Patient confidentiality is a bedrock of care. People tell the truth when they trust their clinician. But privacy is not absolute. When someone is in danger, safety can—and sometimes must—come first. In the United States, HIPAA sets the federal privacy baseline, and state law can add a separate “duty to warn” or “duty to protect.” This article explains when you may legally break HIPAA, when you must, and how to do it correctly without disclosing more than necessary.
The core rule: HIPAA protects privacy—until safety is at stake
HIPAA generally prohibits sharing a patient’s protected health information (PHI) without authorization. That protects dignity and encourages honest disclosure. But HIPAA also recognizes emergencies. It allows certain disclosures without consent when they help prevent serious harm or when law requires reporting.
Think of HIPAA as a “permit, don’t require” framework for emergencies. It gives you permission to disclose in specific situations. Whether you must disclose usually comes from state law or professional duty, not HIPAA itself.
The “duty to warn” and “duty to protect”: what they are
In many states, mental health professionals have a legal duty to warn a potential victim or protect the public when a patient makes a credible threat of violence. This idea comes from the Tarasoff case, which held that protecting an identifiable victim can outweigh confidentiality.
States differ. Some make warning or protective action mandatory, some make it permissive, and some specify who must be warned (the target, law enforcement, or both). The common thread is the same: when a patient poses a serious, foreseeable risk, you may need to act. HIPAA does not block you from doing so; it permits disclosures that help prevent harm.
When HIPAA allows disclosure to prevent harm
HIPAA lets you disclose PHI without authorization to prevent or lessen a serious and imminent threat to the health or safety of the patient or others, provided you believe in good faith that disclosure is needed and you share it with someone who can act on it.
- Serious and imminent: The danger is substantial and near-term, not a vague future risk. Look for a plan, means, and intent.
- Good faith belief: You do not have to be right. You must have a reasonable clinical basis at the time.
- Right recipient: Share with someone who can reduce the risk—often the target, law enforcement, a hospital, or a caregiver.
Examples:
- A patient says, “I’m going to shoot my supervisor, Chris, tomorrow. The gun is in my trunk.” You may contact law enforcement and the identified supervisor to avert the threat. You may also take clinical action (e.g., emergency evaluation).
- A patient with severe depression says, “I swallowed a bottle of pills,” or “I will kill myself tonight.” You may call 911, mobile crisis, or alert a family member who can intervene, and arrange emergency care.
- A patient intoxicated in your clinic insists on driving. You may notify law enforcement to prevent imminent harm and arrange safe transport.
Why the rule exists: timely, targeted disclosure can save lives. The law balances privacy with the duty to prevent predictable harm.
Who you can tell—and how much to share
Share information only with those who can reduce the danger, and only what they need to know to act.
- Law enforcement: Notify them when there is a serious, imminent threat or when the law requires it. Provide the minimum details needed to allow intervention (identity, nature of threat, location, means).
- Potential victim(s): If state law imposes a duty to warn or protect, you may alert the identifiable target and provide practical safety information.
- Other clinicians or hospitals: For coordination of emergency care, you can share relevant clinical details.
- Family or caregivers: If they are involved in the patient’s care and disclosure is needed to prevent harm. Use judgment—do not create new risks (for example, in domestic violence situations).
Do not disclose a full record when a concise warning will do. The standard is practical: share what is reasonably necessary to prevent or lessen the danger.
When disclosure is required by law
Sometimes you do not have a choice: state or federal laws require reporting. In those cases, HIPAA allows the disclosure because it is “required by law.” Common mandates include:
- Child abuse or neglect: Mandatory reporting to child protective services or law enforcement.
- Elder or dependent adult abuse: Mandatory reporting to adult protective services or law enforcement.
- Domestic violence: Some states require reporting certain injuries or situations; others restrict reporting without the victim’s consent. Know your state’s rules.
- Certain injuries or crimes: Gunshot wounds, stab wounds, or injuries from a crime may require reporting.
- Public health: Reporting of specified infectious diseases to health departments.
- Court orders: A judge can compel disclosure through a valid order.
- Firearm risk (“red flag”) processes: In some states, clinicians can initiate or must cooperate with extreme risk protection orders; disclosures tied to those processes are permitted or required by law.
When a disclosure is required by law, follow the statute or order exactly and share only what it specifies.
Law enforcement requests that do not involve an imminent threat
Police often ask for records. HIPAA permits disclosures in certain, limited situations, even without patient authorization:
- Court order or warrant: You must comply within the scope of the order.
- Subpoena or administrative request: Additional safeguards apply (such as patient notice or protective order). Verify these before disclosing.
- To locate a suspect, fugitive, witness, or missing person: You can provide basic identifying information, not full records.
- Crime on premises or against staff: You may report details of the incident and limited identifying information.
When in doubt, ask for the legal authority in writing, verify identities, and limit the disclosure to what the law allows.
Special records with extra protections
- Substance use disorder (SUD) records (42 CFR Part 2): These programs have stricter rules than HIPAA. Disclosures often require patient consent or a specific court order. There are narrow exceptions (for example, medical emergencies and crimes on program premises). If you work in or with a Part 2 program, you may not be able to warn third parties without the patient’s consent or a court order unless an applicable exception clearly fits.
- Psychotherapy notes: These have special protection under HIPAA. Do not disclose full therapy notes unless required by law or with specific authorization. For safety warnings, you can disclose necessary information without sharing the notes themselves.
- HIV/STI results: Many states impose special confidentiality rules. Reporting to public health is allowed, but disclosure to third parties may be restricted unless needed to avert a serious threat or required by law.
Bottom line: HIPAA is the floor. Other laws may be stricter. Know the layers that apply to your setting.
Does the duty to warn apply to suicide risk?
Yes, but the focus shifts to protecting the patient. HIPAA permits disclosure to prevent or lessen a serious and imminent threat to the patient’s own safety. Appropriate steps can include:
- Arranging emergency evaluation or hospitalization.
- Contacting 911 or a mobile crisis team.
- Notifying a caregiver who can remove means (e.g., firearms, pills) and supervise.
- Limiting access to lethal means and documenting a plan for safety.
As always, disclose only what is necessary for the person to act. Consider whether contacting certain family members could increase risk (for example, in abusive households).
A practical decision path
- Assess: Is the threat serious and imminent? Is there a plan, means, and intent? Who is at risk?
- Check law: Do state statutes create a duty to warn/protect? Is reporting mandated (abuse, certain injuries)? Are special records involved (Part 2)?
- Decide recipients: Who can reduce the risk—target, law enforcement, crisis services, caregivers, another clinician?
- Disclose minimally: Share only what is needed to prevent or lessen the danger.
- Act clinically: Consider hospitalization, increased monitoring, or changes to treatment.
- Document: Record your assessment, legal basis, what you disclosed, to whom, when, and why.
How to document a disclosure for safety
Good documentation shows you acted reasonably and lawfully. Include:
- Risk assessment: Facts supporting seriousness and imminence (patient statements, observed behavior, access to means).
- Legal basis: HIPAA provision you relied on (e.g., preventing serious and imminent threat; required by law) and any relevant state duty-to-warn statute.
- Recipients: Who you notified and why each recipient was chosen.
- Scope: Exactly what you disclosed.
- Outcome: Actions taken by recipients (when known) and your follow-up plan.
- Consultation: If you consulted a supervisor, legal counsel, or ethics resource, note it.
Common pitfalls—and how to avoid them
- Over-disclosure: Do not send full charts when a precise warning suffices. Share only what is necessary.
- Delay: Waiting can increase risk. Make the warning promptly once you have a good-faith basis.
- Ignoring state law: HIPAA permits many disclosures, but state law may require specific actions—or restrict others.
- Not verifying identity: Confirm you are speaking to the right person before sharing sensitive details.
- Forgetting special protections: Substance use disorder records and psychotherapy notes have extra rules.
- Poor documentation: If it is not in the record, it did not happen. Document your reasoning and steps.
- No plan for next time: Train staff, create scripts, and set up a quick legal/ethics consult pathway.
The bottom line
Privacy is the default. Safety is the exception. HIPAA allows you to disclose without authorization to prevent a serious and imminent threat, and when reporting is required by law. State “duty to warn/protect” rules may require action. When you disclose, tell the right people, share the minimum necessary details, act promptly, and document your reasoning. Done well, these steps honor both confidentiality and the obligation to protect life.

I am a Registered Pharmacist under the Pharmacy Act, 1948, and the founder of PharmacyFreak.com. I hold a Bachelor of Pharmacy degree from Rungta College of Pharmaceutical Science and Research. With a strong academic foundation and practical knowledge, I am committed to providing accurate, easy-to-understand content to support pharmacy students and professionals. My aim is to make complex pharmaceutical concepts accessible and useful for real-world application.
Email: Sachin@pharmacyfreak.com