HIPAA and Mental Health

A Comprehensive Guide to Understanding the Connection Between HIPAA and Mental Health

Did you know that roughly half of all people in the United States will face a mental health illness within their lifetime?

Like any medical condition, mental health cases fall under the protection offered by HIPAA. HIPAA, or the Health Insurance Portability and Accountability Act, is a federal law passed in 1996.

The Act established national standards when it comes to protecting a patient’s medical records and information.

So what do you need to know when it comes to HIPAA and mental health? In this article, we’ll walk you through everything you need to know.

HIPAA and Mental Health Overview

There are plenty of horror stories when it comes to HIPAA violations. A breach of confidentiality can not only endanger the reputation of the practice, but also lead to jail time.

As such, healthcare providers must know all the ins and outs of the policies they follow. Most HIPAA regulations deal with restricting the disclosure of information to unauthorized parties.

But what about the authorized parties?

Family and friends typically play a vital role in a patient’s health care, so most of the HIPAA information about mental health addresses how sensitive information can be shared amongst these networks.

In certain cases, a patient may not have the capacity to make healthcare decisions for themselves. In these cases, it becomes necessary to share the information. For a full list of the HIPAA privacy rules that accompany sharing mental health details, you can visit this link here.

Frequently Asked Questions

It’s easy to get bogged down in the intricacies of HIPAA law and how it relates to mental health. To make things a little easier, we have included the answers to seven questions that people usually ask.

1. Is a healthcare provider allowed to share any mental health information with a patient’s friends or family?

A healthcare provider is allowed to share a patient’s mental health information with their family and friends. However, they must make sure that the patient does not object to the sharing.

2. Is signed consent required to share this information with family and friends?

No, healthcare providers do not require a signed consent form to share mental health information with a patient’s family or friends. However, they still must go through the process of asking or inferring.

There are three things a provider can do to gain consent. First, they can flat-out ask the patient if it’s all right to share the information.

Second, they can state their intention to discuss medical information and give the individual a chance to refuse.

Third, using their professional judgment, a provider can infer that the person will not object. An example of this method might occur if a patient invites their friends or family to a treatment session.

3. What happens if the patient refuses to consent to share information with family and friends?

If the patient who refuses consent is capable of making healthcare decisions, then you may not share any mental health information with family or friends.

However, if the healthcare provider believes the patient isn’t capable of making decisions for themselves, then they may share the information.

A court order isn’t required to share this information, but you must exercise your best judgment when making this decision.

Is sharing the information in the patient’s best interest? You can learn more about how to determine if your patient is capable of decision-making here.

4. What kind of information is the healthcare provider allowed to share with a patient’s friends and family?

A healthcare provider can share pertinent medical records with family and friends. However, they should exercise caution before sharing more personal psychotherapy notes.

These observations may contain private or sensitive information so they are treated differently than standard medical information. As such, a provider will most likely need to obtain consent before sharing psychotherapy notes.

5. Can friends and family share pertinent medical information with a patient’s mental healthcare provider?

Yes, if family or friends are worried about an individual receiving treatment, then they can contact the patient’s healthcare provider. The provider doesn’t need to tell the individual who provided this information, so a degree of confidentiality is retained.

6. How old does a patient need to be to be considered an adult decision-maker?

A child must reach the age of eighteen before they can make healthcare decisions for themselves. Before they reach this age, a parent, guardian or personal representative is also privy to this personal information.

7. Can a healthcare provider share mental health information with the police?

Yes, if a patient is deemed a risk to themselves or others, then healthcare providers can give any necessary information to law enforcement officials.

Check Your Local State Laws Before Referring to HIPAA Standards

While HIPAA protections provide a baseline set of regulations, it’s vital that healthcare providers first check their local state laws before proceeding with treatment.

Certain state laws that deal with privacy supersede HIPAA laws. You should also make sure to consult federal laws, since some of these also supersede HIPAA protections.

For example, drug and alcohol treatment programs come with strict confidentiality guidelines.

Need Help With HIPAA Assessment, Documentation or Training? Contact HIPAA Security Suite

We hope this article helped you learn more about the general policies that accompany HIPAA and mental health issues. Unfortunately, while many of the HIPAA standards are common sense, healthcare providers will still accidentally commit numerous violations.

Many of these violations occur due to poor electronic security or documentation efforts. So how can you make sure that your healthcare practice is following all the necessary precautions to protect your patients’ medical information?

One solution is the HIPAA Security Suite. We provide a wide range of services — from risk assessment to documentation, to training for all your HIPAA needs.

With help from the professionals at HIPAA Security Suite, you can greatly reduce the risk of legal action against your practice. Contact us through this link here and learn more about our services.

HIPAA Security Reminders


HIPAA Security Suite has developed a weekly HIPAA Security Reminder series that’s FREE for all of us who are responsible for, or engaged in, the use and protection of PHI.

Pursuant to Section 164.308(a)(5) of the HIPAA Security Rule, the Standard states: Implement a security awareness and training program for all members of its workforce (including management).

This standard is part of our Best Practices Recommendations for HIPAA Security Suite users, but it’s available for FREE to anyone who wants to comply with HIPAA using the easiest, best tools available.
