Those of us trained as providers of mental health services have been indoctrinated about the need to maintain the privacy of our patients. Unfortunately, changes in law and in rules mean that the way in which we were trained may no longer fit the realities on the ground. It is essential that you stay up-to-date on the requirements of your state (especially if those requirements are more stringent than HIPAA) and on the requirements of HIPAA for protecting the privacy of your patients.
The Office of Civil Rights (OCR) and Health and Human Services (HHS) has issued Guidance regarding the HIPAA Privacy Rule and Mental Health information. This is information you will want to read. The Department specifically addressed issues that are directly pertinent to behavioral health providers of every ilk.
In this guidance, we address some of the more frequently asked questions about when it is appropriate under the Privacy Rule for a health care provider to share the protected health information of a patient who is being treated for a mental health condition. We clarify when HIPAA permits health care providers to:
- Communicate with a patient’s family members, friends, or others involved in the patient’s care;
- Communicate with family members when the patient is an adult;
- Communicate with the parent of a patient who is a minor;
- Consider the patient’s capacity to agree or object to the sharing of their information;
- Involve a patient’s family members, friends, or others in dealing with patient failures to adhere to medication or other therapy;
- Listen to family members about their loved ones receiving mental health treatment;
- Communicate with family member, law enforcement, or others when the patient presents a serious and imminent threat of harm to self or others; and
- Communicate to law enforcement about the release of a patient brought in for an emergency psychiatric hold.
The Question & Answer format is a helpful way to quickly review the relevant information. You might take particular note of the section on the protection of psychotherapy notes. Some providers have chosen to believe that any note they write about the psychotherapy provided is protected and that they do not have to release such information when it is requested. This Guidance spells out what this does NOT mean. In other words, it specifies all the information that is not a ‘psychotherapy note’ for the purposes of the rule. You might be surprised to find, for instance, that symptoms, prognosis and progress to date cannot be considered part of the psychotherapy note.
Psychotherapy notes do not include any information about medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, or results of clinical tests; nor do they include summaries of diagnosis, functional status, treatment plan, symptoms, prognosis, and progress to date. Psychotherapy notes also do not include any information that is maintained in a patient’s medical record.
Reading this new Guidance is the easiest way for you to quickly review just what your responsibilities are under HIPAA and HITECH for maintaining patient privacy. Do take a look when you get a chance, and feel free to share your comments below.