The Tarasoff Duty to Warn: State-by-State Rules for Healthcare Providers
9 min read · Last reviewed May 23, 2026
The Tarasoff duty originated in Tarasoff v. Regents of the University of California (17 Cal. 3d 425, 1976) and now exists in some form in roughly two-thirds of states — codified, rejected, or left in common-law limbo. California's codification at Civ. Code § 43.92 limits the duty to credible threats of serious physical harm against reasonably identifiable victims. HIPAA at 45 CFR § 164.512(j) provides the disclosure permission once the state duty triggers.
What triggers the duty to warn
The duty triggers — in states that recognize it — when a patient communicates to a psychotherapist (or in some states, any clinician) a serious threat of physical violence against a reasonably identifiable victim. Three elements must align:
- Credibility of the threat — the threat must be serious, not casual venting. The clinical assessment is contemporaneous; the standard is what a reasonable practitioner would conclude in the moment.
- Identifiability of the victim — the threat must name or otherwise identify a person or limited group. "I want to kill my coworker John Smith" satisfies; "I hate the company" does not.
- Imminence and physical-violence character — the threat must be of physical violence, generally with a temporal proximity that distinguishes it from generalized hostility.
What clinicians most often miss is that California's Tarasoff codification at Civ. Code § 43.92 limits the duty to credible threats of serious physical harm — not all clinical concerns rise to that bar. A patient who expresses violent ideation without a target, without means, and without a plan does not generally trigger Tarasoff. The clinical safety planning is required by the standard of care; the third-party warning is not.
Who must report
Tarasoff most squarely applies to "psychotherapists" — psychologists, psychiatrists, LCSWs, LMFTs, LPCs, and psychiatric mental health nurse practitioners. California's Evidence Code § 1010 defines "psychotherapist" broadly enough to capture most mental health roles.
Several states extend the duty beyond mental health to any healthcare practitioner who learns of a credible threat in their professional capacity. The American Medical Association's Ethics Code Opinion 5.7 supports breaking confidentiality to protect identifiable third parties from imminent harm regardless of specialty.
Primary care physicians, EMS personnel, and emergency department staff who receive a threat communication during care should treat themselves as potentially within the duty in any state and document accordingly.
State-by-state framework
The Tarasoff landscape sorts into four buckets:
| State | Posture | Statute / Case | Trigger | |---|---|---|---| | California | Duty (codified) | Cal. Civ. Code § 43.92 | Serious threat against reasonably identifiable victim | | New Jersey | Duty (codified) | N.J.S.A. 2A:62A-16 | Serious threat against readily identifiable victim | | Massachusetts | Duty (codified) | M.G.L. c. 123, § 36B | Explicit threat against clearly identified or reasonably identifiable victim | | Nebraska | Duty (codified) | Neb. Rev. Stat. § 71-1,206.30 | Serious threat against reasonably identifiable victim | | Indiana | Duty (codified) | Ind. Code § 34-30-16-1 | Serious imminent threat against reasonably identifiable victim | | Michigan | Duty (codified) | MCL 330.1946 | Serious threat against reasonably identifiable third party | | Minnesota | Duty (codified) | Minn. Stat. § 148.975 | Specific serious threat against specific clearly identified person | | New Hampshire | Duty (codified) | N.H. Rev. Stat. § 329:31 | Serious threat against clearly identified victim | | Ohio | Duty (codified) | ORC § 5122.34 | Explicit threat against reasonably identifiable victim | | Washington | Duty (case law) | Volk v. DeMeerleer (2016) | Foreseeable harm to foreseeable victim — broader than CA | | Florida | Duty (case law / permissive) | Boynton v. Burglass (1991); F.S. § 491.0147 permits disclosure | Permissive disclosure for imminent threat | | Illinois | Permissive (codified) | 740 ILCS 110/11 | Disclosure permitted; not statutorily required | | Texas | No duty (case law) | Thapar v. Zezulka (1999); H&S Code § 611.004 permissive | No common-law duty; disclosure permitted but not required | | Virginia | No duty (case law) | Nasser v. Parker (1995) | Common-law duty narrowly construed | | Maryland | No duty (case law) | Boynton-following — no broad duty | Disclosure permitted under specific statutes | | North Carolina | No duty (case law) | Currie v. United States (1986) | Federal precedent declining duty |
A majority of states either codify the Tarasoff duty or recognize it through case law, but the contours vary materially. Washington's Volk v. DeMeerleer reads the duty more broadly than California's statutory cabin. Texas, Virginia, and a small group of states have declined to recognize a common-law third-party warning duty entirely.
Timeline
Where the duty applies, "immediate" is the operative timeline — the warning must be made in time to allow the third party (or law enforcement) to take protective action. There is no statutory hours-and-minutes window; the clinical judgment of imminence drives the response.
The discharge of the duty under CA Civ. Code § 43.92(b) requires "reasonable efforts to communicate the threat to the victim or victims and to a law enforcement agency." Reasonable efforts means good-faith attempts — leaving a voicemail when the victim does not answer plus a call to the relevant law enforcement agency typically satisfies. Some state statutes (NJ, MA) require warning to the victim, law enforcement, or both depending on circumstances.
What to report and how
The warning communication to the identifiable victim should include the existence of a threat and enough information to enable protective action — the warning need not include diagnosis or treatment history. The communication to law enforcement should include the patient identity, the nature of the threat, the identified target, and the basis for the clinical judgment of credibility.
The chart entry should document the threat as communicated by the patient (quoted), the clinical assessment of credibility, the identifiable victim or target group, the warning attempts (date, time, method, recipient), the law enforcement contact (date, time, agency, officer name), the patient's response when informed of the disclosure where applicable, and any safety planning or hospitalization assessment.
Federal vs state framework
There is no federal Tarasoff statute. The duty is entirely a state-law construct, anchored to the original California Supreme Court decision and the codifications and case law that followed in other jurisdictions.
The federal HIPAA layer permits the disclosure where the state duty triggers; it does not create the duty. 45 CFR § 164.512(j)'s "serious and imminent threat" carve-out is the federal harmonization that ensures HIPAA does not block a Tarasoff warning.
42 CFR Part 2 substance use disorder records require a separate analysis. The Part 2 medical-emergency disclosure rule at 42 CFR § 2.51 permits a Part 2 program to disclose patient identifying information to medical personnel to the extent necessary to meet a bona fide medical emergency. (Section 2.12 governs applicability of the Part 2 framework rather than the emergency carve-out itself.) Disclosure to a non-medical third-party victim from a Part 2 program generally requires patient consent or a court order — the medical-emergency exception does not, by its terms, authorize warnings to non-medical third parties.
Penalties for failure to warn
Tarasoff failure exposure is primarily civil — wrongful death and personal injury lawsuits by the victim's estate or surviving family. The original Tarasoff case itself resulted in liability against the Regents of the University of California after the murder of Tatiana Tarasoff. Recent settlements in CA, MA, and WA have run into seven figures.
Several states impose professional license discipline for failure to warn through the medical, psychology, or social work board. Criminal exposure is rare but possible in extreme cases where the failure rises to gross negligence.
In states that have rejected the duty (Texas, Virginia), the failure-to-warn case does not lie — but a malpractice case can still proceed on standard-of-care theory if the clinician's overall management of the threatening patient deviated from professional norms.
HIPAA permissible disclosure
The dispositive HIPAA carve-out for Tarasoff warnings:
- 45 CFR § 164.512(j)(1)(i) — disclosure consistent with applicable law and ethical standards to avert a serious and imminent threat to the health or safety of a person or the public, where the disclosure is to a person reasonably able to prevent or lessen the threat (including the target of the threat).
- 45 CFR § 164.512(f)(6) — disclosure to law enforcement about an individual who is suspected of being a perpetrator of a violent crime, or in connection with the apprehension of an individual.
- 45 CFR § 164.512(j)(4) — presumed-good-faith for disclosures made on the basis of actual knowledge or reasonable reliance.
The minimum-necessary standard at 45 CFR § 164.502(b) applies — disclose the threat and the necessary identifying information, not the entire treatment history.
OCR guidance on the "serious and imminent threat" carve-out confirms that the provider's good-faith determination of seriousness and imminence controls, even if subsequent events prove the threat was not carried out. The disclosure is permissible at the time the clinical judgment is made.
How d3rx fits
The d3rx compliance binder maintains the Tarasoff workflow inside the disclosure module: state-by-state duty matrix with statute and case citations, the credibility-assessment documentation template, the warning-script template for victim and law enforcement contact, the safety-planning checklist, the accounting-of-disclosures entry, and the 42 CFR Part 2 substance use disorder analysis where applicable. d3rx is an administrative documentation aid. It does not assess the clinical credibility of any threat and does not replace counsel.
D3rx compliance guides are administrative documentation aids. They do not certify compliance, provide legal advice, replace counsel, or guarantee an audit outcome. The practice remains responsible for reviewing, adopting, and maintaining its compliance program.
Step 1 · Get the binder
Get the d3rx compliance binder for your practice
Pre-filled to address the gaps this guide covers — The Tarasoff Duty to Warn: State-by-State Rules for Healthcare Providers. We will email you the section preview and your binder intake link.
No PHI required. We use your email to send the binder preview and intake link only.
Frequently asked
What's my Tarasoff duty if my patient threatens 'someone' but won't name a target?
Under California's codified Tarasoff rule at Civ. Code § 43.92, the duty triggers only when the patient communicates a 'serious threat of physical violence' against a 'reasonably identifiable victim or victims.' A non-specific threat against an unnamed person generally does not satisfy the statute. The clinical duty to protect the patient and others still requires safety planning, voluntary hospitalization assessment, and consideration of involuntary commitment criteria — but the Tarasoff third-party warning does not fire absent an identifiable target.
Does HIPAA permit me to warn a third party about my patient's threat?
Yes. HIPAA at [45 CFR § 164.512(j)(1)(i)](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.512) permits disclosure to avert a serious and imminent threat to the health or safety of a person, where the disclosure is to someone reasonably able to prevent or lessen the threat. State Tarasoff statutes are the additional 'authorized by law' anchor. 42 CFR Part 2 substance use disorder records require a separate analysis — the Part 2 medical-emergency disclosure rule lives at [42 CFR § 2.51](https://www.law.cornell.edu/cfr/text/42/2.51) and permits disclosure to medical personnel to the extent necessary to meet a bona fide medical emergency. Warning a non-medical third party from a Part 2 program's records is much narrower and generally requires patient consent or a court order.
Am I a Tarasoff reporter as a primary care physician, or only as a mental health professional?
Depends on the state. California's Civ. Code § 43.92 applies to 'psychotherapists' as defined in the Evidence Code — but that definition includes physicians providing mental health services, psychologists, LCSWs, LMFTs, LPCs, and psychiatric mental health nurses. New Jersey N.J.S.A. 2A:62A-16 takes the same approach. A few states (Nebraska, Texas in some readings) extend the duty more broadly to physicians providing general care where they learn of the threat in their professional capacity. The safer posture is to treat any clinician who learns of a credible threat as potentially within the duty.
What if my patient threatens themselves, not a third party — is that Tarasoff?
No. Tarasoff is specifically a third-party warning duty. Suicide risk runs on a separate clinical and legal track — typically governed by state mental-health-hold statutes (CA Welf. & Inst. Code § 5150, NY Mental Hygiene Law § 9.39) and the standard of care for suicide assessment. HIPAA at [45 CFR § 164.512(j)](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.512) permits disclosure to avert a serious and imminent threat to the patient themselves, supporting disclosure to family or emergency services when clinically indicated.
If I warn the third party and the patient sues me, am I protected?
In Tarasoff-adopting states, generally yes. CA Civ. Code § 43.92(b) explicitly provides that a psychotherapist who discharges the duty by making reasonable efforts to communicate the threat to the victim and to law enforcement is immune from monetary liability. NJ, MA, NE, and most codifying states have parallel immunity provisions. The immunity is generally conditioned on good-faith compliance — not on the warning being ultimately correct. Document the threat communication, the identifiable target, the warning effort, and the law-enforcement contact.
Texas rejected Tarasoff. What's my duty there?
Texas in Thapar v. Zezulka (1999) declined to recognize a common-law duty to warn third parties of patient threats. Texas Health & Safety Code § 611.004(a)(2) permits — but does not require — disclosure to medical or law enforcement personnel where there is a probability of imminent physical injury. Practically, a Texas clinician facing a credible threat to an identifiable third party should still consider HIPAA-permissible disclosure under [45 CFR § 164.512(j)](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.512) and document the clinical judgment. The absence of a statutory duty does not eliminate the standard-of-care analysis in subsequent malpractice or wrongful-death litigation.
Turn this into a review-ready binder
The Security Risk Analysis is where this guide becomes documentation you can actually hand to a reviewer — assembled into one review-ready binder. Source-grounded, citation-linked, and explicit about what it does and does not do.
Editorial process. This guide was drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and edited by the D3rx team for restraint and source fidelity. A named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged to verify citations — see the team page for status. Until that reviewer engagement is finalized, this page does not claim credentialed review.
This article is an administrative documentation aid. It does not certify compliance, provide legal advice, replace counsel, or guarantee an audit outcome. The practice remains responsible for reviewing, adopting, and maintaining its compliance program. References cited link to primary sources at HHS, OCR, CMS, the Code of Federal Regulations, NIST, and state regulators.
D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.
Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.
- 45 CFR § 164.512(j)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.512
- 45 CFR § 164.502(b)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.502
Sources verified as of May 23, 2026
This guide is a plain-English summary maintained by D3rx for healthcare practice administrators. It is not legal advice, medical advice, or accounting advice. The authoritative source is the cited regulation or agency document. Always confirm with qualified counsel before acting on a specific compliance question affecting your practice.
Related Guides
Behavioral Health Compliance: 42 CFR Part 2 + HIPAA Together
8 min readCompliance FoundationsMandatory Child Abuse Reporting for Healthcare Providers (Federal + 50-State Overview)
9 min readCompliance FoundationsDomestic Violence Reporting for Healthcare Providers: When Reports Are Required
8 min readRelated across the archive
- ComplianceDomestic Violence Reporting for Healthcare Providers: When Reports Are RequiredMost states do NOT mandate DV reporting by healthcare providers — but injury-by-weapon, child-witness, and elder-victim statutes do. State-by-state map + 45 CFR § 164.512(c).
- ComplianceMandatory Child Abuse Reporting for Healthcare Providers (Federal + 50-State Overview)Federal CAPTA + state mandates: who reports, what triggers the duty, timeline, penalties, and the 45 CFR § 164.512(b)/(c) HIPAA carve-outs that permit disclosure to CPS.
- ComplianceHIPAA Subpoena Response: Court Order vs Administrative Subpoena (45 CFR § 164.512)Court order, civil subpoena, grand-jury subpoena, DEA administrative demand — each triggers a different HIPAA response path. Identify the type before you produce a single record.
- Glossary42 CFR Part 2 (SUD Records)Federal regulation providing heightened confidentiality protection for substance use disorder treatment records.
- ComplianceNotice of Privacy Practices (NPP) Template — 2026A 2026 Notice of Privacy Practices template aligned to 45 CFR 164.520, with every required header, the post-Dobbs reproductive-health content, and CMIA/HB 300 carveouts.
- SRAHIPAA Security Rule vs Privacy Rule: A Plain-English MapWhat the Security Rule at 45 CFR Part 164 Subpart C does, what the Privacy Rule at Subpart E does, where they overlap, and which rule the SRA actually answers to.
- RegulationHIPAA Disclosures Required by Law and Public Health (45 CFR 164.512)Disclosures permitted without authorization or opportunity to agree, including public health, judicial proceedings, law enforcement, and serious threats to health or safety.
- BillingWhat to Do When a Payer Says You're UnderbillingGot a letter saying you're underbilling? Here's what it actually means, whether you should worry, and what action to take.