Is it Impermissible to Disclose a Risk to Public Safety?

Veriphyr proactively reports impermissible use of PHI the first time it happens. 

If a mental heath patient poses a risk to the safety of themselves or the public, is it impermissible for their doctor to disclose the information? Does it matter to whom they disclose it?


A Potential Threat

Dr. Richard Kaye, a psychiatrist, was indicted by a federal grand jury for disclosing the personal medical information of a former patient. In February of 2008, he communicated his concerns over a former patient’s mental health to her employer, saying she was of “serious and imminent threat to the safety of the public”. The case against him claimed he disclosed the information under false pretenses (a).

The former patient in question had been the victim of a horrific, three day long break in and assault in her home in 2007. Soon after this experience she was hospitalized and treated by Dr. Kaye at Sentara Obici Hospital in Suffolk, Virginia.

Shortly after she was released from her 48 hour stay there, Kaye called her supervisors to warn them of her mental state. The patient is a Virginia state trooper.


Was He Guilty?

The case hinged on whether Kaye’s call were based on false pretenses, whether he knew it was untrue that the trooper was a danger, or that he made the call with reckless indifference.

In 2011, the federal judge threw out all charges against Dr. Kaye, as he was found to have believed what he said when he warned the trooper’s superiors (b).


The Law Says…

According to the HIPAA privacy rule, a doctor may

“disclose PHI, including psychotherapy notes, when the covered entity has a good faith belief that the disclosure: (1) is necessary to prevent or lessen a serious and imminent threat to the health or safety of the patient or others and (2) is to a person(s) reasonably able to prevent or lessen the threat.  This may include, depending on the circumstances, disclosure to law enforcement, family members, the target of the threat, or others who the covered entity has a good faith belief can mitigate the threat” (c).

As Kaye  made the call in good faith, with the belief that the woman was a threat, the court found him innocent.


The Crime

This being said, impermissible access to patient data is still a crime. When employees snoop in the records of patients’ who aren’t theirs, even with the belief that the patient may be a public safety threat, their employer is considered responsible for a HIPAA violation.

An organization not properly protecting patient data is legally equivalent to impermissible disclosure of the protected health information (PHI).

Thankfully, Veriphyr’s advanced data analytics can protect hospitals from employee snooping by spotting impermissible use the first time it happens.



(a) The Virginian Pilot – June 23, 2011

(b) The Virginian Pilot – November 2, 2011

(c) The Department of Health and Human Services – November 25, 2008