Introduction to HIPAA Handcuffs


(PDF Version)


  • When a mentally ill child (over 18) goes missing families can’t find him because hospitals and shelters can’t disclose
  • When institutions release mentally ill to a families care, they can’t inform parents first
  • When the child is given meds or a follow up appointment the parents can’t be told and therefore can’t ensure they get the meds or get to the next appointment.

Additional frustration about privacy laws stems from lack of understanding.

Privacy laws do block some attempts to share information but contain some provisions that allow for sharing. But covered entities default to nondisclosure —even when laws permit disclosure. Sometimes this is done out of ignorance of the law, and sometimes intentionally because it serves the purposes of the individual or organization. Further, there is nothing in HIPAA that prevents providers from receiving info from family members, but again, many claim HIPAA does. This misunderstanding should be clarified.

As a result of real and perceived HIPAA handcuffs, families of the mentally ill are given the responsibility to provide care for their loved ones are not given the information or authority to do it.


Treatment providers should have complete discretion to reveal to family members, caregivers, law enforcement or potential victims any clinical information that is necessary or helpful in managing that patient’s care in a community to which the patient belongs.

  • This should be true regardless of whether the patient knows about the disclosure or objects to it.
  • If disclosure of information is in the best interests of the patient, then the provider should be able to disclose.
  • Some sacrifice in privacy is the price that a patient must reasonably pay to receive effective care outside of an institution.
  • Many treatment providers do not want this discretion because they feel it is a breach of trust with the patient or will impose liability on the provider for having failed to communicate a threat to someone who later becomes a victim.

The latter concern can be addressed by making it clear that the provider is not liable for failing to make the disclosure in those instances where the threat is not serious or imminent and the disclosure would, in the provider’s good faith judgment, interfere with the ability to render effective care.

HIPAA should include “safe harbor” provisions.

The provisions should insulate a person or organization from liability (or loss of funding) for making a disclosure with a good faith belief that the disclosure was necessary to protect the health, safety, or welfare of the person involved or members of the general public.

Laws protecting good-faith disclosure for health, safety, and welfare can help combat any bias toward nondisclosure.

Remove the HIPAA rule that prohibits treatment providers from releasing threatening information to potential victims or to law enforcement unless the threat is both “serious and imminent.”

  • Treatment providers should have discretion to communicate freely with family members and care givers about how to manage their relationships to a seriously ill friend or family member — regardless of whether threatening behavior is in the picture.
    • The lack of this rule impeded those who treated Seung Hui Cho before Virginia Tech.  Because Cho was an adult, HIPAA prevented providers from communicating to his parents without a release from Cho.  Had they called the parents, they would have learned of his extensive history of mental illness.  Without that, they assumed wrongly that this was a recent, temporary and perhaps non-serious psychotic break. They parents said that if they had known what was going on at college, they would have brought him to treatment by those who knew his history.  No one, including their son, was reporting any difficulties to them, they assumed Cho had recovered and was doing fine.

HIPAA rules for front line providers should be short, simple and memorable.  
They should not require three pages of size 10 font just to print turgid extracts containing dozens of impenetrable cross references.

While the right to privacy is important, it must be balanced with society’s obligation to provide effective care to the mentally ill in the least restrictive setting.  Current HIPAA rules — written by obsessive civil libertarians — prevent well meaning providers from rendering effective care and, worse still, create constant, real and present dangers to our society.

Prepared by Mental Illness Policy Org., with appreciation to Peter Mills, Former State Legislator, Maine