AVOIDING LIABILITY BLOG

Breach of Confidentiality – How Much Accountability and to Whom

Avoiding Liability Bulletin, Ethics and HIPAA, Mental Health
Download PDF

Avoiding Liability Bulletin – May 2009

… Confidentiality is the primary cornerstone of psychotherapy. Without the promise of confidentiality, patients and clients would be reluctant to “open up” with their therapists and counselors, and as a consequence, successful treatment would likely be hindered. Therapists and counselors learn about confidentiality early in their careers and understand its importance. Hopefully, they also understand that a negligent or intentional breach of confidentiality can result in significant negative consequences for them.

Typically and traditionally, the patient or client has had two remedies. One remedy is to sue for monetary damages in a civil lawsuit. Depending upon the nature and extent of the breach, and the consequent damages or harm to the client, the civil lawsuit might have significant value. Hopefully, the practitioner will be covered by professional liability (malpractice) insurance! (Intentional acts are typically excluded from coverage). The other remedy available to the client is the filing of a complaint with the licensing board. A complaint could result in a fine, a suspension or revocation of one’s license, multiple years of probation upon various and onerous terms and conditions, or a combination thereof. Additionally, licensing board actions are usually publicized, in one way or another (e.g., on the Internet).

It is now possible, at least in one state, for an inadvertent breach of confidentiality to result in monetary liability (administrative fines) by three separate governmental entities – one federal agency and two state agencies! Imagine a practitioner who inadvertently sends records to a third party, but later realizes that the authorization form that the patient signed was only valid through a certain date, which had recently passed. The possible implications of such a situation, or other more serious situations involving a breach of confidentiality, are rather extensive in this state and perhaps others.

In the state referenced above, the licensing board for marriage and family therapists and clinical social workers has the authority, as an alternative to the usual disciplinary actions they can initiate, to issue an administrative citation for violations of the law that are inadvertent or minor in nature. Such a procedure allows the practitioner to pay the fine assessed by the Board (up to $5000) or to contest it, both informally and formally.

If the practitioner is a “covered entity” under HIPAA, then he or she is also subject to a complaint to, and fine by, the federal Office of Civil Rights, which is part of the U.S. Department of Health and Human Services. While the range of possible fines per violation is rather wide, depending upon the circumstances, inadvertent or negligent violations of confidentiality, especially for first time offenders, have been rather light under the HIPAA enforcement provisions. Recently, however, Congress passed the so-called “stimulus package” in order to stimulate the economy – more formally known as the American Recovery and Reinvestment Act. A part of that Act is the HITECH Act – which stands for Health Information Technology for Economic and Clinical Health. In the latter Act, the amount of the civil fines that may be assessed against a “covered provider” has been substantially increased. Providers can either pay the administrative fine or contest the matter.

As if that were not enough, the state referenced above has created yet another agency that can fine licensed health care professionals for violations of a patient’s confidentiality. This new agency, the Office of Health Information Integrity, is a creature of recent legislation. Its general purpose is to ensure the enforcement of state law mandating the confidentiality of “medical information” (includes mental health records maintained by a variety of psychotherapists) and to impose administrative fines for the unauthorized use of medical information. The reason why this law was passed (in my view, in haste and without enough thought) is directly a result and reaction to some gross breaches of confidentiality that occurred regarding one or more well-known entertainers. Legislators quickly reacted by passing this law – which is somewhat duplicative of the HIPAA enforcement provisions and various licensing law and related provisions allowing for administrative fines and more severe disciplinary action.

The penalty provisions for violating confidentiality have been expanded by this recently passed state law. On the upper end of the penalties for a breach of confidentiality, a $250,000 administrative fine or civil penalty is possible, for example, if a licensed health care professional knowingly and willfully obtains, discloses, or uses medical information in violation of the state’s basic confidentiality law for the purpose of financial gain. This stiff fine or civil penalty (the maximum) is applicable in the case of a third violation. A first time violation could garner an administrative fine or civil penalty up to $5,000, while a second violation could result in a fine or civil penalty of up to $25,000. Lesser penalties are provided for in cases where a disclosure is made by a licensed health care professional as the result of negligence (as opposed to knowing and willful behavior) and not for financial gain.

This new law requires every provider of health care to establish and implement appropriate administrative, technical, and physical safeguards to protect the privacy of a patient’s medical information. It requires providers of health care to reasonably safeguard confidential medical information from any unauthorized access or unlawful access, use, or disclosure. While the requirements mentioned above have not previously been expressly stated in the law (other than in HIPAA regulations), the duty of confidentiality obviously, and as a practical matter, requires these basic steps to be taken by any practitioner who is duty bound to preserve patient confidentiality. A bill has recently been introduced in the state’s Legislature that would give the newly created Office of Health Information Integrity the right to audit the procedures and records of a provider of health care at any time in order to determine the provider’s compliance with these requirements. I expect that this bill will be the subject of great concern for associations representing various providers of health care.

Finally, the Confidentiality of Medical Information Act in this state (California) provides that any violation of the law of confidentiality, as contained in the CMIA, that results in economic loss or personal injury to a patient is punishable as a misdemeanor. The “civil penalty,” referred to above, is assessed and recovered in a civil action (lawsuit) brought in the name of the people of the State of California in any court of competent jurisdiction by any district attorney, any city attorney of a city, the Attorney General of the State of California, or others! Accountability enough? Is there anything similar in your state?

ABOUT THE AUTHOR

Richard Leslie

"At the Intersection of Law and Psychotherapy" Richard S. Leslie is an attorney who has practiced at the intersection of law and psychotherapy for the past twenty-five years. Most recently, he was a consultant to the American Association for Marriage and Family Therapy (AAMFT), where he worked with their various state divisions to develop and implement their legislative agendas. He also provided telephone consultation services to AAMFT members regarding legal and ethical issues confronting practitioners of diverse licensure nationwide. Additionally, he wrote articles regarding legal and ethical issues for their Family Therapy Magazine and presented at workshops on a variety of legal issues. Prior to his work with AAMFT, Richard was Legal Counsel to the California Association of Marriage and Family Therapists (CAMFT) for approximately twenty-two years. He was director of Government Relations for CAMFT, and as such was the architect of CAMFT’s widely regarded and successful legislative agenda. He represented CAMFT before the regulatory board (the Board of Behavioral Sciences) and was a tireless advocate for due process and fairness for licensees and applicants. He was a regular presenter at workshops and was consistently evaluated as CAMFT’s most highly rated presenter. He also sat with the CAMFT Ethics Committee and acted as their advisor on matters pertaining to the enforcement of ethical standards. Richard is an acknowledged expert on matters pertaining to the interrelationship between law and the practice of marriage and family therapy and psychotherapy. For many years, he taught Law and Ethics courses for a number of colleges and universities in their marriage and family therapy degree programs. While at CAMFT, he provided telephone consultation services with thousands of therapists in California and elsewhere for over twenty years. He is highly regarded for his judgment, his expertise, his direct style, and his clarity. Richard has been the driving force for many of the changes and additions to the laws of the State of California that affect MFTs. In 1980, he was primarily responsible for achieving passage of the "Freedom of Choice Law" that required insurance companies to pay for psychotherapy services performed by MFTs. Passage of that law allowed MFTs to earn a living, allowed them to better compete in the marketplace, and strengthened the profession in California by leading to a great increase in the number of licensees and CAMFT membership. Currently, about half of the licensed marriage and family therapists in the country are licensed in California. While at CAMFT, Richard was primarily responsible for, among other things, the successful effort to criminalize sex between a patient and a therapist. He was successful in extending the laws of psychotherapist-patient privilege to MFTs, thereby giving patients the same level of privacy protection as when seeing a psychiatrist or psychologist. He fought tirelessly and successfully for the right of MFTs to refer to themselves as "psychotherapists," to perform psychological testing services, to be appropriately reimbursed by California’s Victims of Crime Program, and to be employed in county mental health agencies throughout California. Richard was admitted to the Bar in New York (1969) and in California (1973). While practicing in New York, he served as a public defender, and later, as an Assistant District Attorney. Shortly after moving to California, he worked for the San Diego County Human Relations Commission as their Law and Justice Officer. While there, he worked successfully to achieve greater racial diversity in the criminal jury selection system and to expose and stop police abuse. For such work with that agency, he was the recipient of the Civil Libertarian of the Year Award by the San Diego Chapter of the American Civil Liberties Union.

YOU MIGHT ALSO LIKE

Mental Health
By: Richard Leslie

TESTIFYING IN COURT OR AT A DEPOSITION

Mental health practitioners must be prepared to testify in court or at a deposition, under oath. Although some practitioners may not [...]

Mental Health
By: Richard Leslie

Brief Reminders

The following reminders/topics are not in order of importance and are only brief comments about a variety of issues

Mental Health
By: Richard Leslie

Discipline and “Due Process”

Licensing by the state is not a right, but rather, a privilege. Those who are licensed, whether as marriage and family therapists, [...]

Have Questions? click here, We’re happy to help!