Threat Assessment
Duty to Warn in Texas: Threats and Healthcare
Texas limits a mental-health provider's duty to warn — but threat assessment teams still need a clear, documented protocol. How Texas law shapes your healthcare threat response.
"Duty to warn" is one of the most misunderstood concepts in healthcare threat management. Many clinicians assume Texas imposes the broad, mandatory Tarasoff duty familiar from California case law. It does not. Texas instead takes a narrower, permissive approach — and that distinction shapes how a healthcare threat assessment team handles a credible threat against an identifiable person. The practical answer is not "you must warn" or "you cannot disclose," but a trained, documented protocol that reflects what Texas law actually allows.
This article explains, in compliance terms, how Texas treats the duty-to-warn question and why a facility still needs a clear protocol even though the mandatory duty most people imagine does not exist here. It is not legal advice; confirm application to your facts with qualified counsel.
#The Tarasoff baseline — and why Texas differs
The Tarasoff line of cases established, in some states, an affirmative duty for a mental-health professional to take steps to protect an identifiable third party from a patient's serious threat. Texas has charted a different course. Texas courts have generally declined to recognize a common-law duty for mental-health professionals to warn third parties of a patient's threats. At the same time, the Texas Health & Safety Code (§611.004) permits — it does not compel — disclosure of confidential mental-health information to medical or law-enforcement personnel when the professional determines there is a probability of imminent physical injury to the patient or others, or a probability of immediate mental or emotional injury to the patient.
The result is a permissive framework: Texas gives the professional discretion to disclose to defined recipients in defined circumstances, rather than imposing a blanket duty to warn the potential victim. That discretion is precisely why a protocol matters — discretion exercised without structure is hard to apply consistently and harder to defend.
#Why "no mandatory duty" does not mean "no protocol"
A facility might wrongly conclude that because Texas imposes no broad duty to warn, no protocol is needed. The opposite is true. Three things still have to be right every time:
- The clinical and threat-assessment judgment about imminence and risk.
- The disclosure decision — whether to share information with medical or law-enforcement personnel under the permissive statute.
- The documentation of the reasoning, whether or not a disclosure is made.
A protocol gives clinicians and the team a consistent way to reach and record those judgments. Without one, two clinicians facing identical facts may respond differently, and neither response is easy to explain afterward. With one, the facility can show it applied a recognized, lawful process — the heart of a defensible posture.
#Where this sits in the threat assessment process
The duty-to-warn question is a specialized branch of the broader law-enforcement and disclosure decision the team already makes. Fold it into the facility's five-step process:
| Step | Duty-to-warn consideration |
|---|---|
| Identification | A threat against an identifiable person is flagged |
| Triage | Is there a probability of imminent physical injury (the statutory trigger)? |
| Assessment | The team weighs imminence, specificity, target identifiability, and means |
| Management | Coordinate with risk/legal on whether a permitted disclosure is warranted |
| Documentation | Record the analysis and the decision — to disclose or not — and the basis |
The clinician and the team do not make the legal call alone. The protocol routes the disclosure question to risk and legal, who confirm how the statute and HIPAA apply to the specific facts.
#The HIPAA overlay
State confidentiality law is only half the picture. HIPAA separately permits a covered entity to disclose protected health information when the provider, in good faith, believes it is necessary to prevent or lessen a serious and imminent threat to a person or the public — to someone reasonably able to prevent or lessen the threat, including the target or law enforcement. A defensible disclosure satisfies both Texas confidentiality law and HIPAA. Because the two frameworks use related but not identical triggers, the protocol should require a brief risk/legal check before any disclosure of clinical information, and the case record should note the basis relied upon.
#Documenting the decision either way
As with the broader law-enforcement question, the decision not to disclose is the one facilities most often fail to record — and the one discovery most often probes. A defensible record states the threat, the imminence and specificity analysis, the recipients considered, the legal basis weighed, and the conclusion, with a review trigger that would change it. The discipline mirrors documenting threat assessments defensibly: factual, reasoned, owned, and written with the awareness it may be read later.
#Building the protocol into the program
The duty-to-warn protocol is not a standalone document; it lives inside the WVP plan and threat assessment program. Train clinicians and the team on what Texas law permits, when to escalate to risk/legal, and how to document — so the response is consistent across shifts and departments. Coordinating the relationship with law enforcement and counsel in advance, rather than mid-crisis, is what makes the protocol usable when it is needed.
#How VIGILO helps
VIGILO helps facilities build a Texas-appropriate duty-to-warn and disclosure protocol into a documented threat assessment program and the written WVP plan and policies — defining the statutory and HIPAA triggers in plain terms, the route to risk and legal, and the document-the-decision discipline — and train staff through education. The protocol is coordinated with your legal function and refreshed in an annual program review, and for Texas facilities it aligns with HSC Chapter 331. To pressure-test your current approach, start with the Chapter 331 compliance checklist.
VIGILO provides compliance, training, and consulting assistance and supports survey-readiness and preparedness; it does not provide legal advice, does not guarantee safety outcomes, and does not provide security guard, patrol, or investigative services. Duty-to-warn and disclosure decisions must be confirmed with qualified legal counsel against current law and your specific facts. Sources: Texas Health & Safety Code §611.004 (permitted disclosures of mental-health information); HIPAA Privacy Rule, 45 C.F.R. §164.512(j) (disclosures to avert a serious and imminent threat); The Joint Commission Workplace Violence Prevention requirements (effective Jan. 1, 2022 for hospitals); Texas Health & Safety Code Chapter 331 (SB 240, 88th Leg., 2023).