- HIPAA Guidelines on Mental Health
- Congressional Bills Currently Under Discussion
- Maintaining HIPAA Compliant Technology
HIPAA compliance is fundamental for healthcare companies and the business associates who handle their patient information, but mental health is a special case.
Specific considerations for mental health include:
- Determining what is acceptable in terms of informing caregivers and family
- Figuring out how records can be transferred to other practices
- Understanding whether sharing between providers is allowable.
HIPAA Guidelines on Mental Health
HIPAA discusses the requirements of covered entities related to mental health records. This information is often especially sensitive compared to other health data.
The federal regulations are designed to maintain security and privacy of information but to also aim for transparency when appropriate. The HIPAA Privacy Rule states that covered entities can discuss mental health issues directly with loved ones and professionals caring for the patient.
According to the mental-health guidance on the HIPAA site, mental health facilities can ask the patient if it is okay to communicate particular details to people involved in their daily care. Doctors can also inform the patient that they are going to make disclosures, allowing them a chance to say that it’s unacceptable. Another option is that they can “infer from the circumstances, using professional judgment, that the patient does not object,” states the HHS guidelines. “A common example of the latter would be situations in which a family member or friend is invited by the patient and present in the treatment room with the patient and the provider when a disclosure is made.”
It’s also permissible for a covered entity to reveal mental-health details when the patient is absent or unconscious – as long as the patient’s best interests remain the top priority. Also, it’s only acceptable to relay information that specifically applies to the third party’s involvement in billing or the care continuum.
Now, for the most part, mental health and physical health are treated the same under the law. But notes from mental therapy sessions are given specific focus in the regulations.
Notes taken during psychotherapy sessions are considered to be in a different category from the rest of mental health records for two reasons, according to the HHS: “both because they contain particularly sensitive information and because they are the personal notes of the therapist that typically are not required or useful for treatment, payment, or health care operations purposes, other than by the mental health professional who created the notes.”
Healthcare organizations have to get authorization signed for any disclosure of these notes – except for cases in which other laws demand their disclosure, as when the patient admits to harming someone or makes threatening statements. The specific rule is that healthcare providers generally can’t give any information to relatives or caregivers that the patient does not want them to have, but they can do so if there is an imminent threat that third parties might help to mitigate.
Similarly, it’s okay for covered entities to listen to the perspectives of family and others to better design treatment plans. Notes related to those additional perspectives are protected within the law as well.
“[A]ny information disclosed to the provider by another person who is not a health care provider that was given under a promise of confidentiality … may be withheld from the patient if the disclosure would be reasonably likely to reveal the source of the information,” states the HHS.
Congressional Bills Currently Under Discussion
As of June 2015, two bills being discussed in US Congress could change how mental health is handled. First, the Including Families in Mental Health Recovery Act is intended to make it more clear when it’s acceptable to share information and provides $30 million of funds to train relevant parties on what sharing is allowable under HIPAA.
Second, the proposed objective of the Helping Families in Mental Health Crisis Act is to clarify that it’s okay to share protected health information when specific parameters are met:
- The information that is disclosed is related specifically to diagnosis; courses of treatment; setting dates for visits; or pharmaceuticals and directions for their use. No mental therapy notes can be included.
- Sharing the information is critical to safeguard the patient or others.
- Sharing will be helpful in the care the patient receives for additional illnesses.
- It will improve consistency and quality throughout the care continuum.
- Failing to disclose the details could lead to additional health problems.
- Due to the mental condition, the patient is unable to grasp to the doctor’s instructions or could suffer disability if the treatment isn’t completed.
Keep in mind that, as of this writing, both of the above are still moving their way through the congressional process.
“Until any changes are made final,” explained HIT writer Elizabeth Snell, “healthcare providers must keep themselves educated on how to maintain HIPAA compliance while caring for patients being treated for mental health conditions.”
Maintaining HIPAA Compliant Technology
Obviously much of the concern about mental health, as discussed above, has to do with whether or not it’s okay to communicate information to additional parties. Determining what parties have access to information is just one element of the law. The core concern with information itself is the security of IT systems.
That’s our specialty. Our HIPAA compliance-ready solutions provide secure cloud and data center hosting practices to help healthcare providers achieve HIPAA compliance.
By Kent Roberts