Threat Assessment, HIPAA, and Information Sharing
Threat assessment teams must share information across HR, clinical, and safety without breaking HIPAA. Learn the permitted disclosures and a defensible information-sharing protocol.
A healthcare threat assessment team only works if its members share information — the nurse's observation, the behavioral-health evaluation, the HR context, the safety lead's access concern. Yet the moment patient information is involved, teams freeze, fearing HIPAA. That fear is usually misplaced. HIPAA is not a wall around threat management; it is a set of rules that permit the sharing a well-run team needs, provided the team knows which provision it is relying on and limits the disclosure to what the purpose requires. The risk is not sharing too freely — it is sharing without a basis, or refusing to share when the rules clearly allow it.
This article maps the permitted disclosures a threat assessment team relies on and lays out an information-sharing protocol that is both compliant and defensible. It is not legal advice; confirm application with qualified counsel.
# The misconception that paralyzes teams
The common belief is that HIPAA forbids disclosing any patient information without authorization. In reality, the Privacy Rule contains several permitted disclosures directly relevant to threat management. A team that understands them shares confidently and correctly; a team that does not either over-discloses out of panic or, more often, withholds information that the rules plainly allow — and a concern goes unmanaged because no one would speak.
# The permitted disclosures a team relies on
Three categories of permitted use and disclosure cover most of what a threat assessment team does:
| Basis | What it permits | Typical use |
|---|---|---|
| Treatment & care coordination | Sharing PHI among those involved in the patient's care | Care team and behavioral health coordinating on an agitated patient |
| Health-care operations | Internal uses for quality, safety, and operations among the workforce | The team reviewing a safety concern as a facility function |
| Serious & imminent threat | Disclosure to someone able to prevent or lessen a serious, imminent threat | Notifying law enforcement or a potential target when criteria are met |
For the first two, the sharing happens inside the covered entity among workforce members with a need to know — the everyday mode of a threat assessment team. The third reaches outside the entity and carries the higher bar of a serious and imminent threat; it overlaps with the law-enforcement and duty-to-warn decision and should always be coordinated with risk and legal.
# Minimum necessary: the discipline that keeps it clean
The companion to "you may share" is "share only what is needed." HIPAA's minimum necessary standard governs most internal sharing: the team should circulate the specific information relevant to managing the concern, not a member's entire record. In practice that means the behavioral-health lead conveys the risk-relevant assessment, not the full clinical history; the nurse reports the observed behavior, not unrelated diagnoses. Disciplined scoping is both compliant and protective — it keeps the case record focused and avoids the impression, in any later review, that the team trafficked in information it did not need.
# Staff information is a different track
Threats involving employees raise a separate confidentiality question. An employee's own health information may be protected, but the employment dimension of a Type III (worker-on-worker) concern runs through HR and employment law, not the Privacy Rule. The protocol should keep the tracks distinct: clinical PHI handled under HIPAA bases, employment information handled under HR confidentiality, and the threat-management record documenting the coordination between the two without merging them into an undifferentiated file.
# A defensible information-sharing protocol
A written protocol turns these rules into a routine the team can follow under pressure:
- Name the basis. For each disclosure, identify which permitted use applies — care coordination, operations, or serious-and-imminent-threat.
- Scope to minimum necessary. Share only the information the purpose requires; resist the urge to circulate full records.
- Route external disclosures. Any disclosure outside the entity — to law enforcement or a target — goes through a risk/legal check first, except in a genuine emergency where a member acts to avert imminent harm and documents it immediately after.
- Limit access. Case records live in a confidential file with defined access, not in general systems.
- Document the basis and scope. Record what was shared, with whom, on what basis, and why — so the disclosure is explainable later.
This mirrors the broader discipline in documenting threat assessments defensibly: the record should show not only what the team decided but that it handled information lawfully along the way.
# Why surveyors and litigation care
Under Texas HSC Chapter 331 and the Joint Commission's workplace violence requirements (effective Jan. 1, 2022 for hospitals), a facility is expected to report, manage, and follow up on concerns — which is impossible without lawful information sharing. A team that can show it shared appropriately, scoped to minimum necessary, and documented the basis demonstrates a program that functions and respects privacy. The opposite postures both fail: a team that withheld information and let a concern go unmanaged looks negligent, and a team that disclosed indiscriminately looks reckless. The protocol is what keeps the facility off both rocks.
# How VIGILO helps
VIGILO helps facilities build a compliant information-sharing protocol into a documented threat assessment program and the written WVP plan and policies — naming the permitted bases in plain terms, the minimum-necessary discipline, the risk/legal route for external disclosures, and the access and documentation rules — and train the team through staff education. The protocol is coordinated with your legal function and refreshed in an annual program review, and for Texas facilities it aligns with HSC Chapter 331. To pressure-test your current approach, start with the Chapter 331 compliance checklist.
VIGILO provides compliance, training, and consulting assistance and supports survey-readiness and preparedness; it does not provide legal advice, does not guarantee safety outcomes, and does not provide security guard, patrol, or investigative services. Information-sharing and disclosure decisions must be confirmed with qualified legal counsel against current law and your specific facts.

Sources: HIPAA Privacy Rule, 45 C.F.R. Part 164 (permitted uses and disclosures for treatment and operations; minimum necessary, §164.502(b); disclosures to avert a serious and imminent threat, §164.512(j)); The Joint Commission Workplace Violence Prevention requirements (effective Jan. 1, 2022 for hospitals); Texas Health & Safety Code Chapter 331 (SB 240, 88th Leg., 2023).