FAQs about Privacy and Communication 

People experiencing mental health crises are often comforted by the presence of family members in emergency rooms.  Unless the person objects, HIPAA does not require a hospital to have a policy preventing family members from being present when a person is being evaluated in an emergency room. Therefore, this would be a hospital policy.

However, the policy could be driven by a HIPAA requirement to safeguard patient privacy. [1]  Specifically, HIPAA requires health care providers to safeguard against disclosures of protected health information.  But, it does not say that every single possible accidental disclosure must be prevented at all costs.  That is because the Department of Health and Human Services recognizes that patients are often near each other.  And, they know that could result in some information being viewed or overheard.  [1]  

Therefore, one might question whether a hospital’s policy exceeds the standard required by HIPAA.  But, that said, there might be other practical reasons for a hospital to implement such a policy.  

Further details, including quotes from HHS

HIPAA requires health care providers to have in place the following.  “… appropriate administrative, technical, and physical safeguards that protect against uses and disclosures not permitted by the (HIPAA) Privacy Rule, as well as that limit incidental uses or disclosures.” [1]  

However, these safeguards are meant to be reasonable…

“It is not expected that a covered entity’s (health care provider’s) safeguards guarantee the privacy of protected health information from any and all potential risks.  …   Many health care providers and professionals have long made it a practice to ensure reasonable safeguards for individuals’ health information – for instance:

• By speaking quietly when discussing a patient’s condition with family members in a waiting room or other public area;

• By avoiding using patients’ names in public hallways and elevators, and posting signs to remind employees to protect patient confidentiality; …” [1]

So, you can see why a hospital might forbid access to your loved one who is in an examination room.  However, that is not necessarily something that they must do, under HIPAA.  

[1]  “Incidental Uses and Disclosures,” United States Department of Health and Human Services Office of Civil Rights, https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/coveredentities/incidentalu%26d.pdf.

Yes.  If a state rule is more strict than the Federal HIPAA Privacy Rule, the state rules must be followed.

Finding state health laws related to privacy

George Washington University maintains a clearinghouse of state health laws here:  http://www.healthinfolaw.org/state.  We think it might be a handy resource for you.  When you link to that site, you will see a United States map of the states.  Next, click on the state you are interested in.  After that, you will see a menu of options including “privacy and confidentiality.”  We can’t say for sure that the information is completely up to date.  However, there’s a good chance you can find the section of your state law that addresses privacy and confidentiality.  Unfortunately, it is not the easiest site in the world to navigate.  But, it is still a good place for those who want to look into their state’s laws in greater detail.  

Further details – Quote from HHS

“The HIPAA Privacy Rule provides a Federal floor of privacy protections for individuals’ individually identifiable health information where that information is held by a covered entity or by a business associate of the covered entity. State laws that are contrary to the Privacy Rule are preempted by the Federal requirements, unless a specific exception applies. These exceptions include if the State law:

1.  relates to the privacy of individually identifiable health information and provides greater privacy protections or privacy rights with respect to such information,

2.  provides for the reporting of disease or injury, child abuse, birth, or death, or for public health surveillance, investigation, or intervention, or

3.  requires certain health plan reporting, such as for management or financial audits. In these circumstances, a covered entity is not required to comply with a contrary provision of the Privacy Rule.” [1]

[1]  “Does the HIPAA Privacy Rule Preempt State Laws?” US Department of Health and Human Services Office of Civil Rights, https://www.hhs.gov/hipaa/for-professionals/faq/399/does-hipaa-preempt-state-laws/index.html.

1.  What can I do if the doctor does not want to listen to me? 

It is important to know that HIPAA in no way prevents health care providers from listening to you.  They can consider your concerns about the health and well-being of your loved one.  And, they can factor that information into your child’s care. [1]  However, HIPAA does not require doctors to listen to you.

It is our opinion that caring doctors will want information from you.  This is based both on common sense and from speaking with doctors about this subject.  If a doctor does not appear to want the family’s insight, you may want to look for another doctor.  That is, if that is an option.

2.  Will information I provide to the doctor be kept confidential?  

If you want information to be confidential, let the doctor know.   Ask the doctor to promise that they will not tell your loved one about the conversation.  If the doctor agrees not to tell the loved one that they received information from you, they do not have to inform the patient about the conversation.

Further details – Quote from HHS

“In the event that the patient later requests access to the health record, any information disclosed to the provider by another person who is not a health care provider that was given under a promise of confidentiality (such as that shared by a concerned family member), may be withheld from the patient if the disclosure would be reasonably likely to reveal the source of the information.  …  This exception to the patient’s right of access to protected health information gives family members the ability to disclose relevant safety information with health care providers without fear of disrupting the family’s relationship with the patient.” [1]

[1]  “HIPAA Privacy Rule and Sharing Information Related to Mental Health.” US Department of Health and Human Services Office of Civil Rights,  https://www.hhs.gov/sites/default/files/hipaa-privacy-rule-and-sharing-info-related-to-mental-health.pdf.

It depends.

a.  If your loved one is present and has the capacity to make health care decisions:

HIPAA says that capable patients need to agree before their health information is shared.  However, HIPAA does not specifically require signed consent.  Rather, consent can be obtained three different ways. [1]

Signed consent

Patients often give consent by signing a release-of-information form.  Health care providers often have a policy of requiring signed consent before they will talk with family or caregivers.

Verbal consent

Alternately, a provider may ask for a patient’s permission to discuss their health information with caregivers.  For support, see the answer to this question in Reference [2].

Implied consent

A health care provider is allowed to use their professional judgment to decide whether a patient has given implied consent. For instance, a doctor may assume they can share health information with a caregiver if that person is in the room while the doctor is talking with the patient.  Or, a provider might mention that they would like to share information with you.  As long as the patient does not object, the provider can talk with you. Read Question and Answer #1 in [1].  

Interestingly …

HIPAA does not even require that a health care provider document the patient’s agreement or lack of objection. See Question and Answer #3 in [1].

b.  If your loved one is not present, is incapacitated, is unavailable to give consent because of some emergency situation, or presents a threat of harm to themself or others:

The health care provider may tell you relevant information if, based on professional judgment, the disclosure is in the patient’s best interest. [1, 3, 4]

Further Thoughts from HIPAA for Caregivers (based on discussions with health care providers, with community mental health, with those living with mental illness, and in NAMI Family-to-Family class)

It is very helpful if you can establish yourself as part of your child’s care team even before an emergency occurs. For instance, if you believe that your child is experiencing mental illness, it could be a good idea to talk with your local mental health agency.   You could explain the situation, giving them your child’s name and your contact information, and ask for advice.  By doing this, you can potentially obtain valuable information  about how to address your family’s situation.  Simultaneously, you position yourself as part of the care team.

If you believe your loved one would be willing to sign a release-of-information (ROI) form, ask them to do that.   Doctors working in inpatient or outpatient situations will usually require a signed form before they will talk with caregivers.  Unfortunately, that is true even though, as shown above, HIPAA allows verbal and implied consent.  Most health care providers in inpatient or outpatient settings will only feel comfortable talking with you once they have a signed ROI.

Or, look into psychiatric advance directives.  People with mental health challenges can create these while they are well.  The directives specify many aspects of treatment, should an individual become incapacitated.  It’s important to know that each state within the United States will have its own requirements.  

Doctors in an emergency room (ER) are the most likely to feel comfortable talking with you without a signed ROI.  That is because “emergencies” are listed as exceptions to HIPAA’s Privacy Rule.   And, it is quite clear-cut that patients in the ER would fall into the “emergency” category.  

[1]  “Communicating with a Patient’s Family, Friends, or Others Involved in the Patient’s Care.” US Department of Health and Human Services Office of Civil Rights, https://www.hhs.gov/sites/default/files/provider_ffg.pdf.

[2]  “Disclosures to Family and Friends.” US Department of Health and Human Services Office of Civil Rights, https://www.hhs.gov/hipaa/for-professionals/faq/disclosures-to-family-and-friends/index.html.

[3]  “When Your Child, Teenager, or Adult Son or Daughter has a Mental Illness or Substance Use Disorder, Including Opioid Addiction:  What Parents Need to Know about HIPAA.” US Department of Health and Human Services Office of Civil Rights, https://www.hhs.gov/sites/default/files/when-your-child.pdf.

[4]  “HIPAA Privacy Rule and Sharing Information Related to Mental Health.” US Department of Health and Human Services Office of Civil Rights,  https://www.hhs.gov/sites/default/files/hipaa-privacy-rule-and-sharing-info-related-to-mental-health.pdf.

As a first case, unconsciousness would definitely constitute incapacity.  But, psychosis and being under the influence of drugs or alcohol also qualify.  Additionally, hospitals may consider patients in the psychiatric emergency room as automatically falling under the emergency exception to the HIPAA Privacy Rule. [1].  A decision that a person is incapacitated can be made by a doctor and does not require a court order.

Further details – Quote from HHS

“The HIPAA Privacy Rule permits a health care provider, when a patient is not present or is unable to agree or object to a disclosure due to incapacity or emergency circumstances, to determine whether disclosing a patient’s information to the patient’s family, friends, or other persons involved in the patient’s care or payment for care, is in the best interests of the patient.  Where a provider determines that such a disclosure is in the patient’s best interests, the provider would be permitted to disclose only the PHI that is directly relevant to the person’s involvement in the patient’s care or payment for care.

This permission clearly applies where a patient is unconscious. However, there may be additional situations in which a health care provider believes, based on professional judgment, that the patient does not have the capacity to agree or object to the sharing of personal health information at a particular time and that sharing the information is in the best interests of the patient at that time. These may include circumstances in which a patient is suffering from temporary psychosis or is under the influence of drugs or alcohol. … In making this determination about the patient’s best interests, the provider should take into account the patient’s prior expressed preferences regarding disclosures of their information, if any, as well as the circumstances of the current situation. Once the patient regains the capacity to make these choices for herself, the provider should offer the patient the opportunity to agree or object to any future sharing of her information.” [1]

[1]  “HIPAA Privacy Rule and Sharing Information Related to Mental Health.” US Department of Health and Human Services Office of Civil Rights,  https://www.hhs.gov/sites/default/files/hipaa-privacy-rule-and-sharing-info-related-to-mental-health.pdf.

Health care providers are allowed to share information with you if your adult child (usually the case, in threats of harm) presents a serious and imminent threat of harm to themselves or others.  This is true as long as you are in a position to lessen the threat.  

Doctors are also allowed to take the initiative to notify you if your loved one has been taken to the hospital due to a threat of harm.

Further Details – Quotes from HHS

“Anytime there is a threat of serious and imminent harm to a son or daughter’s health or safety (or to others, including a parent), HIPAA allows their health and mental health providers to share information with parents, if the parents are in a position to prevent or lessen the threat. … For example, if an adult son or daughter threatens to commit suicide by cutting, and the parent is in a position to remove knives and sharp objects from the home, the provider may notify the parent to enlist their assistance with removing dangerous objects and to discuss a plan for obtaining a higher level of care for the patient.” [1]

“HIPAA expressly defers to the professional judgment of health professionals in making determinations about the nature and severity of the threat to health or safety posed by a patient. OCR would not second guess a health professional’s good faith belief that a patient poses a serious and imminent threat to the health or safety of the patient or others and that the situation requires the disclosure of patient information to prevent or lessen the threat. Health care providers may disclose the necessary protected health information to anyone who is in a position to prevent or lessen the threatened harm, including family, friends, caregivers, and law enforcement, without a patient’s permission.” [2]

[1]  “When Your Child, Teenager, or Adult Son or Daughter has a Mental Illness or Substance Use Disorder, Including Opioid Addiction:  What Parents Need to Know about HIPAA.” US Department of Health and Human Services Office of Civil Rights, https://www.hhs.gov/sites/default/files/when-your-child.pdf.

[2] “HIPAA Privacy Rule and Sharing Information Related to Mental Health.” US Department of Health and Human Services Office of Civil Rights,  https://www.hhs.gov/sites/default/files/hipaa-privacy-rule-and-sharing-info-related-to-mental-health.pdf.

It depends.  HIPAA’s Privacy Rule treats different circumstances differently: 

a.  People calling to inquire about patients who are already admitted to the hospital 

HHS says, “The Privacy Rule does not stop calls or visits to hospitals by family, friends, clergy or anyone else.  Unless the patient objects, basic information such as phone number, room number and general condition can be listed in the hospital directory and be given to people who call or visit and ask for the patient.” [1]

b.  Notifying family, friends, or caregivers that a patient was admitted or discharged

Notification of caregivers is a little different than inquiries by caregivers.

One HHS document addresses the case of adult children who have become ‘disoriented, delirious, or unaware of their surroundings.”  It notes that, if they arrive in an emergency room for treatment, “doctors, nurses, and social workers may notify you of their location and general condition.”  [2]. A longer quotation is below.

A second HHS document discusses notification of caregivers about a patient who has been hospitalized for a psychiatric hold.  Four circumstances for notifying caregivers of admittance or discharge are listed – (1) when the patient has a personal representative, (2) when the patient agrees or does not object to family involvement, (3) when the patient becomes unable to agree or object and there has already been family involvement, and (4) when notification is needed to lessen a serious and imminent threat of harm to the health or safety of the patient or others. [3]

c.  When substance use is involved

Doctors will not talk with you without permission if your loved one is at a federally-assisted program that provides diagnosis and treatment for substance use.  For more information about privacy policies related to substance use, see the next FAQ – #8.

Further details – Quote from HHS

[1]  “Fast Facts for Covered Entities,” US Department of Health and Human Services Office of Civil Rights, https://www.hhs.gov/hipaa/for-professionals/covered-entities/fast-facts/index.html.

[2]  “When Your Child, Teenager, or Adult Son or Daughter has a Mental Illness or Substance Use Disorder, Including Opioid Addiction:  What Parents Need to Know about HIPAA.” US Department of Health and Human Services Office of Civil Rights, https://www.hhs.gov/sites/default/files/when-your-child.pdf.

[3]  “HIPAA Privacy Rule and Sharing Information Related to Mental Health.” US Department of Health and Human Services Office of Civil Rights,  https://www.hhs.gov/sites/default/files/hipaa-privacy-rule-and-sharing-info-related-to-mental-health.pdf.

The short answer is, “It depends.”

Before we get into the nitty-gritty, it’s important to talk about consent.  As always, if your loved one says doctors can talk with you, doctors can involve you in treatment.  It doesn’t matter if substance use is involved.  But, let’s assume that your loved one has not given consent to share information.

In most situations, especially emergencies, HIPAA will be the applicable law.  

However, there are times when a regulation called 42 CFR Part 2 takes precedence.  That happens when a patient is at an alcohol or drug treatment program or unit. And, 42 CFR Part 2 has a very strict privacy rule – far stricter than HIPAA.  

A couple examples …

For these examples, we assume your loved one has not said that doctors can share information with you.  However, your loved one falls under a HIPAA exception. So, doctors are allowed to talk with you if they choose to.

In example one, your loved one is at local hospital – a general medical care facility.  Even if drugs are involved or rehab is in your loved one’s past, doctors can talk with you.  There is one case when that is not true.  That is if your loved one is in a unit in the hospital that is a federally-assisted program that diagnoses or treats substance use.  That unit would be governed by 42 CFR Part 2.

In example two, your loved one was brought to a federally-assisted program that diagnoses or treats substance use.  In this case, you will not get any information.  Providers aren’t even allowed to say whether or not your loved one is at that center.  That is because these locations are subject to the strict privacy rules of 42 CFR Part 2.

Further details about 42 CFR Part 2 and its relationship with HIPAA

42 CFR Part 2 (where CFR stands for the Code of Federal Regulations) sets different privacy standards than HIPAA.  Specifically, it does this for programs that are federally assisted and provide alcohol or drug abuse diagnosis, treatment or referral for treatment.  Part 2 protects all information about any person who has applied for, or been given diagnosis or treatment for, alcohol or drug abuse at such a program.  Unlike HIPAA, the only allowance for disclosure of health information under 42 CFR Part 2 in the case of medical emergencies is “to medical personnel who have a need for the information about a patient for the purpose of treating a condition which poses an immediate threat to the health of any individual and which requires immediate medical intervention.” [1]   Therefore, if your child arrives at a place subject to Part 2 regulations, people there are not allowed to talk with you at all without your child’s permission.  

When a substance use crisis occurs, the patient is usually initially brought to an emergency room.  HIPAA rules almost always apply there, as opposed to 42 CFR Part 2.  

“… hospitals, trauma centers, or federally qualified health centers would generally be considered ‘general medical care’ facilities. Therefore, primary care providers who work in such facilities would only meet Part 2’s definition of a program if 1) they work in an identified unit within such general medical care facility that holds itself out as providing, and provides, alcohol or drug abuse diagnosis, treatment or referral for treatment, or 2) the primary function of the provider is alcohol or drug abuse diagnosis, treatment or referral for treatment and they are identified as providers of such services.” [2]

Further Details about communicating with doctors in the case of substance use

The US Health and Human Services (HHS) publication “How HIPAA Allows Doctors to Respond to the Opioid Crisis” [3] discusses doctors’ ability to talk with caregivers.  It says, “HIPAA allows health care professionals to disclose some health information without a patient’s permission under certain circumstances, including:

[1]  “The Confidentiality of Alcohol and Drug Abuse Patient Records Regulation and the HIPAA Privacy Rule:  Implications for Alcohol and Substance Abuse Programs.” US Department of Health and Human Services Substance Abuse and Mental Health Services Administration Center for Substance Abuse Treatment, June 2004, https://www.samhsa.gov/sites/default/files/samhsapart2-hipaacomparison2004.pdf.

[2]  “Substance Use Confidentiality Regulations.”  US Department of Health and Human Services Office of Civil Rights, https://www.samhsa.gov/about-us/who-we-are/laws-regulations/confidentiality-regulations-faqs.

[3]  “How HIPAA Allows Doctors to Respond to the Opioid Crisis.”  US Department of Health and Human Services Office of Civil Rights, https://www.hhs.gov/sites/default/files/hipaa-opioid-crisis.pdf.

The federal regulation governing student records is the Family Educational Rights and Privacy Act, or FERPA.

Until your child is 18 years old, parents are entitled to their child’s school records.  After the student turns 18, parents no longer have that right.

Every record that a college maintains on a student is governed by FERPA.  For example, consider a student visit to a doctor in a university’s health clinic.  One might think that HIPAA rules would apply.  But they don’t.  Those visits are considered “treatment records” under FERPA. 

There are only a few examples where HIPAA and FERPA intersect.  The most common example is when a treatment record under FERPA is transferred to a medical facility outside the school.  At that point, the record becomes subject to HIPAA.  [1]

Further Details – FERPA privacy rules for students over 18 years old

In general, student records are private once the student is 18 years old.  A college student may grant permission for sharing their educational or treatment records with their parents.  However, they may also decline to give permission.

Much like HIPAA, there are some exceptions to FERPA privacy rules. In these instances, the school is allowed to talk with parents about their children’s records without the student’s permission.  Some of the most relevant exceptions to FERPA privacy rules are:

• Schools are allowed to share your child’s education records with you, without their consent, if your child is claimed as a federal dependent. [1]. A HIPAA for Caregivers hint:  You may want to document this in writing to the educational institution your child is attending.  Something like “I am writing to notify you that I/we claim our child as a dependent on our federal taxes and therefore request to be provided with information about educational progress and any health or mental health issues that arise during her/his time as a student.”  

• FERPA permits schools to disclose information from education records to you, without the consent of your child, in connection with a health or safety emergency.  However, this is only the case if your knowledge of the records is necessary to protect the health or safety of your child or other persons. [1]

• If your child is under the age of 21, FERPA permits a college or university to inform you that your child has violated any law or policy concerning the use or possession of alcohol or a controlled substance if the institution determines that your child committed a disciplinary violation with respect to that use or possession. [1]

• Nothing in FERPA prohibits a teacher or school official from sharing information with you that is based on that official’s personal knowledge or observation.  The knowledge must not be based on information contained in an education record.  [1]

Additional helpful information

A great resource is NAMI’s Guide, “Starting the Conversation: College and Your Mental Health.”  While the Guide more broadly addresses mental health issues that may arise during college years, there is an excellent section on FERPA and HIPAA, pp. 15-21, that explains the applicability of these laws to college students in a clear and informative way.  Here is the link, https://www.nami.org/Support-Education/Publications-Reports/Guides/Starting-the-Conversation/CollegeGuide.

[1]  “Joint Guidance on the Application of the Family Educational Rights and Privacy Act (FERPA) And the Health Insurance Portability and Accountability Act of 1996 (HIPAA).” US Department of Health and Human Services Office of Civil Rights, December 2019, https://www.hhs.gov/sites/default/files/2019-hipaa-ferpa-joint-guidance.pdf.

Generally, you are your minor child’s personal representative.  And, that fact gives their health care provider permission to talk with you.  [1]

However, there are some exceptions.

• • If you are not your child’s legal guardian, then the doctor is not permitted to talk with you.

  • In rare circumstances, a provider might decide not to treat you as a personal representative.   For example, this could happen if they have concerns that doing so might endanger the child. 

  • HIPAA generally follows state law about parents’ authority over their minor children’s treatment. Sometimes, state law gives a minor child the ability to consent to their own treatment and that child consents.  In that situation, HIPAA does not give you the right to access information about your child’s treatment. [1]

Finally …  HIPAA defers to state law with regard to when a child is considered an adult. In most states, that age is 18 years old. [2]

[1]  “HIPAA Privacy Rule and Sharing Information Related to Mental Health.” US Department of Health and Human Services Office of Civil Rights,  https://www.hhs.gov/sites/default/files/hipaa-privacy-rule-and-sharing-info-related-to-mental-health.pdf.

[2]  “Am I my child’s ‘personal representative’ under HIPAA?”  US Department of Health and Human Services Office of Civil Rights, https://www.hhs.gov/sites/default/files/am-i-my-childs.pdf.