Message to Our Nation’s Health Care Providers:
In light of recent tragic and horrific events in our nation, including the mass shootings in
Newtown, CT, and Aurora, CO, I wanted to take this opportunity to ensure that you are aware
that the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule does not
prevent your ability to disclose necessary information about a patient to law enforcement, family
members of the patient, or other persons, when you believe the patient presents a serious danger
to himself or other people.
The HIPAA Privacy Rule protects the privacy of patients’ health information but is balanced to
ensure that appropriate uses and disclosures of the information still may be made when necessary
to treat a patient, to protect the nation’s public health, and for other critical purposes, such as
when a provider seeks to warn or report that persons may be at risk of harm because of a patient.
When a health care provider believes in good faith that such a warning is necessary to prevent or
lessen a serious and imminent threat to the health or safety of the patient or others, the Privacy
Rule allows the provider, consistent with applicable law and standards of ethical conduct, to alert
those persons whom the provider believes are reasonably able to prevent or lessen the threat.
Further, the provider is presumed to have had a good faith belief when his or her belief is based
upon the provider’s actual knowledge (i.e., based on the provider’s own interaction with the
patient) or in reliance on a credible representation by a person with apparent knowledge or
authority (i.e., based on a credible report from a family member of the patient or other person).
These provisions may be found in the Privacy Rule at 45 CFR § 164.512(j).
Under these provisions, a health care provider may disclose patient information, including
information from mental health records, if necessary, to law enforcement, family members of the
patient, or any other persons who may reasonably be able to prevent or lessen the risk of harm.
For example, if a mental health professional has a patient who has made a credible threat to
inflict serious and imminent bodily harm on one or more persons, HIPAA permits the mental
health professional to alert the police, a parent or other family member, school administrators or
campus police, and others who may be able to intervene to avert harm from the threat.
In addition to professional ethical standards, most states have laws and/or court decisions which
address, and in many instances require, disclosure of patient information to prevent or lessen the
risk of harm. Providers should consult the laws applicable to their profession in the states where
they practice, as well as 42 CFR Part 2 under federal law (governing the disclosure of substance
abuse treatment records) to understand their duties and authority in situations where they have
information indicating a threat to public safety. Page 2 – Nation’s Health Care Providers
We at the Office for Civil Rights understand that health care providers may at times have
information about a patient that indicates a serious and imminent threat to health or safety. At
those times, providers play an important role in protecting the safety of their patients and the
I hope this letter is helpful in making clear that the HIPAA Privacy Rule
does not prevent providers from sharing this information to fulfill their legal and ethical duties to
warn or as otherwise necessary to prevent or lessen the risk of harm, consistent with applicable
law and ethical standards.
THE LETTER WAS SIGNED BY: Leon Rodriguez