The Office of Civil Rights (OCR — the HIPAA People) has declared its intent to make some changes to HIPAA’s Privacy Rule. See our article here for details, if you’re so inclined.
As promised, the Person Centered Tech crew drafted and submitted some comments to help make sure the regulators know some ways that mental health clients may be impacted by their ideas.
The OCR is very interested in making the exchange of records between providers smoother and quicker. The goal is a valuable one: improve the efficiency of care coordination and case management. They proposed several ideas that have come to mind for making this process go more quickly. Most of the ideas seem to us to be positive and in line with mental health ethics and values.
One idea seemed problematic to us, however:
…Promoting information sharing for treatment and care coordination and/or case management by amending the Privacy Rule to encourage, incentivize, or require covered entities to disclose PHI to other covered entities.
(emphasis added by me)
Remember that HIPAA’s Privacy Rule already allows clinicians to release records, without clients’ prior consent, for coordination of care. That’s been the norm for several years. If a request for records from another clinician triggered a requirement that we perform the release, however, there could be problems.
Our entire set of comments for the OCR focuses on these potential problems. Please read on to see what we submitted. We hope you find it to be valuable reading.
— The below is a verbatim copy of comments that Person Centered Tech submitted regarding docket HHS-OCR-2018-0028-0001 —
Input on 2019 Proposed HIPAA Privacy Rule Changes
Submitted by: Roy Huggins, LPC NCC and Liathana Dalton of Person Centered Tech
Context and Identity of Commenters
This comment provides input regarding the needs of non-medical mental health providers by the leadership team of Person Centered Tech: Roy Huggins, LPC NCC and Liathana Dalton.
In this case, “non-medical mental health providers” refers to doctoral- and masters-level, independently licensed professionals who practice mental or behavioral health. This includes psychologists, counselors, clinical social workers, marriage and family therapists, addictions specialists, and more. In the United States, there are hundreds of thousands of such professionals in independent private practice; and even more are working in hospitals, government agencies, and integrated care settings.
Person Centered Tech has been working for 8 years to provide consulting and continuing education for the mental health community on HIPAA compliance and other topics related to Health IT.
Huggins is an Oregon Licensed Professional Counselor (License #C3375) and an adjunct instructor at Portland State University’s Department of Counselor Education where he teaches the core professional ethics course as well as an elective course on Health IT for counselors. In addition to expertise in professional ethics, Huggins has a background as a programmer and currently provides inter-professional advising to colleagues, licensing boards, and several state professional associations on issues surrounding Health IT, HIPAA, and “digital ethics.”
Dalton has worked with Person Centered Tech for 3 years and has provided consultation on Health IT issues for hundreds of mental health professionals from a variety of professions.
A high-level summary of our input:
- Required release of PHI, as described in the RFI, may open up significant risks of undesired PHI release, including abuses.
- Keeping Psychotherapy Notes, as currently defined, will probably not protect sensitive information from required releases of information.
- Authentication of the clinicians requesting PHI is difficult without ROI from the client/patient.
- Requiring mental health professionals to release PHI to other covered entities with or without the client/patient’s affirmative informed consent will create conflicts with codes of ethics and, in many cases, state laws.
- State laws may preempt any new rules requiring the release of PHI with or without client/patient consent.
- Requiring the release of records regarding couples and family therapy to other covered entities can violate individuals’ privacy rights.
- Requiring PHI release from mental health providers to other covered entities with or without the client/patient’s specific informed consent will conflict with 42 CFR part 2.
These comments are meant to provide input on the OCR’s proposal of “Promoting information sharing for treatment and care coordination and/or case management by amending the Privacy Rule to … require … covered entities to disclose PHI to other covered entities.”
It is our opinion that requiring such disclosures would create untenable ethical and logistical conflicts for mental health providers. We do believe, however, that incentivizing or smoothing the process of disclosing records, in appropriate circumstances, would be in accordance with the general ethical principles of mental health professionals in the United States.
Required release of PHI, as described in the RFI, may open up significant risks of undesired PHI release, including abuses
The RFI describes an idea of requiring clinicians to release records to coordinating clinicians. Depending on how the final requirement is written, there is a strong potential for mental health clinicians to feel compelled to release information that clients/patients do not wish to have released.
Many individuals do not want their whole distributed care team to know about their mental health treatment, although they may wish for all their providers to know about other medical issues and treatments. This suggests that omitting mental health records from any release requirement could be necessary.
In fact, a common standard for records releases among psychotherapy professionals is to suggest to the client/patient that the clinician can write a letter describing the client/patient’s case and the progress of care in lieu of a verbatim release of the client/patient’s mental health treatment records. This is intended to allow clients/patients more control over what is released. As many mental health clinicians say, “The client’s story is theirs to tell.” This principle extends into how many mental health professionals manage the release of records to coordinating providers.
What’s more, an individual or organization with the necessary status to request records from a mental health clinician could potentially abuse their position in order to obtain information about an individual’s mental health status and history. This also suggests that omitting mental health records from any release requirement could be necessary.
Keeping Psychotherapy Notes, as currently defined, will probably not protect sensitive information from required releases of information
Although the Privacy Rule allows mental health professionals to keep certain kinds of records, called Psychotherapy Notes, separate from the client/patient record, and these notes are generally not subject to release of records requirements (with certain exceptions), we believe that Psychotherapy Notes as they are currently defined will not provide relief from the conflicts described in these comments.
First, the kinds of information that must be included in the designated record set for mental health treatment still fall under the protection of professional ethics codes, laws of numerous states, and 42 CFR Part 2 as described below.
Second, it is our anecdotal experience from working with hundreds of mental health professionals that such professionals rarely keep Psychotherapy Notes (as they are defined in the Privacy Rule.) This is because such notes are still subject to required disclosure by courts and other authorities and therefore it may be risky to the welfare of clients/patients to maintain them; and because knowledge of HIPAA’s rules for how to keep Psychotherapy Notes is poor amongst mental health professionals.
Third, we have heard many reports from mental health professionals we consult with that popular EHR systems used in hospitals (in the Pacific Northwest region, at least) are configured to provide separated data entry spaces for psychiatrists to enter Psychotherapy Notes but not for most other mental health professionals. Also, most popular practice management systems used by mental health professionals do not provide separated data entry spaces in which to enter Psychotherapy Notes.
Authentication of the clinicians requesting PHI is difficult without ROI from the client/patient
When a request for records is received from coordinating clinicians, a vital security protocol is to authenticate the requester as both the party they claim to be and as an actual clinician serving the individual for whom they are requesting records.
Outside of circumstances where coordination of care is already established, and thus ROI would likely be already executed, the most reliable and responsible method of authenticating the requesting party is to ask the client/patient, “Are you receiving care from this clinician and do you want me to send them your records?”
Any covered entity must be cautious about releasing records to unauthenticated parties. Mental health clinicians must also consider the increased risk of stigma or harm that may arise from the unauthorized disclosure of PHI.
Required release of PHI can conflict with professional ethics and state law
The default assumption across mental health professions is that we do not release records without client consent, except where the law requires it for the protection of the client or a vulnerable population, e.g. for reporting of child abuse. In the References below, we have included relevant citations (in alphabetical order) from the professional codes of ethics of the American Association for Marriage and Family Therapy (AAMFT)(1), the American Counseling Association (ACA)(2), the American Psychological Association (APA)(3), and the National Association of Social Workers (NASW)(4). We assert that parallel citations may also be found in the codes of ethics for a wide variety of mental and behavioral health professionals.
Presently, HIPAA’s Privacy Rule permits the disclosure of PHI, without the client/patient’s informed consent, for coordination of care. Despite this fact, mental health professionals generally recognize an ethical duty to acquire some form of consent from the individual, if not an authorization for release of information, before performing such disclosures. Providers may choose to go ahead with such disclosures without client/patient consent if it is in the specific, time-sensitive interests of the client and the client is unavailable or unable to provide consent. That is an exception to the ethical rule, however.
While all the cited ethics codes state that client/patient consent for disclosures is not required when the disclosure is required by law, that is generally intended to cover the typical limits to confidentiality such as mandated reporting of potential harm to vulnerable populations or the protection of the client or other individuals from harm. It is our opinion that if disclosures of PHI to other covered entities become required with or without client consent, that will conflict with the intent of the ethical codes. We also believe that non-compliance by mental health professionals with such a requirement would be somewhat high.
In addition, many state licensing boards require that licensees acquire client/patient informed consent before disclosing their information (except where confidentiality is limited by state laws, as stated above.) This requirement is generally written into the licensing boards’ administrative rules. Many licensing boards, especially psychology and social work licensing boards, also adopt the codes of ethics of their professional associations into administrative rule. So for these clinicians, the code of ethics is also state law.
What’s more, those state laws provide privacy rights more stringent than those provided by HIPAA to the clients/patients of these licensees. As such, they may preempt changes to the HIPAA Privacy Rule which require releases of information with or without client/patient consent.
Required release of PHI can violate privacy of individuals in family and couples therapy contexts
When releasing records of couple or family therapy sessions, consent for all individuals involved must be acquired. (For one example, see section 2.3 of the AAMFT Code of Ethics, below.)
Imagine a situation where a marriage and family clinician who serves a couple or family receives a request for records from a fellow clinician who is serving an individual member of that couple or family. The marriage and family clinician would normally be required to get consent for such a records release from all members of the couple or family who are competent to give consent.
If such a release becomes required by the HIPAA Privacy Rule, but not all family members consent to the release, how should the marriage and family clinician resolve this conflict?
Bear in mind that the marriage and family clinician’s requirement for consent from all parties may come from state law.
Required release of PHI by mental health providers without specific consent can violate 42 CFR part 2
42 CFR Part 2 restricts the disclosure of certain types of health information without specific consent from clients/patients. Mental health information and substance use treatment information, among other types of health information, are protected by 42 CFR Part 2.
We hope that when the OCR updates HIPAA’s Privacy Rule, you bear in mind that PHI handled by mental health professionals almost universally falls under the more restrictive protection of 42 CFR Part 2.
(1) American Association for Marriage and Family Therapy Code of Ethics
2.2 Written Authorization to Release Client Information.
Marriage and family therapists do not disclose client confidences except by written authorization or waiver, or where mandated or permitted by law. Verbal authorization will not be sufficient except in emergency situations, unless prohibited by law. When providing couple, family or group treatment, the therapist does not disclose information outside the treatment context without a written authorization from each individual competent to execute a waiver. In the context of couple, family or group treatment, the therapist may not reveal any individual’s confidences to others in the client unit without the prior written permission of that individual.
2.3 Client Access to Records.
Marriage and family therapists provide clients with reasonable access to records concerning the clients. When providing couple, family, or group treatment, the therapist does not provide access to records without a written authorization from each individual competent to execute a waiver…
2.7 Confidentiality in Consultations.
Marriage and family therapists, when consulting with colleagues or referral sources, do not share confidential information that could reasonably lead to the identification of a client, research participant, supervisee, or other person with whom they have a confidential relationship unless they have obtained the prior written consent of the client, research participant, supervisee, or other person with whom they have a confidential relationship. Information may be shared only to the extent necessary to achieve the purposes of the consultation.
(2) American Counseling Association Code of Ethics
B.1.c. Respect for Confidentiality
Counselors protect the confidential information of prospective and current clients. Counselors disclose information only with appropriate consent or with sound legal or ethical justification.
B.2.a. Serious and Foreseeable Harm and Legal Requirements
The general requirement that counselors keep information confidential does not apply when disclosure is required to protect clients or identified others from serious and foreseeable harm or when legal requirements demand that confidential information must be revealed…
B.2.d. Court-Ordered Disclosure
When ordered by a court to release confidential or privileged information without a client’s permission, counselors seek to obtain written, informed consent from the client or take steps to prohibit the disclosure or have it limited as narrowly as possible because of potential harm to the client or counseling relationship.
B.2.e. Minimal Disclosure
To the extent possible, clients are informed before confidential information is disclosed and are involved in the disclosure decision-making process. When circumstances require the disclosure of confidential information, only essential information is revealed.
(3) American Psychological Association Ethical Principles of Psychologists and Code of Conduct
(a) Psychologists may disclose confidential information with the appropriate consent of the organizational client, the individual client/patient, or another legally authorized person on behalf of the client/patient unless prohibited by law.
(b) Psychologists disclose confidential information without the consent of the individual only as mandated by law, or where permitted by law for a valid purpose such as to (1) provide needed professional services; (2) obtain appropriate professional consultations; (3) protect the client/patient, psychologist, or others from harm; or (4) obtain payment for services from a client/patient, in which instance disclosure is limited to the minimum that is necessary to achieve the purpose. (See also Standard 6.04e, Fees and Financial Arrangements.)
When consulting with colleagues, (1) psychologists do not disclose confidential information that reasonably could lead to the identification of a client/patient, research participant, or other person or organization with whom they have a confidential relationship unless they have obtained the prior consent of the person or organization or the disclosure cannot be avoided, and (2) they disclose information only to the extent necessary to achieve the purposes of the consultation. (See also Standard 4.01, Maintaining Confidentiality.)
(4) National Association of Social Workers Code of Ethics
1.07 Privacy and Confidentiality
(b) Social workers may disclose confidential information when appropriate with valid consent from a client or a person legally authorized to consent on behalf of a client.
(e) Social workers should discuss with clients and other interested parties the nature of confidentiality and limitations of clients’ right to confidentiality. Social workers should review with clients circumstances where confidential information may be requested and where disclosure of confidential information may be legally required. This discussion should occur as soon as possible in the social worker-client relationship and as needed throughout the course of the relationship.
(h) Social workers should not disclose confidential information to third-party payers unless clients have authorized such disclosure.
(j) Social workers should protect the confidentiality of clients during legal proceedings to the extent permitted by law. When a court of law or other legally authorized body orders social workers to disclose confidential or privileged information without a client’s consent and such disclosure could cause harm to the client, social workers should request that the court withdraw the order or limit the order as narrowly as possible or maintain the records under seal, unavailable for public inspection.