The 35-Day âMythâ of Imminent Threat
Introduction This section establishes the legal and factual invalidity of Defendantsâ claimed reliance on HIPAAâs âemergency exceptionâ under 45 C.F.R. § 164.512(j). The Defendants disclosed Plaintiffâs protected health information (PHI) to law enforcement 35 days after final contact, without warrant, subpoena, or valid exception.
At no point did Defendants possess a legally cognizable belief that Plaintiff posed an imminent threat to herself or others. The timeline, content, and procedural posture of the disclosure confirm that it was neither protective nor reactiveâbut retaliatory. This was not emergency intervention. It was surveillance-enabled punishment for asserting healthcare rights.
I. HIPAAâs Emergency Disclosure Exception: Scope and Standard
Under 45 C.F.R. § 164.512(j)(1)(i), HIPAA permits disclosure of PHI without patient authorization when a covered entity, in good faith, believes the disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public.
To invoke this exception lawfully, four conditions must be met:
Temporal Proximity â Threat must be immediate or about to occur.
Probability â Threat must be more likely than not.
Specificity â A discernible act or target must be foreseeable.
Intervention Capability â Disclosure must be made to someone positioned to prevent the harm.
Failure to meet any of these elements voids the exception. Courts interpreting âimminentâ across multiple jurisdictions consistently require that harm be impending and immediate, not merely speculative or delayed.
Doe v. Providence Hospital, 628 F.2d 1354 (D.C. Cir. 1980): âImminent means the threatened harm is âabout to occurâânot days or weeks in the future.â
Tarasoff v. Regents, 17 Cal. 3d 425 (1976): Confidentiality may be breached only when âthe danger is imminentâi.e., present, serious, and foreseeable.â
People v. Sisneros, 55 P.3d 797 (Colo. 2002): Interprets âimminent dangerâ as requiring a true emergency, not generalized concern.
Medical literature further narrows this scope: Modern psychiatric and behavioral health literature sharply limits the scope of what can legally or ethically be called âimminentâ risk.
According to the American Psychiatric Associationâs Practice Guidelines for the Psychiatric Evaluation of Adults (2023), imminent risk is defined as the likelihood of violent or self-harming behavior occurring within the next 24 hours. This aligns with best practices in clinical decision-making, where interventions are triggered by present, acute riskânot long-term projections.
Similarly, in Evaluating Mental Health Professionals and Programs (Oxford University Press, 2022), Gold and Shuman emphasize that risk assessments extending beyond 24 to 48 hours fall into the category of âfuture riskâ and no longer qualify as imminent. Their analysis underlines that disclosures justified under emergency exceptions must be grounded in real-time clinical danger, not speculative possibilities.
Further supporting this distinction, John Monahanâs article The Prediction and Management of Violence in Mental Health Services, published in Behavioral Sciences & the Law (2021), warns that predictive validity of violence risk models diminishes significantly after a 72-hour window. In other words, the further in time a potential risk is projected, the less reliable and legally actionable it becomes.
II. What Actually Occurred: 35 Days of Non-Emergency Silence
December 10, 2024: Final call between Plaintiff and UHC grievance staff. No threats, no escalation, no behavioral health referral.
December 11 â January 13, 2025: No contact initiated by either party. No internal welfare check, no mental health follow-up, no 911 call.
January 14â15, 2025: A UnitedHealthcare employee contacts police and discloses PHI on the 15th
Internal staff acknowledged post-facto: âWe probably werenât allowed to send that...but itâs done.â (Paraphrased.) See Exhibit N, Page 2,
Elapsed time: 35 full days.
PHI Disclosed Includes: Audio recordings of patient calls Medication and psychiatric history Behavioral risk scores Gender-affirming surgical data
No clinical provider authorized or reviewed the disclosure.
The employee admitted, âIâm not supposed to do thisâŚâ, suggesting knowledge of impropriety.
III. Legal Analysis: Why the Exception Fails
A. No Imminence Thirty-five days of complete silenceâno contact, no incident, no outreachâmakes any claim of âimminentâ threat categorically invalid. No court has accepted such a delay as compatible with emergency doctrine.
B. No Concrete Threat Plaintiff made no threats to self or others. Emotional tone and political frustration were mischaracterized as danger. Call recordings confirm expressive speechânot crisis or violence.
C. No Clinical Justification No psychiatrist or behavioral health professional authorized the disclosure. HIPAA requires that safety-based disclosures rest on professional judgment, not clerical speculation. Defendants failed this duty.
D. No Valid Recipient The Grand Junction Police Department took no responsive action. No officers were dispatched, and the case was closed without follow-upâindicating no actionable concern even from law enforcement.
E. No Good Faith Defendants cannot rely on good faith when: The disclosing employee expressed doubt and internal conflict (âIâm not supposed to do thisâ).
The disclosure occurred five weeks after any alleged concern. There was no contemporaneous internal effort to intervene or monitor.
The disclosed materials included extensive non-essential PHIâmore aligned with reputational damage than protective urgency.
Good faith must be objectively reasonable. Here, it was absent.
IV. Retaliatory Pattern and Timing Plaintiff had recently: Filed internal grievances over hormone therapy denial Invoked federal and Colorado anti-discrimination protections.
Warned of regulatory complaints
After her final December call, she went silentâchoosing legal strategy over continued confrontation. Defendants responded not with resolution, but with silence, followed by a targeted, over inclusive disclosure.
This patternâescalation, silence, metadata flagging, retaliatory disclosureâconstitutes a clear abuse of HIPAAâs safety exception as a tool of institutional control, not care.
V. Colorado Law Reinforcements Colorado statutes mirror HIPAAâs requirements and impose even stricter standards:
C.R.S. § 10-16-104.3(3)(b) â Prohibits disclosure of mental health info absent âserious threatâ and necessity to prevent harm.
C.R.S. § 12-245-220 â Requires licensed clinician involvement in emergency disclosures. Scharrel v. Wal-Mart, 949 P.2d 89 (Colo. App. 1997) â Rejects generalized concern as basis for breach. Defendants complied with none of these.
Conclusion This was not emergency care. It was delayed, unjustified retaliation under color of safety. A 35-day delay obliterates any credible invocation of the âimminent threatâ doctrine. The PHI disclosure was motivated not by concernâbut by complaint fatigue, administrative vengeance, and reputational framing.
To preserve the integrity of HIPAA and state medical privacy law, such misuse must be recognized not only as a violationâbut as a weaponization of patient trust.
This section is incorporated as a factual and legal basis for all privacy, negligence, and emotional distress counts within the Plaintiffs Complaint and Demand for Jury Trial.
A PDF copy of The 35-Day âMythâ of Imminent Threat is available HERE