By Julia W.
When emergencies arise in therapy, balancing patient confidentiality with safety is critical. HIPAA provides clear guidelines for such situations, allowing therapists to share protected health information (PHI) under specific exceptions. Here’s what you need to know:
Therapists are permitted to disclose PHI during emergencies under specific HIPAA exceptions. The most important is the serious and imminent threat exception (45 CFR § 164.512(j)). It allows a therapist to share PHI, including psychotherapy notes, when the therapist believes in good faith that the disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public, and the disclosure is consistent with applicable law and standards of ethical conduct. Disclosures should go to those able to prevent or lessen the threat, such as law enforcement, family members, potential victims, or school administrators. Separately, PHI can be shared with other healthcare providers to keep treatment going during emergencies such as evacuations or care transitions. Both kinds of disclosure are subject to the minimum necessary standard, explained in the next section, although that standard does not reach every recipient.
The minimum necessary standard limits a disclosure to the information needed for its purpose. Whether it applies at all depends on the recipient. When PHI is shared with another healthcare provider for treatment, the standard does not apply: under 45 CFR § 164.502(b)(2), disclosures to a provider for treatment are exempt, as HHS.gov confirms.
For non-healthcare entities – like law enforcement, family members, or emergency shelters – disclosures should be limited strictly to the information needed to address the situation.
In emergencies, therapists must rely on their professional judgment to balance patient privacy against safety. Before disclosing PHI without consent, assess whether the threat actually meets the "serious and imminent" threshold. The rule presumes good faith when the therapist's belief rests on actual knowledge (for example, direct patient statements) or on a credible report from someone with apparent knowledge or authority. It is equally important to pick the party best placed to act on the threat: campus police for a school-related risk, for instance, or family members when self-harm is the concern.
All emergency disclosures must adhere to state laws and professional ethical standards. If the situation falls short of meeting the "serious and imminent threat" threshold, therapists should explore other HIPAA provisions, such as those permitting disclosure to a minor’s personal representative. These judgment calls play a key role in creating an effective emergency action plan, ensuring therapists are prepared to document and manage disclosures appropriately during crises.

HIPAA Emergency Disclosure Documentation Requirements for Therapists
These steps are essential for ensuring HIPAA compliance during crises and should be part of a well-thought-out emergency action plan.
Every emergency disclosure must be carefully documented. Record the reason for sharing the information, the specific PHI disclosed, the recipient, and the date and time of the disclosure. For instance, note whether the disclosure was due to an imminent danger to the patient or others, or because the patient was unable to make decisions. Specify the exact PHI shared and identify the recipient, whether it was law enforcement, family members, or other healthcare providers. When sharing information with non-healthcare providers, ensure that only the minimum necessary information is disclosed.
This record is the evidence of your professional judgment and of your adherence to HIPAA. Separately, the Security Rule requires written procedures for emergency mode operation so that critical business processes continue while electronic systems are down.
Make sure patient emergency contacts and consent forms stay up-to-date as part of your preparations.
At intake, discuss emergency contacts and privacy preferences with patients, and have them sign a privacy release or release of information (ROI) form. In an emergency, verify the identity of the contact person before sharing anything: cross-reference the intake information and ask non-sensitive questions about their relationship to the patient. If the patient is incapacitated, use your professional judgment to decide whether sharing limited information with family or friends is in the patient's best interest.
Regularly review and update contingency plans and emergency contact procedures. This should happen annually or whenever there are major changes, such as relocating your office or upgrading your EHR system.
Staff training and breach response procedures are the final pieces of a strong compliance framework.
Regular training drills ensure your team is ready to handle emergencies. The HIPAA Security Rule mandates that practices maintain a formal contingency plan, including data backup, disaster recovery, and emergency mode operations. Conduct annual drills and tabletop exercises to prepare staff for manual workarounds in case systems go offline.
"A robust contingency plan is not just a checkbox. It’s a lifeline that ensures patients continue to receive quality care no matter what challenges arise." – Suzanne Applegate, Certified in Healthcare Compliance
Establish a recovery team with clearly defined roles to oversee the transition back to normal operations. Define your Recovery Time Objective (maximum allowable downtime) and Recovery Point Objective (maximum tolerable data loss) for critical systems. Use automated, encrypted backups – both cloud-based and local – and regularly test their integrity. Train all staff annually, and ensure new hires are quickly brought up to speed on emergency procedures.
An emergency action plan isn't just a safety net for your patients and practice; it's a legal obligation. Under 45 CFR § 164.308(a)(7), HIPAA requires covered entities to maintain a formal contingency plan. Its required elements are a data backup plan for electronic protected health information (ePHI), a disaster recovery plan to restore lost data and resume operations, and an emergency mode operation plan (EMOP) for alternative workflows such as switching to paper charts. Two further elements, testing and revision procedures and an applications and data criticality analysis, are "addressable": you must implement them or document why an alternative is reasonable. The criticality analysis is what lets you rank systems by their importance to patient care and practice operations.
To prepare for scenarios like system outages, natural disasters, security breaches, or public health emergencies, create detailed checklists. These should rank systems by their importance to patient care, putting, for example, the EHR and the authentication service it depends on ahead of systems that can tolerate a longer outage. For example:
Include specific tasks with clear deadlines. For example, identify critical ePHI annually or after significant changes, test data restoration quarterly, and conduct staff drills once a year to find procedural gaps. Update your checklists promptly after major events such as adopting a new EHR system, relocating your office, or significant staffing changes. Neglecting these steps isn't just risky; it can lead to HIPAA violations with civil penalties whose statutory base figures range from $100 to $50,000 per violation, capped at $1.5 million per year for identical violations (HHS adjusts these amounts for inflation each year, so current figures are higher). Once your checklists are in place, align your technology and policies to support these plans.
In emergencies, protecting patient data is critical. Encrypt all ePHI, whether it’s stored or being transmitted, to safeguard it from unauthorized access. Use role-based access controls to ensure staff only access the information they need. Follow the 3-2-1 backup rule: keep three copies of your data, stored on two different media types, with one copy located offsite. Ideally, the offsite backup should be at least 100 miles away or in a different geological risk zone.
Automated, encrypted backups are essential. Combine cloud storage (under a signed Business Associate Agreement) with encrypted local drives kept offsite: the local copy gives quick recovery, the cloud copy gives protection if the site itself is lost. Critical systems such as authentication services (for example, Active Directory) need aggressive recovery time objectives, because when they are down every clinical tool that relies on them is down too. Once your technology is secure, review and update your policies regularly to keep them effective.
Annual reviews of your emergency action plan are essential, along with quarterly tests of your data restoration procedures to confirm backups are functioning correctly. Keep version-controlled documentation of all updates, tests, and changes to demonstrate compliance during audits. Define and regularly update your Recovery Time Objective (maximum allowable downtime) and Recovery Point Objective (maximum tolerable data loss) for each critical system as your practice evolves.
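The quarterly restore test and the RPO check described above, as an added example that is not code from the original article. It builds a constructed sample data set, archives it with a SHA-256 manifest, restores the archive into a scratch directory and verifies every file byte-for-byte, then shows that a corrupted restore is reported rather than silently accepted. The file names, directory layout and RPO value are assumptions. Encryption of the archive at rest, which ePHI requires, is left to the backup tool or storage layer; this example covers integrity and freshness only.

```python
"""Backup restore drill and RPO check (added example, not from the article)."""
import hashlib
import json
import tarfile
import tempfile
from datetime import datetime, timedelta
from pathlib import Path

# Constructed sample data set for the drill (no real patient data).
SAMPLE_FILES = {
    "charts/2024/patient-0001.txt": b"constructed sample chart entry\n",
    "charts/2024/patient-0002.txt": b"another constructed chart entry\n",
    "config/ehr.ini": b"[ehr]\nbackup_schedule=nightly\n",
}


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Relative POSIX path -> SHA-256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(src: Path, archive: Path) -> dict[str, str]:
    """Archive every file under src and write the manifest beside the archive."""
    manifest = build_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(src / rel, arcname=rel)
    (archive.parent / (archive.name + ".manifest.json")).write_text(json.dumps(manifest, indent=2))
    return manifest


def compare(expected: dict[str, str], actual: dict[str, str]) -> list[str]:
    """List every difference between the manifest and what was restored."""
    problems = [f"missing after restore: {rel}" for rel in expected if rel not in actual]
    problems += [f"hash mismatch: {rel}" for rel in expected
                 if rel in actual and actual[rel] != expected[rel]]
    problems += [f"unexpected file: {rel}" for rel in actual if rel not in expected]
    return problems


def restore_and_verify(archive: Path, manifest: dict[str, str], dest: Path) -> list[str]:
    """Extract the archive into dest and compare the result against the manifest."""
    with tarfile.open(archive, "r:gz") as tar:
        # The "data" filter (Python 3.12, backported to 3.8.17+) blocks path traversal
        # and special files; older interpreters fall back to the default extraction.
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(dest, **kwargs)
    return compare(manifest, build_manifest(dest))


def rpo_met(newest_backup_iso: str, rpo_hours: float, now_iso: str) -> bool:
    """True if the newest successful backup is no older than the RPO.
    Timestamps are ISO 8601 strings, as a backup tool's log would record them."""
    newest = datetime.fromisoformat(newest_backup_iso)
    now = datetime.fromisoformat(now_iso)
    return now - newest <= timedelta(hours=rpo_hours)


def run_restore_drill(sample_files: dict[str, bytes] = SAMPLE_FILES) -> dict:
    """Quarterly drill: back up, restore elsewhere, verify, then prove that a
    corrupted restore (one altered file) would be reported."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        live, restore = root / "live", root / "restore"
        for rel, data in sample_files.items():
            (live / rel).parent.mkdir(parents=True, exist_ok=True)
            (live / rel).write_bytes(data)
        restore.mkdir()
        archive = root / "backup.tar.gz"
        manifest = create_backup(live, archive)
        clean = restore_and_verify(archive, manifest, restore)
        # Simulate a bad restore: alter one restored file, then re-check.
        first = sorted(manifest)[0]
        (restore / first).write_bytes(b"bit rot or partial write\n")
        tampered = compare(manifest, build_manifest(restore))
        return {"files": len(manifest), "clean_problems": clean, "tampered_problems": tampered}


if __name__ == "__main__":
    print(json.dumps(run_restore_drill(), indent=2))
```

A drill that only checks the archive opens is not a restore test; the manifest comparison is what proves the data came back intact, and the tampered pass proves the check itself works. Record the drill's output with the date in your version-controlled documentation so an auditor can see the quarterly cadence.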
Finally, establish manual workarounds like using paper forms and alternative communication channels (e.g., landlines or satellite phones) to maintain patient care when digital systems fail. Consistent reviews and updates not only ensure HIPAA compliance but also strengthen your ability to respond effectively to emergencies.
Handling emergencies in therapy practice involves a delicate balance between safeguarding patient confidentiality and ensuring safety. Contrary to common misconceptions, HIPAA isn’t a roadblock in these scenarios – it’s a guide that helps you take action responsibly. The Privacy Rule permits disclosures when there’s a serious and imminent threat, giving you the authority to rely on your professional judgment in critical moments. As Erin Jackson, Managing Partner at Jackson LLP, explains: "In a crisis, you may need to risk your patient’s trust to prevent worse harm".
Preparation is crucial. Knowing when and how to disclose information, sharing only what’s absolutely necessary, and carefully documenting your decisions provide a strong foundation for both patient safety and legal protection. Your emergency action plan should go beyond privacy concerns to include operational strategies, such as secure data backups and manual alternatives for system outages. These aren’t just compliance steps – they’re practical measures to keep your practice functional during unexpected events.
Thorough documentation is essential. Every emergency disclosure and risk assessment must be recorded and retained for at least six years, the Privacy Rule's documentation retention period. The record shows that you acted in good faith and followed established protocols, which is your defence against civil penalties that reach a statutory base of $50,000 per violation (more after HHS's annual inflation adjustment).
Preparation also involves more than just policies. Regular staff training, routine system tests, and annual emergency drills ensure your team is ready to act when it counts. Discussing confidentiality boundaries during intake and keeping emergency contact details current allows patients to participate in planning before a crisis occurs.
Balancing privacy and safety requires both legal understanding and ethical responsibility. By weaving HIPAA compliance into your emergency planning, you’re not just avoiding fines – you’re creating a safety net that protects your patients and ensures your practice can withstand challenges when it matters most.
Under HIPAA, a "serious and imminent threat" arises when a healthcare provider, acting with honest intent, determines that sharing protected health information (PHI) is necessary to prevent or lessen a serious and immediate danger to the health or safety of the patient or others. Any disclosure must be directed to someone who is in a position to reasonably address or reduce the threat.
In urgent situations, PHI may be shared with other healthcare providers for treatment purposes without written consent, whether to maintain continuity of care or to address a serious and imminent threat to someone's health or safety. PHI may also be shared with law enforcement or family members when the provider believes in good faith that doing so will prevent or lessen the threat and that the recipient is able to act on it.
When documenting an emergency disclosure, record the reason for the disclosure (for example, an imminent danger to the patient or others, or the patient's inability to make decisions), the specific PHI shared, the recipient and their role (law enforcement, family member, or another healthcare provider), and the date and time of the disclosure.
Keeping these details ensures adherence to HIPAA regulations and creates a reliable record for any necessary future review.
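The disclosure record described in the documentation section and in the answer above, as an added example that is not code from the original article. Each entry must carry the fields the article requires (reason, PHI disclosed, recipient, recipient type, date and time); for recipients outside the treatment exemption, every PHI element must have a stated need, which is the minimum necessary check; entries are hash-chained with SHA-256 so a later alteration is detectable at audit; and the six-year retention date is computed from the disclosure time. The field names, recipient categories and sample entries are assumptions.

```python
"""Hash-chained emergency disclosure log (added example, not from the article)."""
import hashlib
import json
from datetime import datetime

REQUIRED_FIELDS = ("reason", "phi_disclosed", "recipient", "recipient_type", "disclosed_at")
# Recipient types the treatment exemption does not cover: minimum necessary applies.
NON_PROVIDER_TYPES = {"law_enforcement", "family", "school", "shelter", "other"}
GENESIS = "0" * 64


def _canonical(obj) -> bytes:
    """Deterministic JSON so the same entry always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def validate_entry(entry: dict) -> None:
    """Raise ValueError unless the entry carries every required field and,
    for non-provider recipients, a stated need for each PHI element."""
    missing = [f for f in REQUIRED_FIELDS if not entry.get(f)]
    if missing:
        raise ValueError(f"missing required field(s): {', '.join(missing)}")
    datetime.fromisoformat(entry["disclosed_at"])  # must be a parseable timestamp
    if entry["recipient_type"] in NON_PROVIDER_TYPES:
        needed = entry.get("needed_for", {})
        unjustified = [p for p in entry["phi_disclosed"] if not needed.get(p)]
        if unjustified:
            raise ValueError("minimum necessary: no stated need for " + ", ".join(unjustified))


class DisclosureLog:
    """Append-only log; each record's hash covers its entry and the previous hash."""

    def __init__(self) -> None:
        self.records = []

    def append(self, entry: dict) -> str:
        validate_entry(entry)
        prev = self.records[-1]["hash"] if self.records else GENESIS
        digest = hashlib.sha256(prev.encode() + _canonical(entry)).hexdigest()
        self.records.append({"entry": entry, "prev": prev, "hash": digest})
        return digest

    def verify(self) -> bool:
        """Recompute the chain; False if any record was altered, removed or reordered."""
        prev = GENESIS
        for rec in self.records:
            expected = hashlib.sha256(prev.encode() + _canonical(rec["entry"])).hexdigest()
            if rec["prev"] != prev or rec["hash"] != expected:
                return False
            prev = rec["hash"]
        return True


def retention_until(disclosed_at: str) -> datetime:
    """Six years from the disclosure, the Privacy Rule's documentation retention period."""
    ts = datetime.fromisoformat(disclosed_at)
    try:
        return ts.replace(year=ts.year + 6)
    except ValueError:  # 29 February with no leap day six years on
        return ts.replace(year=ts.year + 6, day=28)


# Constructed sample entries (fictional patient, provider and event).
SAMPLE_TREATMENT = {
    "reason": "continuity of care during office evacuation",
    "phi_disclosed": ["current medication list", "diagnosis"],
    "recipient": "Dr. Example, covering psychiatrist",
    "recipient_type": "healthcare_provider",
    "disclosed_at": "2024-03-04T09:15:00-05:00",
}
SAMPLE_THREAT = {
    "reason": "serious and imminent threat to an identified person (45 CFR 164.512(j))",
    "phi_disclosed": ["patient name", "stated threat", "patient's current location"],
    "needed_for": {
        "patient name": "identify the person posing the threat",
        "stated threat": "convey the nature of the danger",
        "patient's current location": "enable officers to locate the patient",
    },
    "recipient": "campus police dispatch",
    "recipient_type": "law_enforcement",
    "disclosed_at": "2024-03-04T16:40:00-05:00",
}

if __name__ == "__main__":
    log = DisclosureLog()
    log.append(dict(SAMPLE_TREATMENT))
    log.append(dict(SAMPLE_THREAT))
    print("chain intact:", log.verify())
    print("retain until:", retention_until(SAMPLE_THREAT["disclosed_at"]).date())
```

The treatment entry passes without a per-element justification because the minimum necessary standard does not apply to a provider-to-provider treatment disclosure; the law enforcement entry is rejected if any disclosed element lacks a stated need. Store the records somewhere staff cannot edit in place (an append-only store or a signed export), since the chain only detects alteration, it does not prevent it.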