HIPAA in Mental Health Care

Jennifer Bernstein, JD, MPH
Senior Attorney, The Network for Public Health Law – Mid-States Region
University of Michigan School of Public Health

This is the second of three posts discussing privacy rights for mental health care provided by Attorney Jennifer Bernstein. Read the first installment from earlier this week. Additionally, learn more by reading FAQs from the U.S. Department of Health & Human Services.

When and How Can A Family Member Become Involved in Care?
Now that we have discussed some of the basics of the HIPAA Privacy Rule, let’s consider some specific concerns that family members often have regarding treatment and care of their adult family members with a mental health disorder. Generally, HIPAA gives ultimate deference to a patient’s wishes as to the sharing of their health information. There are some exceptions that are important for the family members of individuals with mental illness.

When does mental illness constitute incapacity under the Privacy Rule?
The HIPAA Privacy Rule does make allowance for when a patient is unable to authorize disclosure due to incapacity. A major determining factor on whether to disclose a patient’s information to their family, friends or other persons involved in their care is whether or not the disclosure is in the best interests of the patient. Incapacity criteria may include when a patient is incoherent or suffering from psychosis.

When a provider determines that such a disclosure is in the patient’s best interests, the provider is permitted to disclose only information that is directly relevant to the person’s involvement in the patient’s care or payment for care.

What if the patient is not incapacitated and objects to disclosure of information, but sharing information may still be in the best interest of the patient?
In instances when the patient has capacity and objects to the sharing of information, the provider may share the information only when the following guidelines are met:

  • doing so is consistent with applicable law and standards of ethical conduct
  • the provider has a good faith belief that the patient poses a threat to the health or safety of themselves or others, and
  • the person to whom the information is disclosed is reasonably able to prevent or lessen the threat

Note, though, that the Privacy Rule does not prevent providers from listening to concerns raised by family or friends about the health of the patient. These concerns may provide the health care provider with additional information that better informs their evaluation of the patient and any potential threat the patient may pose to the health and safety of themselves or others. These concerns can be withheld from the patient if the disclosure of such information would be reasonably likely to reveal the identity of the concerned individual.

What is a personal representative under HIPAA?
A personal representative is a person legally authorized to make health care decisions on an individual’s behalf. The Privacy Rule allows a covered entity (e.g., health care provider) to treat a “personal representative” of a patient in the same manner as the patient. This includes providing the personal representative with the same rights of disclosure and review as the patient. Personal representatives can include:

  • health care power of attorney
  • court appointed legal guardian
  • general power of attorney, or
  • durable power of attorney that includes the power to make health care decisions

The “personal representative” exception reminds us that advance planning is essential. Laws for appointing or designating a personal representative vary by state, so consult with an attorney regarding the requirements for designating a personal representative.

The final post in this series will discuss some innovative state laws that seek to assist the family members of patients with mental illness in taking an active part in the treatment and care of their loved ones.

Your Turn

  • What experience, negative or positive, have you had in dealing with HIPAA while obtaining mental health care?
  • What do you think needs to change about the HIPAA law?
  • How do you think the balance should be struck between patient rights and families seeking to ensure prompt and appropriate treatment?

Facebook Comments


Doctors determine capacity.  Just because a patient has psychosis does not mean they lack capacity.  For example, a patient's baseline while not psychotic may be to oppose the use of zyprexa due to risk of diabetes.  Would you say that just because that person became psychotic they should no longer be taken seriously when they say they don't want zyprexa due to risk of diabetes?  Psychosis does not affect every decision a person makes, and the patient even while psychotic may have a very valid reason why they do not want their family involved.  If they have capacity, they have the right to say I don't want family involved.

It's really scary how there is a push to take even more rights away from people with a diagnosis of mental illness.  If they keep it up, no one will voluntarily see a mental health professional.


As a health care provider and past administrator, I have found it tough to find the balance to be struck between patient rights and families seeking to ensure prompt and appropriate treatment. As a health care provider with direct treatment responsibilities, I feel it is imperative to draft policies and procedures that explain at what point privacy practices must be given, and at what point what should be done if a patient refuses to acknowledge the notice of privacy policies, or, under what circumstances protected health information may be needed. This would include how entities will use, maintain and share information and what the patient's rights are to limit uses and disclosures. Any other decisions should be made thoughtfully, and not on an ad hoc basis. Binding documents, policies and procedures and the person acting as a central point of accountability is vital to protect a person's privacy. I think that sanctions should occur when there are violations concerning the uses and disclosures of protected health information. If a patient's family acts intentionally in a reckless fashion, or acts in reckless disregard of the patient, or uses the individual's identifiable information to act toward malicious harm or personal gain, they need to face fines, or whatever penalties the federal and state law states.


1. The only negative experience I can think of--and this example may include a general medical issue as well--is being asked the same questions repeatedly. I was in outpatient surgery. My anxiety ascended as I experienced the questioning by a nurse with a rapid, robotic voice. It was early morning. I challenged them. The nurse said, "It's because of HIPSS." However, she did then go look in my records, and a compassionate nurse took over.

2. Having traveled around the HIPAA site, barely touching the surface, planning to return to spend more than 14 minutes, I must say that the structure strikes me as intricate. I am interested in knowing the process of putting it together, including information about the amount of time and of people it took. Whereas when our civilization began we were hunters/gatherers, we are now digital processors. Security and safety are top priorities. Yet, sadly, we will never erase the presence of evil overall. Now, segue to #3.

3. Thanks to DBSA's commitment to training us as advocates, and our commitment to focus on the training, we increase the chances of more success stories. We will help make more success stories known; we will educate and urge citizens in our states to be reasonable--to erase fallacies inculcated a long time ago, and reinforced in the current day as people communicate minus the truth. Per the question specifically, I read in the HIPAA site that family DO have rights--and please correct me if I'm wrong--when it comes to the dangerous situation of a person being psychotic. Psychosis occurs because mental illness has gone on too long untreated. Sad results do occur. I feel sad about the recent mass shooting in California, the perspective taken on a Friday night radio round table that--again--our culture has allowed this fallacy of entitlement to permeate. The participants included the fact that most movie directors are men in their 20s, pushing the lie of a male fantasy that the hunks get the girls. Aspects of philosophy and religion, on the other hand, posit that an individual is charged with finding serenity foremost as an individual. Life's joys and struggles must first learned to be handled by the individual. And there is no time frame on marriage/ partnership--IF that is in the individual's path. Ultimately the balance should be struck between parents who first take care of their health, and secondly love each child unconditionally. Then we move into the next layer of community--church or neighborhood, for example. We are called to look out for and to be engaged with each other, especially if that means cutting down time spent with video games, t.v., movies, and computer.

