Does HIPAA require a mental health provider to let a patient know that the provider is going to share information with others before disclosing PHI to prevent or lessen a serious and imminent threat?
Not at the time of disclosure; however, the Notice of Privacy Practices should contain an example of this type of disclosure so patients are informed in advance of that possibility. See 45 CFR 164.520(b). In situations that also involve reports to the appropriate government authority that the patient may be an adult victim of abuse, neglect, or domestic violence, the mental health provider must promptly inform the patient that a report has been or will be made, unless:
- informing the patient would create a danger to the patient; or
- the provider would be informing a personal representative, and the provider reasonably believes the personal representative is responsible for the abuse, neglect, or other injury, and that informing such person would not be in the best interests of the patient is determined by the provider, in the exercise of professional judgment. See 45 CFR 164.512(c).
Other standards, such as clinical protocols, ethics rules, or state laws, may also be applicable to patient notification about disclosures in situations involving threats of imminent harm.