Avoiding Liability Bulletin – October 2007
… How do your state laws interact with HIPAA regulations, primarily the “Privacy Rule?” What efforts are being made in your state to subject all practitioners to HIPAA requirements? What misconceptions do you or others have about HIPAA requirements and its applicability to your practice? It is important, from time to time, to think about these questions and to get answers so that you can stay abreast of changes that may affect your policies and practices concerning confidentiality and patient access to records.
Whether or not you are a “covered entity” (may be an individual private practitioner or a larger health care business – like a hospital – that engages in specified insurance related transactions electronically), it is important to understand the basics about HIPAA and the federal regulations referred to as the “Privacy Rule,” and how they interact with state law. If you are a covered provider, you must know about state law requirements and how they interact with HIPAA because, among other things, you will likely have to resolve conflicts between state law and the provisions of the “Privacy Rule.”
For example, if your state law allows a patient to access his or her records within a specified time frame, and if HIPAA regulations allow access within a longer period of time, the federal regulation is superseded by the state law provision. On the other hand, if your state law allows you to provide a patient with a summary of his/her records in lieu of the complete records, HIPAA regulations may take precedence over the state law. In most states, a variety of organizations have analyzed the “Privacy Rule” and state law, and have identified which law a “covered entity” must follow in particular circumstances.
For those who are not covered providers, state law governs. However, many states are in the process of reconciling their state law with the federal regulations, so it is important to keep current on such issues as a patient’s right to inspect or to get a copy of his/her records, a patient’s right to amend or addend his/her records, and a therapist’s right or duty to break confidentiality under specified circumstances. The California Legislature has this year passed a law that allows a therapist to break confidentiality in dangerous patient situations – and has essentially taken the language from the “Privacy Rule.” Therapists in California who are not covered providers under HIPAA will soon (1/1/08, if signed by the Governor) be bound by a state law provision taken directly from the “Privacy Rule.” So, stay alert and up to date!
As to common misconceptions, there are several. One common misconception at the beginning of HIPAA’s implementation in 2003 was that all licensed psychotherapists or health care practitioners were covered and bound by HIPAA. This, of course, is not true. Another misconception was the failure to realize that under HIPAA regulations, health care providers were free to break confidentiality, without the patient’s written authorization, in order to communicate with other health care providers about the diagnosis and treatment of the patient and in order to get payment from insurance companies. This freedom to share information without the patient’s written authorization is disclosed to the patient in the required Notice of Privacy Practices.
A third and somewhat broader misconception involves the manner in which “psychotherapy notes,” as that term is used in the “Privacy Rule,” is treated under HIPAA, and the manner in which it is to be handled by practitioners. The key fact that is misunderstood is that the definition of the term does not include the treatment records pertaining to counseling session start and stop times, the modalities and frequencies of treatment furnished, the results of clinical tests, symptoms, or summaries of diagnosis, functional status, treatment plan, prognosis and progress to date.
“Psychotherapy notes,” under HIPAA, a) must be kept separate from the rest of the patient’s mental health records, b) the therapist may properly deny the patient access to the psychotherapy notes when the patient makes a written demand for a copy of his or her records, c) insurance companies are not ordinarily entitled to psychotherapy notes without the patient’s written authorization (despite the general rule that covered providers are permitted under HIPAA to share confidential information with insurers for the purposes of obtaining payment), and d) in litigation, psychotherapy notes are discoverable (pursuant to a subpoena) when mental health records are determined to be relevant and the psychotherapist-patient privilege has been waived or is otherwise not applicable.
Think carefully about the two prior paragraphs. It is important to understand this term and how it is treated under HIPAA. Are “psychotherapy notes” treated similarly by the laws in your state regarding patient records, privilege, or access to records? Perhaps at this point you have realized that the term “psychotherapy notes” has not yet been defined in this article. Do you know the definition of the term? Are you comfortable with your knowledge of this subject? If your answer is “no” to either question, then I refer you to the Avoiding Liability Bulletin Archives. Click on all of the articles under HIPAA – and you will learn more about this important and often misunderstood subject.