HIPAA
Learn about HIPAA and how to approach patient confidentiality when trying to support a loved one with SMI.
What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) protects health information and patient records. Some providers treat HIPAA as a blanket nondisclosure policy, but families need to know that HIPAA was never intended to block care coordination and there are important allowances related to psychiatric treatment.
Providers are allowed to use professional judgment about what needs to be shared with care partners to lessen a serious threat to health or safety or to support a safe and appropriate discharge. Information can also be shared in situations where the patient does not object to information being shared with their caregivers, when offered the option, regardless of whether a formal release of information (ROI) has been signed.
The U.S. Department of Health and Human Services (HHS) provides a 13-page question-and-answer handout with specific information about permitted disclosures related to mental health. Included is this statement: “In recognition of the integral role that family and friends play in a patient’s health care, the HIPAA Privacy Rule allows these routine – and often critical – communications between health care providers and these persons.”
Federal guidance specifies when a provider may share information for a patient who does or doesn’t have the capacity for informed decision-making. “Where a patient is present and has the capacity to make health care decisions,” the document states, “health care providers may communicate with a patient’s family members, friends, or other persons the patient has involved in his or her health care or payment for care, so long as the patient does not object.”
Additionally, the document clarifies, “Where a patient is not present or is incapacitated, a health care provider may share the patient’s information with family, friends, or others involved in the patient’s care or payment for care, as long as the health care provider determines, based on professional judgment, that doing so is in the best interests of the patient.”
Why does HIPAA keep getting in the way?
HIPAA was enacted in 1996 as a response to the increasingly frequent need to transfer health information from provider to provider, often because people move or change jobs. In 2003, as electronic records became the norm, HIPAA’s privacy rule was added to make providers accountable for safeguarding patient information against data breaches.
HIPAA enforcement expanded in 2009, when the Office for Civil Rights took over responsibility for enforcement. Adding legal complexities, some states have their own confidentiality statutes or professional ethics standards. The unfortunate outcome is that many providers are vigilantly afraid of violating confidentiality laws and adopt strict and unnecessary nondisclosure policies, even as they negatively impact the care and treatment of some individuals with severe mental illness (SMI).
Those who fare the worst are people who lack self-awareness due to a common SMI symptom called anosognosia. During mental health emergencies, some people are unable to make reality-informed statements about their medical history, care preferences, or whom they rely on for support. They may become so delusional or paranoid that they actively refuse to communicate with their most consistent support people.
All of this means that caregivers are frequently shut out when the person they care for loses touch with reality and enters the system through a crisis. Some caregivers call this “HIPAA handcuffs” or refer to clinicians as “hiding behind HIPAA.” If their loved one is admitted into a psychiatric hospital, for example, the facility might read a HIPAA statement and immediately hang up the phone or refuse to “confirm or deny” that the person has been admitted.
This makes it critical for caregivers to have accurate information about HIPAA.
Here are key points:
- HIPAA has always allowed some information sharing based on a clinician’s professional judgment.
- The law never barred families from sharing information with providers.
- HIPAA includes specific exceptions related to mental health, especially in cases where information sharing can prevent or lessen a serious threat to health or safety.
- Advocacy is needed for improved provider training about how to exchange information to improve patient outcomes.
What information can I share with providers?
HIPAA does not restrict “family” from sharing information with providers. Please note that family might mean anyone actively engaged in caregiving: parents, siblings, spouses, adult children, partners, significant others, close friends…
Maintaining an up-to-date mental health history to share with providers is an excellent way to advocate for better care. If a provider says they cannot speak with you due to HIPAA, calmly explain that you aren’t asking for confidential medical information; you are offering to share information to help them provide good patient care. See below for further guidance and a sample template for faxing information to a facility.
Sometimes family members are reluctant to share medical information with providers because they are afraid their loved one might be angry or feel betrayed. Federal rules have accounted for that concern by giving providers a right to withhold certain information from their clients when sharing might violate trusted relationships. The Code of Federal Regulations (45 CFR 164.524(a)(2)(v)) allows a provider to receive information from someone other than their patient and keep the source of that information private:
“An individual’s access may be denied if the protected health information was obtained from someone other than a health care provider under a promise of confidentiality and the access requested would be reasonably likely to reveal the source of the information.”
If you are sharing information with a provider and don’t want your loved one to know that the information came from you, be sure to explain to the provider that you are sharing this information confidentially.
What can providers share with me?
In general, HIPAA allowances specific to mental health permit health providers and agencies to:
- Communicate with family or friends involved in the patient’s care.
- Consider the patient’s capacity to agree or object to the sharing of their information.
- Involve caregivers in dealing with a patient who fails to adhere to treatment.
- Listen to family members about their loved ones receiving mental health treatment.
- Communicate with family members, law enforcement, or others when the patient presents a serious and imminent threat of harm to self or others.
- Communicate to law enforcement about the release of a patient brought in for an emergency psychiatric hold.
In 2016, Congress passed the 21st Century Cures Act, which acknowledged provider misunderstandings about HIPAA and called for “compassionate communication.” In Title XI, the act states:
“There is confusion in the health care community regarding permissible practices under the regulations promulgated under [HIPAA]. This confusion may hinder appropriate communication of health care information or treatment preferences with appropriate caregivers.”
That same section of the Cures Act holds HHS responsible for creating and sharing resources explaining how and when doctors can include families in medical discussions. In its explanatory document about HIPAA exceptions related to mental health, for example, HHS explains when providers can use professional judgment about communicating with care partners when a patient lacks capacity:
“If the provider believes the patient cannot meaningfully agree or object to the sharing of the patient’s information with family, friends, or other persons involved in their care due to her current mental state, the provider is allowed to discuss the patient’s condition or treatment with a family member, if the provider believes it would be in the patient’s best interests. In making this determination about the patient’s best interests, the provider should take into account the patient’s prior expressed preferences regarding disclosures of their information, if any, as well as the circumstances of the current situation.”
Note that although the privacy rule allows for these communications, it doesn’t require providers to share information. Unfortunately, providers may sometimes decline to communicate with family members because of the time required, especially with widespread provider shortages. Because of these realities, families may need to consider whether nondisclosure is contributing to a situation where patient care is compromised or if a discharge may be inappropriate or unsafe. Attorneys who specialize in medical malpractice may be able to provide further guidance.
There have been a number of advocacy initiatives aimed at clarifying that health care providers can and should share information more broadly under specific circumstances (as detailed above) to promote collaboration with caregivers and loved ones.
What if I’m a legal guardian or have power of attorney?
Providers are responsible for sharing information with any individual who has a specific legal contract making them a “personal representative,” such as someone with guardianship, conservatorship, or power of attorney. According to the U.S. Department of Health and Human Services (hhs.gov), the HIPAA Privacy Rule states that a “personal representative must be treated as the individual.”
To clarify, this federal guidance document explains that a personal representative “stands in the shoes of the individual and has the ability to act for the individual and exercise the individual’s rights.”
Those rights can be for medical decision-making as well as for information sharing. When seeking guardianship, power of attorney, or a psychiatric advance directive, any person signing up to become a personal representative (sometimes called a “designated agent”) for the person with SMI will want to clarify exactly what rights are being granted through the contract. Be prepared to share that paperwork with anyone providing care.
How can I get around HIPAA barriers?
If your loved one’s providers are reluctant to speak with you, a short letter sent by fax can be a place to begin. See the sample below. You may choose to send a concise mental health history with your note. TAC provides more information and a fillable form: mental health history.
You might also research whether the provider agency has a risk management or legal office that you can contact. A conversation or email to someone in that office might go something like this: “I’m calling [or writing] because the staff I’ve spoken with at this agency seem misinformed on the legal requirements outlined by HIPAA. Please understand that I’m not requesting access to protected medical records. I have important information to share with the staff caring for my loved one and want to participate in care planning, in the interests of good patient care. I’m deeply concerned that a lack of coordination with me, as my loved one’s primary caregiver, will have a negative impact on the outcomes of their treatment. I’m wondering if you can support staff to better understand what HIPAA allows.”
If you have power of attorney, guardianship, or conservatorship, be sure to mention it. You can ask how the HIPAA compliance office supports staff in understanding how to apply those conditions when engaging with family caregivers. Be prepared to share paperwork and explain how the contract specifies that you have a right to medical information.
In some states, a psychiatric advance directive (PAD) might give power of attorney to a designated agent. Those documents also should be shared and explained: Do not assume that providers understand what to do with these, as they are newly emerging and not fully integrated into health care systems and training.
Another idea is to ask for general information related to your loved one’s condition. Providers can answer educational questions even if they cannot answer specific questions about your loved one’s medical information. Here are some examples:
- “What would be good for us to know about this diagnosis or condition?”
- “What should we be watching out for if our loved one is on a new psychiatric medication?”
If there isn’t anyone to speak with, you can attempt to open up communication by sending a fax. Faxing is more secure than an email, ensures delivery of the document, and is accepted as evidence of “receipt” in most courts and by most regulatory agencies. Providers are responsible for filing written documents with information about a patient in their care. Once the information is in a file, multiple people will see, read, and potentially use it.
Below is suggested language for a short starter letter, which can be adjusted as needed for your specific circumstances. Attach mental health history, documentation of power of attorney, etc., as appropriate. You can adjust the language to refer to your specific family member: For example, you might prefer to write “son” or “wife” instead of “loved one.” If you aren’t entirely sure that your loved one is in the facility, the first line could be written to say, “My loved one may be in your facility.”
[Date]
To the treatment team of [Name]:
My loved one is in your facility. I understand that your facility is bound by confidentiality laws. As their family member, I have historical information that is pertinent to treatment. I would be happy to speak with you by phone and/or through email to support my loved one’s treatment. I have attached a concise medical history to support a deeper understanding of their illness and what has worked and not worked in the past.
Regards,
[Your Name]
[Your phone, email]
Resources
A website begun by families for families, HIPAA for Caregivers, provides additional information specifically for people caring for someone with a mental illness.
The Caregiver Action Network offers an online course, “Navigating HIPAA as a Family Caregiver: Supporting a Loved One with Schizophrenia.”
HHS.gov provides information and fact sheets about HIPAA, including one quoted in this article: HIPAA Privacy Rule and Sharing Information Related to Mental Health
For those with guardianship, power of attorney, or another formal agreement making them a personal representative: Guidance: Personal Representatives | HHS.gov
From the Office for Civil Rights: A Patient’s Guide to the HIPAA Privacy Rule: When Health Care Providers May Communicate About You with Your Family, Friends, or Others Involved in Your Care
Episode 118 of the podcast “Schizophrenia: Three Moms in the Trenches” addresses topics related to HIPAA.