Avoiding Liability Bulletin – May 2016
The duty of confidentiality is often on the minds of practitioners when it comes to dealing with insurance companies and insurance reimbursement issues. The comments that follow do not cover the entire spectrum of issues that may arise, but rather, review several basic principles of law or practice related to confidentiality that are important to keep in mind as one deals with the various situations that may occur when dealing with insurers.
First, practitioners will either be governed by the HIPAA Privacy Rule or by the laws of the states where they practice. It is obviously important to know which laws (and regulations) govern one’s practice. Secondly, whether governed by state law or HIPAA, it is important to remember that if there is doubt as to the appropriateness of a particular disclosure to an insurer, a signed authorization from the patient can usually be obtained. If the patient is for some reason unwilling to sign an authorization, and knows the possible consequences with respect to reimbursement, then release of the information will likely not occur. It is important for practitioners to know with certainty the required contents or elements of a valid authorization form, whether governed by HIPAA or by state law.
Those practitioners who are covered entities under HIPAA must be aware of the definition of “psychotherapy notes” in the “Privacy Rule,” since a written authorization is required before such notes (documenting or analyzing the contents of conversation during a counseling session) can be released to an insurer. It is not very often that an insurer will seek “psychotherapy notes,” which must be kept separate from the rest of the patient’s treatment record, but in some cases, this will occur. Typically the insurer is primarily interested in the dates of service, the symptoms, the diagnosis, the treatment plan, the prognosis, the progress to date, and other “routine” information contained in the treatment record. The fact that there may be disclosures of such information without the patient’s signed authorization must be described in the Notice of Privacy Practices (for covered entities under HIPAA) given to the patient at the outset of treatment.
It is helpful to remember the minimum necessary rule or principle. The principle makes abundant sense and should (or must) be followed, with some exceptions, whether one is governed by HIPAA or by state law. In essence, it provides that the practitioner must make reasonable efforts to only release the minimum amount of information necessary to accomplish the purpose of the request. This principle applies primarily to releases of information that are permitted without a written and signed authorization from the patient, such as information that an insurer might routinely request (see above) to determine if payment should be made or continue to be made. The minimum necessary principle would generally not apply, for example, to a release of information to another licensed health care provider for purposes of diagnosis or treatment of the patient, or in situations where there is use of an authorization form. In the latter case, the amount of information released would not be the minimum necessary, but rather, the amount released would be determined by the specific wording in the authorization.
HIPAA regulations were to a large extent modeled after state laws. State laws usually specify the circumstances under which a written and signed authorization from the patient is not required. In other words, and counter-intuitively, the practitioner can often release information without the patient’s signed authorization. It is either required (e.g., by the Notice of Privacy Practices provisions under the HIPAA Privacy Rule, or by a particular state law) or advisable to inform patients, in a written disclosure form (sometimes referred to as an informed consent form), that certain disclosures of otherwise confidential information may be required and permitted under applicable law – without the patient’s signed authorization. The most helpful (from a treatment perspective) permissive exception to the requirement of a written and signed authorization from the patient involves releases of information to other health care providers or health care facilities for purposes of diagnosis or treatment of the patient.
Another permissive exception under state laws typically provides, among other things, that a health care provider may release medical information (includes mental health information) about a patient to an insurer or other person or entity responsible for paying for health care services rendered to the patient, to the extent necessary to allow responsibility for payment to be determined and payment to be made. State law may also provide that medical information may be disclosed to a person or entity that provides billing, claims management, medical data processing, or other administrative services for providers of health care. HIPAA’s Privacy Rule essentially recognizes these common exceptions to confidentiality and the required Notice of Privacy Practices form informs patients of these and other exceptions.