The HIPAA Privacy Rule permits providers to handle protected health information (PHI) of mental health patients in much the same way as providers handle PHI for patients with other ailments according to guidance from the U.S. Department of Health and Human Services (HHS).
On February 20, 2014, HHS released new guidance on how the Privacy Rule protects patients’ rights to mental health information and in what circumstances the Privacy Rule allows providers to communicate with others, including friends and family members. According to HHS, the new guidance addresses some of the more frequently asked questions regarding mental health information and the Privacy Rule. The new guidance is generally consistent with HHS’s previous guidance concerning communication with patients and families. HHS notes that except for “psychotherapy notes” (personal notes of a therapist), the Privacy Rule gives the same protection to all PHI, including mental health records.
Providers and other HIPAA covered entities should keep in mind that the latest HHS guidance does not affect obligations that may arise under stricter state or federal statutes and regulations governing behavioral health (including mental health and substance abuse) records or information. For example, the stricter requirements of federal rules governing release of substance abuse information (42 C.F.R. Part 2) and similar state laws still apply and may not allow the disclosures HHS describes in its latest guidance.
The new HHS guidance provides answers to eight questions, including clarification regarding when HIPAA permits health care providers to:
-
Communicate with patient’s family, friends or other involved in a patient’s care:
HIPAA allows providers to talk with persons involved in a patient’s care if the patient had had a chance to object and does not do so. The new HHS guidance confirms that this is also true for mental health patients. Of course, if the patient does object, such communication should cease. According to HHS, if the patient is incapacitated, a provider may still share information if, in the provider’s professional judgment, doing so is in the patient’s best interests. HHS cautions that disclosures must be limited to PHI “directly relevant” to the person’s involvement in care or payment.
-
Communicate with the parent of a patient who is a minor:
The guidance notes that the Privacy Rule typically defers to state law regarding who is a minor patient’s authorized representative and under what circumstances a minor may consent to treatment and authority to prevent a parent from accessing PHI. Absent state law restrictions, a provider generally may communicate with parents or other authorized representatives. In situations where a parent might not be an authorized representative, HHS notes that providers may still have discretion to communicate with the parent if doing so is consistent with state law and the decision is made by a licensed professional exercising professional judgment. However, neither parents nor patients have the right to see or obtain “psychotherapy notes.”
-
Involve a patient’s family members, friends, or others in dealing with patient failures to adhere to medication or other therapy:
As long as the patient does not object, a provider may share or discuss the patient’s mental health information. However, the information should be limited to the information that the family member involved needs to know about the patient’s care or payment for care.
If a provider believes a patient does not have capacity to object, the provider may share information if the provider believes, based on professional judgment, that sharing information is in the patient’s best interest.
If the patient objects, providers generally may not share absent circumstances involving a good faith belief that the disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of the patient or others.
-
Listen to family members about their loved ones receiving mental health treatment:
HIPAA does not prevent a health care provider from listening to family members – or other caregivers who may have concerns about the health and well-being of the patient – to enable the health care provider to factor such information into the patient’s care.
-
Communicate with family members of an adult patient if the patient objects to the disclosure:
The HIPAA Privacy Rule permits a health care provider to disclose information to family members of an adult patient who objects to the disclosure only to the extent that the provider perceives a serious and imminent threat to the health or safety of the patient or others and the family members are in a position to prevent or lessen the threat. In all other situations, the provider must respect the patient’s wishes.
-
Communicate with family members, law enforcement, or others when the patient presents a serious and imminent threat of harm to self or others:
The new guidance reiterates advice that HHS has given before: when the provider believes a patient presents a serious and imminent threat to self or others, the Privacy Rule permits a health care provider to disclose necessary information about a patient to law enforcement, family members of a patient, or other persons whom the provider believes are reasonably able to prevent or lessen the threat.
HHS issued a letter to health care providers on January 15, 2013 on this subject. To read the HHS letter and for a more in depth discussion on this subject, please see the von Briesen health blog post available here.
-
Communicate to law enforcement:
The guidance indicates that a provider generally may communicate the date and time of admission and discharge in response to a law enforcement official’s oral or written request, for the purpose of locating or identifying a suspect, fugitive, material witness, or missing person. In this situation, a covered entity may disclose the following information: name and address; date and place of birth; social security number; blood type and rh factor; type of injury; date and time of treatment (includes date and time of admission and discharge) or death; and a description of distinguishing physical characteristics (such as height and weight). However, a provider may not disclose any information related to DNA or DNA analysis, dental records, or typing, samples, or analysis of body fluids or tissue. The law enforcement official’s request may be made orally or in writing.
Other Privacy Rule provisions also may be relevant depending on the circumstances, such as where a law enforcement official is seeking information about a person who may not be a suspect, fugitive, material witness, or missing person, or needs PHI not permitted under the above provision. For example, a provider is permitted to respond to an administrative request from a law enforcement official, such as an investigative demand for a patient’s PHI, provided the administrative request includes or is accompanied by a written statement specifying that the information requested is relevant, specific and limited in scope, and that de-identified information would not suffice in that situation.
The Privacy Rule also permits providers to respond to court orders and court-ordered warrants, and subpoenas and summonses issued by judicial officers and to make disclosures required by state law.