HIPAA and Mental Health Records: Why Healthcare Providers Must Know the Law
by Wendy Hoke
What is HIPAA?
The Health Insurance Portability and Accountability Act, commonly known as HIPAA, gives consumers certain privacy protections and rights regarding their health information, and this includes mental health information. Congress enacted HIPAA in 1996; however, its Privacy Rule that governs specific identifiable health information became effective in 2001. The Privacy Rule sought to create a balance between allowing the sharing of health information to ensure quality treatment and protecting a patient’s privacy.
How Does HIPAA Apply to Patients with Mental Health Disorders?
Typically, a patient has a right to review, inspect and receive copies of medical records, except psychotherapy notes. HIPAA says psychotherapy notes are those recorded by a mental health professional who is analyzing or documenting the contents of a conversation that took place during a private counseling session, or a joint, group or family counseling session. These notes remain separate from the billing and medical records and cannot be made available for review or inspection by the patient. The Privacy Rule significantly limits the provider from disclosing notes to others without the patient’s authorization. This includes disclosures to family members or other health care providers.
This does not mean the information about a patient’s mental health cannot be divulged to other health care providers, family members or insurance companies. The constraints on psychotherapy notes do not exclude the release of information on medications, counseling session stop and start times, monitoring, the frequency and type of treatment, summaries of diagnosis, results of clinical tests, treatment plans, prognosis, symptoms, functional status, and progress to date.
What About Disclosure of Information to Others?
HIPAA regards the release of information to family members that same way, regardless of the situation or health condition of the patient. The law allows a mental healthcare provider to discuss or share a patient’s mental health information with family only if the patient does not object. If the patient objects, the provider is under an ethical and legal duty to comply with the desires of the patient.
Even with express authorization from the patient, the provider may share or discuss only information to the extent that a family member must know to assist with care or pay for care. The exception is if the patient specifically authorizes the release of additional information.
For instance, a provider may share a patient’s medication plan to ensure compliance for treatment of schizophrenia; however, the therapist could not share private conversations between the patient and therapist relating to the patient’s symptoms, such as auditory or visual delusions experienced by the patient.
How a Provider may Approach Privacy
An effective way to approach medical records in relation to HIPAA is to compare it to the many safety precautions doctors already take within a clinical care setting, such washing hands and surgical preparations (gloves, cleansing, gown, mask and sharps disposal). These represent universal precautions taken with all patients, regardless of any condition they may present with.
There may be situations that call for greater protection. For instance, if a patient has tuberculosis, a different kind of mask is required, in addition to double gloves and a face shield. In the same way, mental health records require greater care, greater protections. The reason is the subjective and sensitive nature of the information recorded therein.
With very few exceptions, the HIPAA Privacy Rule allows the patient and an authorized person to “review, inspect, and receive a copy of the medical records and billing records that are held by health plans and healthcare providers covered by the Privacy Rule.” As noted above, psychotherapy notes taken by a mental healthcare provider during a conversation relating to treatment of the patient “are kept separate from the patient’s medical and billing records.” Specific portions of the regulations related to psychotherapy records are 45 C.F.R. §§ 164.508, 164.524, and 164.526.
Section 164.524 addresses the access to a patient’s protected health information (PHI). While most of the information within the records can be obtained and reviewed, the exceptions for psychotherapy notes also include information that may be compiled in for use in, or in reasonable anticipation of, a criminal, civil, or administrative proceeding.
Section 168.508(a)(2) addresses the authorization requirements for the use of the psychotherapy notes. While the notes must be kept separate from the other records, they can be used to “to carry out treatment, payment, or healthcare operations,” and they can be used internally for legal proceedings or training purposes.
With the higher penalties associated with the HIPAA law, healthcare providers, business associates, subcontractors and other entities must use precautions. A breach of mental health information could cause harm to the patient whose PHI is released, and in turn, the healthcare provider could face increased civil or criminal penalties.