Article Updated: July 11, 2026

HIPAA Rules for Information Sharing in Psychiatric Practice

HIPAA permits psychiatrists to share Protected Health Information without patient authorization for treatment, payment, and healthcare operations, but disclosures outside those categories generally require written authorization, and the minimum necessary standard governs how much information may be shared once a disclosure is permitted. These rules apply across every information-sharing scenario a psychiatric practice encounters, from routine communication with other treating providers to responses for payers, attorneys, schools, and family members. Applying them correctly requires more than knowing the general categories, because psychiatric information carries a level of sensitivity that calls for additional judgment about what to disclose, to whom, and how much detail is appropriate for the purpose at hand.

Treatment-Related Disclosures Among Providers

The HIPAA Privacy Rule allows psychiatrists to share Protected Health Information with other treating providers without patient authorization when the purpose is diagnosis, treatment, or clinical consultation. This includes communication with therapists, primary care providers, inpatient teams, pharmacists, and case managers who are actively involved in the patient’s care. The recipient must be part of a HIPAA-regulated relationship, such as a covered entity or business associate, and individuals performing non-clinical functions, including housing support or benefits navigation, generally fall outside this category and require authorization before information is shared. The minimum necessary standard does not apply to treatment communications between providers, but psychiatrists should still exercise judgment about what level of clinical detail serves the recipient’s role.

Disclosures to Health Plans and During Utilization Review

When psychiatrists or their administrative staff respond to requests from health plans for prior authorizations, medication approvals, or claims processing, the minimum necessary standard applies directly, and disclosures should be limited to what supports the specific purpose of the request. Diagnostic information, treatment plans, and medication histories are commonly requested, and progress notes may also be requested in some circumstances. Psychotherapy notes remain outside the designated record set and are not subject to disclosure through this process. Limiting what is shared to what the payer’s criteria require protects patient privacy while supporting the approvals needed to continue treatment without unnecessary delay.

Responding to Requests From Outside the Treatment Relationship

Attorneys, employers, schools, and law enforcement agencies routinely request psychiatric records, and most of these requests require a valid, specific, signed patient authorization unless a legal exception applies. When information is released, the minimum necessary standard determines what should be shared, and the scope of disclosure should match the stated purpose of the request rather than the full content of the record. An employer verifying functional limitations for a workplace accommodation does not need a complete psychiatric history, and an attorney’s broad request should still be limited to what the patient has authorized or what the law requires. Subpoenas and other legal demands typically require review of validity before any information is released, and legal counsel involvement is common in determining the appropriate scope of response.

Safety-Related Disclosures Without Authorization

HIPAA permits psychiatrists to disclose information without patient authorization when necessary to address a serious and imminent threat to the patient or others. These disclosures may go to emergency personnel, crisis teams, law enforcement, or family members positioned to help prevent harm, and they should be limited to the information needed to manage the immediate concern. This permission exists alongside, and is sometimes shaped by, state-specific duty to warn and duty to protect laws that may require rather than simply permit disclosure under defined circumstances.

Specialist Training on Psychiatric Information Sharing

The HIPAA Journal’s HIPAA Training for Psychiatrists includes the Patient Confidentiality in Psychiatry specialist module as a required part of Section One, covering the full set of information-sharing scenarios psychiatric staff encounter, including care coordination, payer requests, third-party disclosures, safety exceptions, and pharmacy and hospital handoffs. The course also covers the HIPAA Privacy Rule, HIPAA Security Rule, and HIPAA Breach Notification Rule as part of its core content. Practices in Texas or California can add optional state medical privacy modules at no additional cost, which become required training for all learners once selected, ensuring information-sharing decisions comply with both federal and state requirements.

Author: PJ Murray

PJ Murray is the founder and publisher of The HIPAA Journal. He has more than 10 years of experience writing about HIPAA, healthcare compliance, patient privacy, and the protection of medical records. Through The HIPAA Journal, PJ helps healthcare organizations, business associates, and their employees better understand HIPAA regulations, reduce compliance risks, and strengthen the safeguards used to protect patient information.

PJ has a background in software development, holds an engineering degree, and specializes in the cybersecurity aspects of HIPAA compliance, including data security, medical record protection, and workforce training. He has also played a leading role in the development and launch of The HIPAA Journal Training, which provides HIPAA and cybersecurity training for healthcare organizations, business associates, students, and healthcare-related workforces.

PJ's work focuses on making complex regulatory and technical requirements easier for healthcare professionals and organizations to understand and apply in practice.
Connect on LinkedIn.