PRIVACY RULES (HIPAA) by Karen Jordan
I recently completed the 12-week Family-to-Family basic course. The information and discussion was just what I needed. The personal stories shared by participants were both encouraging and discouraging. There are many loving, caring families of Persons with Mental Health Problems (PWMHP); many PWMHP undiagnosed and untreated in Oklahoma; few accessible, affordable, appropriate providers and facilities; and many families and caregivers left out of the care planning process when treated is provided. I know from professional and personal experience how frustrating, and dangerous, it is when the caregiver is not recognized as an essential member of the treatment and recovery process.
As a geriatric nurse specializing in dementia care, I see HIPAA regulations applied inappropriately in many settings. Sometimes the elder's rights to privacy and autonomy are ignored by well-meaning adult children and providers when discharging the elder from a hospital or transferring the elder to an extended care facility. Adult children who are long-distance caregivers depend on extended family, friends, and hired companions for first-hand information about the elder's well-being. When my dad was taken by ambulance to the emergency room 5 hours away, I was told that information about his presence or status could not be given to me "because of HIPAA". At that point, I knew enough to ask, "Is the crash cart in use in Mr. _____'s treatment room?" That is when I communicated his advance directive information to the attending physician.
This article hopes to clarify the use of HIPAA rules when related to mental health conditions and family/caregivers. NAMI uses the terms family member and caregiver interchangeably to refer to someone giving emotional, financial or practical support to a person with a mental health condition. Whether you're providing a lot of assistance or very little, the information here can help you better understand the issues that you might face.
This article is a summary of content from the department of health and human services office of civil rights webpage. (www.hhs.gov/ocr/privacy/hipaa). Persons with Mental Health Disorders and their caregivers have civil rights, even in acute and chronic situations.
The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule provides consumers with important privacy rights and protections with respect to their health information, includingimportant controls over how their health information is used and disclosed by health plans and health care providers. The Rule is carefully balanced to allow uses and disclosures of information—including mental health information—for treatment and other purposes with appropriate protections. This article addresses some frequently asked questions about when a health care provider should share information of a PWMHD.
Please note, there is a difference between HIPAA giving permission for a provider to share health information and HIPAA requiringproviders to disclose information in specific situations. Providers who are subject to more stringent privacy standards under other laws, such as certain state confidentiality laws would need to consider whether there is a similar disclosure permission under those laws that would apply in the circumstances.
I hope this article is helpful. I welcome your comments and suggestions for future topics.
• Questions and Answers about HIPAA and Mental Health
1. Does HIPAA allow a health care provider to communicate with a patient’s family, friends, or other persons who are involved in the patient's care?
Yes. The provider may
a) ask the patient’s permission to share relevant information with family members or others,
b) tell the patient he/she plans to discuss the information and give an opportunity to agree or object,
c) infer from the circumstances that the patient does not object.
A common example of the latter would be situations in which a family member or friend is invited by the patient and present in the treatment room with the patient and the provider when a disclosure is made.
If the patient is not present or is incapacitated, a health care provider may share information when the health care provider determines that doing so is in the best interests of the patient. The health care provider must be reasonably sure that the patient asked the person to be involved in his or her care.
In all cases, disclosures to family members, friends, or other persons involved in the patient’s care or payment for care are to be limited to only the protected health information directly relevant to the person’s involvement in the patient’s care or payment for care.
2. Does HIPAA provide extra protections for mental health information compared with other health information?
No. One exception to this general rule is for psychotherapy notes, which receive special protections. The Privacy Rule defines psychotherapy notes as notes recorded by a mental health professional documenting or analyzing the contents of a conversation during a private counseling session or a group, joint, or family counseling session and that are separate from the rest of the patient’s medical record. Psychotherapy notes do not include any information about medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, or results of clinical tests; nor do they include summaries of diagnosis, functional status, treatment plan, symptoms, prognosis, and progress to. Psychotherapy notes also do not include any information that is maintained in a patient’s medical record.
A notable exception exists for disclosures required by other law, such as for mandatory reporting of abuse, and mandatory “duty to warn” situations regarding threats of serious and imminent harm made by the patient (State laws vary as to whether such a warning is mandatory or permissible).
3. Is a health care provider permitted to discuss an adult patient’s mental health information with the patient’s parents or other family members?
Yes. If the patient does not object. Refer to Question #1.
In all cases, the health care provider may share or discuss only the information that the person involved needs to know about the patient’s care or payment for care. It is important to remember that other applicable law (e.g., State confidentiality statutes) or professional ethics may impose stricter limitations on sharing personal health information, particularly where the information relates to a patient’s mental health.
4. Can the provider disclose information when a patient is experiencing temporary psychosis or is intoxicated does not have the capacity to agree or object to a health care provider sharing information with a family member, but the provider believes the disclosure is in the patient’s best interests?
YES. When a patient is not present or is unable to agree or object to a disclosure due to incapacity or emergency circumstances, the provider may determine whether disclosing a patient’s information to the patient’s family, friends, or other persons involved in the patient’s care or payment for care, is in the best interests of the patient. Circumstances many include when a person is suffering from temporary psychosis or is under the influence of drugs or alcohol. In making this determination about the patient’s best interests, the provider should take into account the patient’s prior expressed preferences regarding disclosures of their information, if any, as well as the circumstances of the current situation. Once the patient regains the capacity to make these choices for herself, the provider should offer the patient the opportunity to agree or object to any future sharing of her information.
5. If a health care provider knows that a patient with a serious mental illness has stopped taking a prescribed medication, can the provider tell the patient’s family members?
YES. If the provider believes that the patient does not have the capacity to agree or object to sharing the information at that time, and that sharing the information would be in the patient’s best interests, the provider may tell the patient’s family member. In either case, the health care provider may share or discuss only the information that the family member involved needs to know about the patient’s care or payment for care.
If the patient objects to the provider sharing information, the provider may share the information if the provider has a good faith belief that the patient poses a threat to the health or safety of the patient or others, and the family member is reasonably able to prevent or lessen that threat. However, absent a good faith belief that the disclosure is necessary to prevent a serious and imminent threat to the health or safety of the patient or others, the doctor must respect the wishes of the patient with respect to the disclosure.
6. Can a minor child’s doctor talk to the child’s parent about the patient’s mental health status and needs?
YES, NO, MAYBE. With respect to general treatment situations, a parent, guardian, or other person acting in loco parentis usually is the personal representative of the minor child, and a health care provider is permitted to share patient information with a patient’s personal representative under the Privacy Rule. However, the Privacy Rule contains several important exceptions to this general rule. A parent is not treated as a minor child’s personal representative when:
• State or other law does not require the consent of a parent or other person before a minor can obtain a particular health care service, the minor consents to the health care service, and the minor child has not requested the parent be treated as a personal representative;
• Someone other than the parent is authorized by law to consent to the provision of a particular health service to a minor and provides such consent;
• A parent agrees to a confidential relationship between the minor and a health care provider with respect to the health care service. For example, if State law provides an adolescent the right to obtain mental health treatment without parental consent, and the adolescent consents to such treatment, the parent would not be the personal representative of the adolescent with respect to that mental health treatment information.
A parent also may not be a personal representative if there are safety concerns. Regardless, the Privacy Rule defers to State or other applicable laws that expressly address the ability of the parent to obtain health information about the minor child. In situations where a minor patient is being treated for a mental health disorder and a substance abuse disorder, additional laws may be applicable. The Federal confidentiality statute and regulations that apply to federally-funded drug and alcohol abuse treatment programs contain provisions that are more stringent than HIPAA.
7. Does a parent have a right to receive a copy of psychotherapy notes about a child’s mental health treatment?
No, copy to parents. It does not provide a right of access to psychotherapy notes, which the Privacy Rule defines as notes recorded by a health care provider who is a mental health professional documenting or analyzing the contents of a conversation during a private counseling session or a group, joint, or family counseling session and that are separate from the rest of the patient’s medical record. Parents are able to receive a copy of their child’s mental health information contained in the medical record, including information about diagnosis, symptoms, treatment plans, etc.
Yes, permission to copy to patient. HIPAA generally gives providers discretion to disclose the individual’s own protected health information (including psychotherapy notes) directly to the individual or the individual’s personal representative. As any such disclosure is purely permissive under the Privacy Rule, mental health providers should consult applicable State law for any prohibitions or conditions before making such disclosures.
8. What options do family members of an adult patient with mental illness have if they are concerned about the patient’s mental health and the patient refuses to agree to let a health care provider share information with the family?
HIPAA in no way prevents health care providers from listening to family members or other caregivers who may have concerns about the health and well-being of the patient, so the health care provider can factor that information into the patient’s care.
In the event that the patient later requests access to the health record, any information disclosed to the provider by another person who is not a health care provider that was given under a promise of confidentiality (such as that shared by a concerned family member), may be withheld from the patient if the disclosure would be reasonably likely to reveal the source of the information. This exception to the patient’s right of access to protected health information gives family members the ability to disclose relevant safety information with health care providers without fear of disrupting the family’s relationship with the patient.
9. Does HIPAA permit a doctor to contact a patient’s family or law enforcement if the doctor believes that the patient might hurt herself or someone else?
Yes. The Privacy Rule permits a health care provider to disclose necessary information about a patient to law enforcement, family members of the patient, or other persons, when the provider believes the patient presents a serious and imminent threat to self or others. The scope of this permission is described in a letter to the nation’s health care providers issued on January 15, 2013. http://www.hhs.gov/ocr/office/lettertonationhcp.pdf.
10. If a law enforcement officer brings a patient to a hospital or other mental health facility to be placed on a temporary psychiatric hold, and requests to be notified if or when the patient is released, can the facility make that notification?
YES. A facility may disclose specified health information in response to a law enforcement official’s request, for the purpose of locating or identifying a suspect, fugitive, material witness, or missing person. However, a facility may not disclose information related to DNA or DNA analysis, dental records, or typing, samples, or analysis of body fluids or tissue. The law enforcement official’s request may be made orally or in writing.
The Privacy Rule permits a covered health care provider to disclose a patient’s protected health information to avert a serious and imminent threat to the health or safety of the patient or others. Such disclosures may be to law enforcement authorities or any other persons, such as family members, who are able to prevent or lessen the threat.
11. If a doctor believes that a patient might hurt himself or herself or someone else, is it the duty of the provider to notify the family or law enforcement authorities?
YES. This is called “duty to warn”. HIPAA permits the provider to warn the appropriate person(s) of the threat, consistent with his or her professional ethical obligations and State law requirements. In addition, even where danger is not imminent, HIPAA permits a provider to communicate with a patient’s family members, or others involved in the patient’s care, to be on watch or ensure compliance with medication regimens, as long as the patient has been provided an opportunity to agree or object to the disclosure and no objection has been made.
12. Does HIPAA prevent a school administrator, or a school doctor or nurse, from sharing concerns about a student’s mental health with the student’s parents or law enforcement authorities?
No. Parents generally are presumed to be the personal representatives of their unemancipated minor child so designated persons may disclose the minor’s protected health information to a parent. In addition, disclosures to prevent or lessen serious and imminent threats to the health or safety of the patient or others are permitted for notification to those who are able to lessen the threat, including law enforcement, parents or others, as relevant. Student health information held by a school generally is subject to the Family Educational Rights and Privacy Act (FERPA), not HIPAA. HHS and the Department of Education have developed guidance clarifying the application of HIPAA and FERPA. http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/hipaaferpajointguide.pdf.
If you have additional questions or suggestions for purposes of informing future guidance, send an e-mail to OCRPrivacy@hhs.gov and FERPA@ed.gov.