Understanding Fundamentals of the HIPAA Privacy Rule
The Privacy Rule under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), promulgated by the Department of Health and Human Services (HHS), went into effect in April 2003. The Privacy Rule sets standards for when and how to disclose patient information to third parties. It also defines patients’ rights to access and control their own health information.
The Privacy Rule is distinguishable from the HIPAA Security Rule in several respects. While the Privacy Rule focuses on intentional disclosures of patient information, the Security Rule (which went into effect in 2005) focuses on managing the risk that patient information will unintentionally or maliciously become disclosed, altered, or destroyed. The Security Rule is also distinct in that it applies only to electronic protected health information (PHI), while the Privacy Rule applies to all forms of health information (paper, electronic, and oral). Thus, the Security Rule applies primarily to mental health practitioners who transmit or store patient information electronically.
Some aspects of the Privacy Rule were, or will eventually be, modified by The HIPAA Final Omnibus Rule (Final Rule) regulations issued in January 2013. The Final Rule has a September 23, 2013. The Rule was the latest of a series of regulations issued under the regulations under the Health Information Technology for Economic and Clinical Health (HITECH) Act of February 2009. Further information on the Final Rule changes and how to comply with them is available on the second Web site listed in the references and resources section at the end of this chapter. That Web site, as well as the others listed, provides more detailed information regarding the Privacy Rule and compliance with the rule.
The Privacy Rule, or at least the issues around it, will likely change further as the health care world increasingly adopts electronic health records and systems allowing for a freer exchange of health information. This will affect the operation of the Rule in ways (p. 666) not contemplated when it first became effective in 2003.
Who Must Comply?
HIPAA and the Privacy Rule apply to “covered entities,” a category that includes health plans, health care clearinghouses, and certain health care providers. The Final Rule also makes “business associates” directly regulated under HIPAA, as described later in this chapter.
Most mental health practitioners who become covered entities do so by (1) electronically transmitting (2) protected health information (PHI) (3) in connection with insurance claims or other third-party reimbursement. The key terms, PHI and electronic transmission, are discussed later. Many practitioners forget the third requirement and do not realize that electronic submissions of PHI that are not associated with a claim or third-party reimbursement will not make them a covered entity. For example, e-mailing records to another practitioner for a consultation will not trigger the need to comply with HIPAA and the Privacy Rule.
Protected health information (PHI) is an important term, not only because it defines which providers are covered entities but also because it defines the type of health information to which the Privacy Rule applies. Because of the way the Privacy Rule broadly defines PHI, most information in a patient’s file constitutes PHI. The key elements of the PHI definition include the following:
• Information that relates to (a) the past, present, or future physical or mental health condition of a patient; (b) providing health care to a patient; or (c) the past, present, or future payment for the patient’s health care
• Information that identifies the patient or could reasonably be used to identify the patient
Under this broad definition, patient contact information and patient lists are considered PHI.
The most common form of electronic transmission for mental health practitioners occurs via the Internet (e.g., e-mail or transactions on an insurance company Web site). Paper faxes (i.e., by inserting paper into a fax machine and sending) do not qualify as electronic submissions. However, computer-generated faxes (i.e., when transmitting a document already in electronic form by fax directly from a computer) do constitute electronic submissions.
If someone acting on behalf of the practitioner, such as a billing service, electronically submits PHI (in connection with a specified transaction), this makes the practitioner a covered entity subject to HIPAA.
Once a practitioner becomes a covered entity, the Privacy Rule applies to all of the PHI in his or her practice. The Privacy Rule does not permit an individual practitioner to segregate that part of his or her practice to which the Privacy Rule applies.
Some mental health practitioners still seek to avoid HIPAA and the electronic world, but this will become increasingly difficult to continue as electronic submissions become more ubiquitous. Even for those practitioners not technically covered, the Privacy Rule may well become a standard of care for protecting patient privacy, in terms of licensing board complaints or lawsuits. Finally, some practitioners who do meet the definition of covered entity have not bothered to become Privacy Rule compliant. Ignoring the rule in this way is strongly discouraged in light of enforcement provisions discussed later in this chapter.
Preemption Analysis—State-Specific Information
The Privacy Rule establishes a national floor of privacy protection and rights for patients. Accordingly, the Privacy Rule will not preempt state law provisions that provide higher levels of privacy protections to patients in terms of shielding their PHI from third parties. Additionally, state laws that allow patients greater access to, or control over, their PHI will not be preempted. Conversely, provisions of the Privacy Rule that give patients greater privacy protection or greater access to their records will preempt the corresponding provisions of state law. Note, however, that the Privacy Rule (p. 667) specifically does not preempt certain types of state laws, such as laws giving or denying parents access to their children’s records, regardless of whether they provide greater privacy protection. The key result of these complicated preemptions: Practitioners must remain aware of how disclosing and protecting PHI flows from a mixture of Privacy Rule and state privacy law provisions.
Consent and Authorization
The two types of patient permission to release PHI are consent and authorization. Consent is a general prospective agreement signed by the patient, typically at the start of treatment or when the patient applies for health insurance. The patient agrees to a variety of types of releases that might become necessary in the future (e.g., disclosures to insurers and to other treating providers). Authorization, by contrast, includes a detailed form that the patient signs at the time of, or just before, a particular disclosure. It describes in detail what information will be released to whom, for what purposes, during what timeframe, and under what conditions.
An important principle of the Privacy Rule is that routine releases within the health care system for treatment and payment purposes should be carried on relatively freely, without the delay and burden of having to obtain patient authorization for each release. The same principle applies to releases for the broader category of “health care operations,” which includes an array of administrative and quality control functions, such as audits.
State consent laws apply to releases of PHI (other than psychotherapy notes) for these treatment, payment, and health care operations purposes. In other words, the mental health practitioner simply needs to have whatever consent state law requires before releasing PHI. (In a number of jurisdictions, like California and the District of Columbia, an authorization is necessary for most releases of PHI.)
The Privacy Rule requires mental health practitioners to obtain written authorization for any use or disclosure of patient information not for the purpose of treatment, payment, or health care operations. An authorization is also required for releasing psychotherapy notes, as described later.
The Privacy Rule requires practitioners to make reasonable efforts to limit the amount of patient information they release to the “minimum necessary” to accomplish the intended purpose of a disclosure. The “minimum necessary” standard does not apply to (1) disclosures made to other health care providers for treatment purposes; (2) disclosures permitted by a written authorization; and (3) disclosures required by law.
The original Privacy Rule did not state who decided exactly what this vague “minimum necessary” standard meant. Thus, for example, mental health practitioners often disagreed with insurance companies over the scope of information necessary for the company to determine whether care for a patient qualified as medically necessary. The HITECH Act specified that minimum necessary would now be determined from the perspective of the party disclosing the information. In most situations, that disclosing party will be the practitioner. The Final Rule, however, does not provide further guidance on this change.
The Privacy Rule allows, but does not require, mental health practitioners to give heightened protection to certain sensitive patient information. Psychotherapy notes receive several forms of increased protection. First, with limited exceptions, practitioners must obtain a written authorization for any disclosure of psychotherapy notes. That authorization must be separate from any other authorization for releasing PHI. Second, health plans and third-party payers may not condition treatment, payment, enrollment, or eligibility for benefits on obtaining information in psychotherapy notes. For example, a health insurer cannot tell a patient that he or she will only authorize further therapy sessions if the patient signs an authorization to release (p. 668) psychotherapy notes about his or her treatment. Finally, the Privacy Rule does not give patients the right to access their psychotherapy notes, but in the majority of states preemption rules grant patients broad access to psychotherapy notes.
Psychotherapy notes are (1) notes by a mental health professional; (2) documenting or analyzing the contents of conversation during a private counseling session (including group, joint, or family counseling sessions); (3) kept separated from the rest of the patient’s mental health record.
Specifically excluded from the definition are (a) any summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date; (b) the modalities and frequencies of treatment furnished; (c) results of clinical tests; (d) counseling session start and stop times; and (e) medication prescription and monitoring.
The special protection accorded to psychotherapy notes flows from their content, which typically includes highly sensitive communications whose confidentiality is essential to successful psychotherapy, and that these notes are intended as the therapist’s private notes for his or her own use. They contain details not needed by others in the health care delivery system such as third-party payers and other health care professionals. By contrast, the items excluded from psychotherapy notes protection include basic elements of the separate “clinical record” appropriate for sharing with other treating providers and health insurers.
As required by the HITECH Act, HHS has considered whether to give similar heightened protection to psychological test data. The Final Rule does not address test data and at the time of this writing there has been no update from HHS regarding this issue. Thus, it is unclear whether HHS will decide to provide additional protection for test data.
A “business associate” is an organization or person outside of the mental health practitioner’s practice to whom the practitioner sends PHI (or provides access to PHI) so that the outside entity can provide services to the practitioner. Examples include accountants, lawyers, billing services, collection agencies, and computer repair services. Other health care providers are not considered business associates.
Under the original Privacy Rule, business associates were beyond the regulatory reach of HIPAA (which previously governed only actors in the health care arena such as health care providers and insurers). The Rule required covered entities to have “business associate agreements” with these entities. These agreements contractually obligated the business associates to protect the privacy of PHI they handled and obligated them not to make any releases of PHI that violate the Privacy Rule. However, the HITECH Act made business associates directly regulated under the Privacy Rule. While this would seem to make the business associate agreements unnecessary, the Final Rule still requires that providers enter into business associate agreements with their business associates.
One other major Final Rule change affecting mental health practitioners is known as the breach notification rule. This rule may require the practitioner to give timely notice to his or her patients if or when a “breach” involving the PHI occurs. A breach is defined as (1) the acquisition, access, use or disclosure of PHI; (2) that violates the Privacy Rule; and (3) involving PHI that has not been “secured” by HHS-approved encryption (or other technologies that make the PHI unusable to unauthorized users). Upon learning of a breach, a practitioner must conduct a 4-point risk assessment. If that assessment fails to establish a low probability that unsecured PHI has been compromised, the practitioner must give a specified notice of the breach to patients whose PHI is implicated and to HHS. Further information on this rule is available at the second Web site listed in the References for this chapter.
The key administrative requirements under the Privacy Rule involve (1) designating a “privacy (p. 669) officer” within the practice responsible for developing, implementing, and overseeing written privacy policies and procedures (a contact person should also be designated for receiving and documenting complaints from patients); (2) training employees (if any) in the practice’s written privacy policies and procedures so that each member may carry out his or her respective functions; (3) taking reasonable steps to safeguard all PHI from those who do not need or are not permitted access; and (4) providing patients with information about their privacy rights and explaining how their personal information may be used, as described in the next section.
Notice of Privacy Practices
The Privacy Rule requires mental health practitioners in direct treatment relationships with patients to give a Notice of Privacy Practices to each patient by the date of first service delivery and to make a good-faith effort to obtain each patient’s written acknowledgment of receipt of the notice. The notice must contain specific core elements, including each patient’s rights in relation to his or her health information and the practitioner’s duties to patients. The Final Rule added further statements that must be included in the Notice, if they are applicable to the practitioner. Practitioners are required to abide by the terms of their current privacy notice. Additionally, practitioners who maintain an office must also post the notice in the office in a clear and prominent location. In practice, the HIPAA privacy notice has become a piece of required paperwork that most patients never read.
Mental health practitioners are not required to eliminate all risks of “incidental uses and disclosures” of their patients’ information. Any use or disclosure of patient information “incident to” another permitted use or disclosure is permitted so long as “reasonable safeguards” to protect patient information have been adopted by the practitioner. An example of a permitted incidental disclosure might occur when an individual in the practitioner’s waiting room accidentally overhears a confidential conversation between another patient and the doctor.
Scalability of the Privacy Rule
To ease the burden of compliance, the Privacy Rule requirements are “scalable” to apply to the various types and sizes of practices. The scalability of the Privacy Rule allows for flexibility in the practice’s internal written policies and procedures. For instance, the privacy officer in a solo practitioner’s practice will, in most instances, be the solo practitioner; the privacy official in a large group practice may be a receptionist, the office manager, a practitioner, or if the practice is large enough, a full-time employee solely dedicated to HIPAA compliance.
HHS has responsibility for enforcement of the Privacy Rule. In response to complaints about lax HIPAA enforcement, the Final Rule Act increased enforcement in several key respects. For example, it creates a system of tiered civil penalties based in part on the willfulness of the covered entity’s violation. In cases of “willful neglect,” the maximum penalty is $1.5 million per violation. In addition, the government must consider letting individuals affected by the violation share in civil penalties, which would create whistleblower type incentives for reporting violations. Finally, HHS is required to conduct periodic audits of covered entities and business associates, rather than relying primarily on complaints to find violations, as it had done prior to HITECH.
This chapter is not intended to provide legal advice or to give full details regarding HIPAA, the Privacy Rule or the Final Rule. It is likely that HHS will provide further clarification regarding the Final Rule. For information on relevant updates, see the second Web site listed (p. 670) in the references. Rather it provides an overview of basic aspects of, and some common issues under, the Privacy Rule. Legal and regulatory issues are complex and highly fact specific and require legal expertise that cannot be provided by any single book. The information in this chapter should not be used as a substitute for obtaining personal legal advice and consultation prior to making decisions regarding individual circumstances.
References and Readings
American Psychological Association Insurance Trust. (n.d.). Health Insurance Portability and Accountability Act. Retrieved February 2013, from www.apait.org/apait/resources/hipaa/
American Psychological Association Practice Organization. (n.d.). Practice central: Business of practice. Retrieved February 2013, from www.apapracticecentral.org/business/hipaa/index.aspx
US Department of Health and Human Services. (n.d.). Health information privacy. Retrieved February 2013, from www.hhs.gov/ocr/hipaa
Chapter 127, “Elements of Authorization Forms to Release or Request Client’s Records”