|
|
| |
|
Select A Topic . . .
|
|
|
|
Archive Categories
|
|
|
|
|
|
|
| | |
|
| |
| |
by Richard S. Leslie, J.D. Click here for profile.
Attorney at Law - "At the Intersection of Law and Psychotherapy"
HIPAA
(April 2005
, Volume 2)
… Now that I mentioned HIPAA, why are so many practitioners under the impression that they are “covered providers” under HIPAA (the “Privacy Rule”) when they are in fact not? In essence, a covered provider is someone who practices health care and transmits any health information in electronic form (for example, via the Internet or Extranet, dial-up lines) in connection with a transaction for which the Secretary (of the U.S. Department of Health and Human Services) has adopted standards. Some therapists only deal with cash paying clients while others may only bill insurance by paper and the mail. State law may differ from HIPAA regulations. If I were not a “covered provider” under HIPAA, I probably would not want to voluntarily comply with the HIPAA requirements, but would want to continue to comply with state law. See http://www.hhs.gov/ocr/hipaa for more information about HIPAA.
|
HIPAA
(May 2005
, Volume 1)
… What is the difference between the way that HIPAA treats the subject of parental access to a minor’s records and the way your state law treats the issue? Likely none, since HIPAA essentially defers to state law regarding the subject. Not so with other issues, where state law and HIPAA may conflict. If one is a “covered provider,” for example, state law may have to give way to HIPAA requirements, like in those states where HIPAA provides the adult patient with greater rights to access his or her records than does the state law.
… If a health care provider transmits health information in electronic form with respect to one transaction with an insurance company for which the Secretary of the U.S. Department of Health and Human Services has adopted standards, is the health care provider covered by the requirements of the HIPAA “Privacy Rule” with respect to his or her entire practice, even though all other patients pay in cash or by check? The answer, in short, is “yes!”
|
HIPAA - Patient Access to "Psychotherapy Notes"
(June 2005
, Volume 2)
… Under federal regulations implementing HIPAA, a patient has certain rights with respect to inspecting and copying their health records when they make a specific request to do so in writing. Those regulations also make clear, among other things, that the provider does not have to give the patient a copy of the “psychotherapy notes,” which are defined as the notes recorded in any medium by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of the individual’s medical (includes mental health) record.
Be careful – under the HIPAA regulations you must distinguish between “psychotherapy notes” and “psychotherapy records” - they are not the same. “Psychotherapy records” would include, for instance, any summary of the diagnosis, functional status, the treatment plan, symptoms, prognosis and progress to date. It would also include the results of clinical tests, the modalities and frequencies of treatment furnished, and counseling session start and stop times. Remember, HIPAA applies to those who are “covered providers.”
|
HIPAA - Subpoena for Records and Notes
(June 2005
, Volume 2)
… Suppose the therapist’s mental health records and notes regarding the patient are subpoenaed by the defendant (the former employer) during the patient’s civil suit against her former employer. The patient alleges that the employer’s sexual harassment and other wrongful conduct caused her to suffer mental and emotional distress. Suppose further that you are covered by HIPAA regulations (“The Privacy Rule”) and that your patient and her attorney tell you that they are waiving the psychotherapist-patient privilege and that they want you to comply with the subpoena. Is the defendant entitled to the “psychotherapy notes” as well as the “psychotherapy records”?
The general answer is “yes,” but therapists should first talk with the patient and the patient’s attorney in order to get clarity on what the waiver of privilege includes. Although there are exceptions that may apply, the general rule is that the defendant will be entitled to such “records” and “notes” if the subpoena is broad enough and is properly issued and served. The protected status of “psychotherapy notes” under HIPAA does not generally extend to civil litigation brought by the patient where the health records may contain relevant evidence and where the privilege has been waived (e.g., where the patient is suing for alleged mental or emotional distress). Of course, if the psychotherapist-privilege is not waived by the patient and the patient’s attorney, the therapist will likely be asserting the privilege on behalf of the patient and resisting release of the records.
|
HIPAA - Right to Amend Records
(October 2005
, Volume 1)
… How does your state’s law differ from HIPAA regulations on the issue of the right of the patient to amend your mental health treatment records? Do you need to know the answer to this question? Yes you do, especially if you are a “covered provider” under HIPAA regulations. If you are not a “covered provider,” then you need to know what the law is in your state. Some states may not specifically grant to patients the right to amend records. One state, for instance, allows the patient to submit an addendum to the records, but not to obtain an amendment. Do you know what the law is in your state?
The general rule under HIPAA is that a patient has the right to have a “covered” therapist amend personal health information or a record about the patient for as long as the information is maintained. This right to amend is not without limitation. For instance, the therapist would be able to deny a request for amendment if it pertains to “psychotherapy notes” (which are not available for inspection or copying by the patient, at the discretion of the therapist) or if the therapist takes the position that the records are accurate and complete. If the request to amend records is denied by the therapist, the HIPAA regulations provide for a process for both the patient and the therapist to follow.
|
HIPAA - Psychotherapy Notes/Records
(August 2005
, Volume 1)
… In a prior Avoiding Liability Bulletin (June, 2005 - Volume No.2), under the topic of “HIPAA – Patient Access to Records,” the definition of “psychotherapy notes” was included, since under HIPAA regulations “covered providers” are permitted to deny access to their “psychotherapy notes” when patients demand a copy of all treatment records.
Excluded from the definition of “psychotherapy notes” are: documentation of counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, medication prescription and monitoring, and any summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis and progress to date. These excluded items essentially constitute the typical content of “psychotherapy records.” Under HIPAA regulations, patients are generally to be informed in the Notice of Privacy Practices that psychotherapy records (but not “psychotherapy notes,” unless pursuant to a valid authorization form signed by the patient) will be released to insurers for purposes of payment, without the patient’s signed authorization.
|
HIPAA - Enforcement
(June 2006
, Volume 1)
… On March 16, 2006 the final rule on Enforcement under HIPAA became effective. This enforcement rule (federal regulation) relates not only to the Privacy Rule, but also to other rules adopted by the Secretary of the U.S. Department of Health and Human Services to implement the Administrative Simplification provisions of HIPAA (for example, the Security and Transaction Rules). If a complaint is filed against a “covered entity” (private practitioner health care providers may or may not be a “covered entity” – depending upon whether or not they transmit any health information in electronic form in connection with specified insurance – related transactions), an investigation may begin.
Suppose that a “covered” practitioner failed to give a patient the Notice of Privacy Practices on the patient’s first visit, or perhaps the therapist or counselor failed to provide the patient with timely access to his/her mental health treatment records. If a patient were to file a complaint with the Secretary of Health and Human Services (Office for Civil Rights), it is possible that the practitioner would ultimately be assessed a fine (called a “civil money penalty”) for an alleged violation. It is also possible that the matter will be resolved amicably without the imposition of a civil money penalty, even if the practitioner did violate the Privacy Rule.
While the regulations provide for a formalized, adversarial process where a proposed civil monetary penalty is contested, the government’s general approach to complaints is that they will work with covered entities to help them achieve compliance. They will do this when the non-compliance is due to “reasonable cause” and not “willful neglect” and is corrected over a certain period of time after the covered entity knew or should have known of the compliance failure. If the violation is intentional or due to “willful neglect,” however, the government will likely pursue the civil money penalty approach. In such a case, the practitioner has specified rights, including the right to a hearing before an Administrative Law Judge (ALJ) and the right to appeal the ALJ’s decision.
Those who are “covered providers” need to have a more in depth knowledge about these recently effective federal regulations for a variety of reasons, not the least of which is to know how to navigate the system should one suddenly and unexpectedly be the subject of a complaint. Even those who are not “covered entities” should be aware of these regulations, since the government may wrongly assume or wrongly assert that one is a covered entity when in fact that is not the case. Additionally, there are some possible implications with regard to one’s licensing board, since whenever a proposed penalty is final, HHS will notify the public and the appropriate state licensing agency of the penalty and the reason why it was imposed. Finally, be mindful that your malpractice carrier may cover you for some aspect of such an investigation and proceeding by the federal government.
|
HIPAA, FERPA, and Student Health Records
(February 2009
, Volume 1)
…
As a result of confusion among health care professionals and school
administrators throughout the country, the U.S. Department of Education and the
U.S. Department of Health and Human Services have issued a joint guidance
(November 2008) on the application of two federal acts – the Family Educational
Rights and Privacy Act (FERPA) and the Health Insurance Portability and
Accountability Act of 1996 (HIPAA) – to student health records. I have used the
content of this written guidance, often “word for word,” quite liberally in
this article so as to avoid inaccuracies. The intersection of these two laws
has caused some confusion, primarily for school administrators, when faced with
questions about the release of student health records to parents and/or to
third parties. This article touches upon only some of the aspects of this
rather complex subject matter.
FERPA
protects the privacy of students’ “education records,” which term is defined
broadly enough (e.g., records that are directly related to a student and
maintained by an educational agency or institution or by one acting for the
agency or institution) to include certain student health records. HIPAA, among
other things, deals with the privacy of mental health records maintained by
those mental health practitioners (and other “covered entities”) who are
“covered providers” because they transmit health information in electronic form
with respect to specified transactions related to insurance billing. The HIPAA
Privacy Rule specifically excludes from its coverage those records that are
protected by FERPA – that is, “education records.” (The HIPAA Privacy Rule also
excludes “treatment records,” as defined in FERPA, from its coverage.)
These
two federal laws intersect with each other when a school that is covered by
FERPA (generally, educational institutions/agencies that receive funds from the
U.S. Dept. of Education, such as virtually all public schools and school
districts and most private and public postsecondary institutions, including
medical and other professional schools) provides health care to students in the
normal course of business and conducts covered transactions electronically in
connection with that health care.
One
of the areas clarified by the joint guidance is whether the HIPAA Privacy Rule
applies to elementary or secondary schools that maintain health records of
students. Generally, the HIPAA Privacy Rule does not apply to these schools.
This is typically so because the school is not a “covered entity,” or if a
“covered entity,” the health information maintained on students is contained in
records that are considered “education records” under FERPA, which are not
subject to the HIPAA Privacy Rule. Also, elementary or secondary schools may
employ mental health practitioners to provide therapy or counseling services to
students, but if the school or the provider does not bill a health plan
electronically for such services the school is not a “covered entity” under
HIPAA.
A
different example would be where a public high school employs a mental health
practitioner that bills Medicaid electronically for services provided to a
student under IDEA (Individuals with Disability Education Act). In that case,
the school is a HIPAA “covered entity” and would be subject to HIPAA
requirements concerning transactions, but would probably not be subject to the
HIPAA Privacy Rule because the mental health information may be maintained in
what is considered to be “education records,” as defined in FERPA. The school
would then have to comply with the FERPA privacy requirements. (Private and
religious schools at the elementary and secondary level generally do not
receive funds from the U.S. Department of Education and are, therefore, not
subject to FERPA.)
Some
therapists or counselors may be employed at a university hospital. A question
arises as to whether FERPA or HIPAA applies to the patient records maintained
by the hospital affiliated with a university that is subject to FERPA. Since
these hospitals typically provide health care services without regard to the
person’s status as a student and not on
behalf of the university, patient treatment records are subject to all of
the HIPAA rules, including the Privacy Rule – assuming that the hospital is a
“covered entity” (usually the case). These particular patient records would not
ordinarily be considered “education records” or “treatment records” covered by
FERPA. However, if the hospital runs the student health clinic on behalf of a university, the clinic
records on students would be subject to FERPA and not subject to the HIPAA
Privacy Rule.
Why is it important to know whether the HIPAA
Privacy Rule applies, or the privacy requirements of FERPA, in any given
situation? The rules regarding disclosure of student health records may differ
between FERPA and the HIPAA Privacy Rule, depending upon the circumstances
involved. Questions are likely to arise as to a student’s right to access
(inspect or copy) his or her own records, both as a minor and as an adult.
Additionally, parents may desire to access the health records of their minor
children who are students (the HIPAA Privacy Rule essentially defers to state
law with respect to the issue of a parent’s right to access the health care
records of a minor patient). Finally, schools may be faced with requests by
parents or the student that the student’s health records be sent to other
health care providers or to “third parties.” In each situation, it is critical
for the practitioner and the school to know which law applies.
I was able to access this thirteen-page document by
“googling” the words “joint guidance on FERPA and HIPAA.” It can likely be
accessed through the websites for either the U.S. Department of Education or
the U.S. Department of Health and Human Services.
|
|
|
|