption is invoked.

Healthcare practitioners who may work in emergency environments or who may have patients who find themselves in emergencies.