HIPAA and the Tarasoff Duty: When Mental Health Professionals May Disclose to Warn or Protect

HIPAA Overview

HIPAA sets national rules for safeguarding Protected Health Information (PHI) while allowing limited, purpose‑driven disclosures. For mental health professionals, the law balances confidentiality with safety when a disclosure could prevent harm.

Most uses or disclosures require Patient Authorization. However, HIPAA also recognizes narrowly tailored Confidentiality Exceptions, including disclosures to avert a Serious Imminent Threat to health or safety. Even then, the Minimum Necessary Standard applies: share only what is reasonably needed for the purpose.

Core HIPAA concepts relevant to safety

• Protected Health Information: individually identifiable data relating to a patient’s health, care, or payment.
• Patient Authorization: signed permission typically required for non‑routine disclosures.
• Confidentiality Exceptions: limited pathways permitting disclosure without authorization, such as preventing or lessening a Serious Imminent Threat.
• Minimum Necessary Standard: limit the scope of PHI disclosed to what is necessary to accomplish the safety objective.

Tarasoff Duty Explained

The Tarasoff duty arises when a patient communicates a credible threat of serious violence toward Identifiable Victims. Depending on state law, clinicians may have a duty to warn the potential victim, to protect them, or both.

“Warn or protect” can include notifying the threatened person, contacting law enforcement, increasing treatment intensity, or arranging hospitalization. The common thread is a professional effort to reduce foreseeable risk to Identifiable Victims.

Duty to Warn vs. Duty to Protect

• Duty to Warn: communicate the threat to the potential victim or others who can intervene.
• Duty to Protect: take reasonable steps (e.g., safety planning, hospitalization, notifying authorities) to prevent harm.

Disclosure Under HIPAA for Tarasoff Duty

HIPAA permits disclosure when, in good‑faith professional judgment, it is necessary to prevent or lessen a Serious Imminent Threat. In Tarasoff situations, you may disclose PHI to the threatened individual, law enforcement, or others able to mitigate the danger.

If state law requires a Duty to Warn or protect, HIPAA also allows disclosure as “required by law.” Whether permitted or required, apply the Minimum Necessary Standard and tailor the message to the safety objective.

Who you may disclose to

• Identifiable Victims or those reasonably able to warn or shield them.
• Law enforcement or campus/public safety when they can intervene quickly.
• Caregivers or persons involved in the patient’s care when their involvement can reduce risk.

Conditions for Disclosure

Before disclosing PHI without authorization under HIPAA in a Tarasoff context, ensure these conditions are satisfied and documented:

• Serious Imminent Threat: a credible, near‑term risk of substantial harm to the patient or others.
• Identifiable Victims: the potential target is specific or reasonably determinable.
• Good‑Faith, Professional Judgment: the decision is grounded in clinical assessment, not speculation.
• Ability to Lessen the Threat: recipients are positioned to act (e.g., the victim, police, security, or caregivers).
• Minimum Necessary Standard: disclose only information needed to warn or protect.
• Consistency with Law and Policy: follow applicable state Duty to Warn/Protect statutes and organizational policies.
• Documentation: record the threat, risk formulation, recipients, content disclosed, and rationale.

Practical disclosure content

• The nature and credibility of the threat (what, when, means, and context).
• The identity of the patient only if necessary to enable protection.
• Specific, actionable information the recipient needs to warn or protect.

Mental Health Professionals’ Role

Your role is to identify risk early, intervene clinically, and disclose narrowly when required or permitted. Clear protocols help you act decisively while honoring confidentiality.

Clinical actions

• Conduct a structured violence risk assessment and update safety plans promptly.
• Increase therapeutic containment: closer follow‑up, involve supports, or arrange higher levels of care.
• Consult with supervisors or legal/risk management when time permits.

Communication and follow‑through

• When disclosure is justified, contact those able to lessen the threat and convey only necessary PHI.
• Document decisions, attempted contacts, and outcomes; continue monitoring risk after disclosure.
• Debrief with the patient when clinically appropriate to rebuild trust and clarify safety boundaries.

Legal and Ethical Balance

Ethically, you weigh respect for confidentiality against the obligation to prevent foreseeable harm. Legally, you navigate HIPAA’s exceptions alongside state Duty to Warn/Protect requirements.

Proportionality is key: choose the least intrusive, most effective step that can reasonably reduce risk. Transparent, well‑documented reasoning demonstrates good‑faith judgment if your actions are later reviewed.

Risk‑management practices

• Explain Confidentiality Exceptions and the Duty to Warn during informed consent.
• Use decision aids or checklists for Serious Imminent Threat determinations.
• Align policies, training, and after‑hours coverage with state law and HIPAA.

Impact on Patient-Provider Relationship

Disclosures to warn or protect can strain trust, yet honest communication often preserves the alliance. Patients are more likely to remain engaged when you explain the safety rationale and the Minimum Necessary Standard you applied.

Proactively setting expectations at intake helps. After a warning, invite the patient to process the event, reaffirm commitment to care, and revisit collaborative safety plans.

FAQs.

When can mental health professionals disclose information under HIPAA for the Tarasoff duty?

You may disclose PHI without Patient Authorization when, in good‑faith professional judgment, disclosure is necessary to prevent or lessen a Serious Imminent Threat to an Identifiable Victim. If state law imposes a Duty to Warn or protect, HIPAA permits disclosure to satisfy that requirement, provided you limit the disclosure to the Minimum Necessary Standard.

What conditions must be met to justify disclosure?

There must be a credible, near‑term risk of serious harm; the potential victim is identifiable; the recipient can act to reduce the danger; and the disclosure is limited to what is necessary. Your decision should reflect professional judgment, relevant state law, and documentation of the threat, rationale, recipients, and information shared under applicable Confidentiality Exceptions.

How do providers balance confidentiality with the duty to protect?

Start with clinical interventions that reduce risk, disclose only when needed, and select the least intrusive, most effective step to protect safety. Explain exceptions to confidentiality upfront, apply the Minimum Necessary Standard if you must warn or notify, and document your good‑faith reasoning—thereby honoring both HIPAA and the Duty to Warn while supporting the therapeutic relationship.