FAQs for HIPAA / Mental Health Records

I get a number of questions about the creation, maintenance, disclosure, integrity, and destruction of mental health records. Here are some of those questions and my responses. WARNING: this area is regulated by state and federal statutes, regulations, and case law. I am not an attorney. The information provided here is generic, and your local jurisdiction and specific circumstances may differ. You are advised to seek the services of a licensed attorney, regarding your specific circumstances.  Providers who understand their local laws in this area will be better prepared to handle future problems.

HIPAA-COMPLIANT TECHNOLOGY

Q I'm looking for a phone / fax / computer / teleconferencing system that is HIPAA-compliant. How do I find one?

A You can't, because there is no such thing as HIPAA-compliant anything. 

First, there is no certification process for making anything 'compliant'. That should be your first clue. Yes, some manufacturers claim to be "HIPAA-compliant", but that's only a sales gimmick, like labeling candy as 'fat free'.

Second, HIPAA regulates providers, not technology. Therefore, technology cannot comply with the HIPAA regulations.

Lastly, compliance with the HIPAA security rule involves more than merely technological measures, and the other measures require action by the provider. How much security is required, and what measures to take, are the provider's responsibility to determine an enact.

In sum, although technology can be secure, the provider is responsible to esnure that the PHI is secure - not the technology.

e.g., see 

Landman, A. (September 25, 2013). Debunking the most common myths about HIPAA. MobiHealthNews

http://www.mobihealthnews.com/news/debunking-most-common-myths-about-hipaa 

FORENSIC EVALUATIONS AND HIPAA #2

Q Can a forensic evaluator refuse to give the evaluee a copy of the records, because the evaluation was "information compiled in anticipation" of litigation?

A no. 

Many forensic evaluators believe that when an evaluation is ordered by a court, or when the evaluator was retained by an attorney, that either fact qualifies the evaluation as being 'in anticipation of litigation'. Some even extend that interpretation, asserting that evaluations such as fitness for duty qualify, because they believe that the evaluee will, at some future date, begin litigation.

Although this myth has been widely promulgated, it is based solely on one particular reading of the regulation text. Authors who advocate for their belief assert that their reading should be considered to be the 'plain reading' of that text - meaning that there is no other reasonable interpretation of that text.

However, upon further investigation, we found that there are other published interpretations of the text. In the following article, we observe that multiple sources all point to a single, different interpretation - that this regulation refers to documents that are protected by attorney work product.

Borkosky, B. G., & Pellett, J. M. Can FMHPs refuse to release records to evaluees because the records are “information compiled in reasonable anticipation of or for use in, a civil, criminal, or administrative action or proceeding”(as defined by HIPAA)?. American Journal of Forensic Psychology, 31(3), 21-40.

NOTE: interestingly, although the sources we cite INCLUDE HHS itself, many forensic evaluators still refuse to alter their positions!

FORENSIC EVALUATIONS AND HIPAA #1

Q Does HIPAA regulate forensic evaluations?

A no, but.... or I could say, yes, but.......... Actually, this question is poorly framed. 

This issue was initially address by this article:

Connell, M., & Koocher, G. P. (2003). HIPAA and forensic practice. American Psychology Law Society News, 23(2), 16-19.

Although it provided equivocal answers, most forensic psychologists read this as asserting that HIPAA does not regulate forensic evaluations. Nothing could be further from the truth!

The truth is, HIPAA does not regulate healthcare SERVICES - it regulates healthcare PROVIDERS. Thus, if the provider qualifies as a HIPAA covered entity, at any time since 4/14/2001, then the provider is regulated by HIPAA for all services they perform in their professional capacity or under their professional license.

Borkosky, B. G., Pellett, J. M., & Thomas, M. S. (2014). Are forensic evaluations “health care” and are they regulated by HIPAA?. Psychological Injury and Law, 7(1), 1-8.

INFORMED CONSENT AND HIPAA

Q  Does HIPAA require informed consent for treatment purposes?

A. no. Some authors assert that HIPAA requires informed consent for treatment. For example, see

Kleinman, T. G., & Walker, L. E. (2014). Protecting psychotherapy clients from the shadow of the law: A call for the revision of the Association of Family and Conciliation Courts (AFCC) guidelines for court-involved therapy. Journal of Child Custody, 11(4), 335-362.

However, this assertion is incorrect. What HIPAA DOES require is a notification of privacy practices (NOPP) - this document tells the patient what will be done with their information and describes their rights in this regard. However, this document does not mention anything about the treatment being offered by the provider.

CHARGING A FEE FOR REVIEW OF RECORDS

Q Am I permitted to charge a fee for reviewing the records prior to disclosing them?

A no.

Some providers are rightfully concerned that the records might contain information that cannot be disclosed, for any of a number of reasons. For example, some records might contain information about other patients (as occurs during marriage and/or family therapy). However, HIPAA contains no provision for imposing fees for such activities. Further, because of this, any state laws that might authorize such fees would be preempted by HIPAA, and the fees would not be permitted.

HIPAA'S SATISFACTORY ASSURANCE AND SUBPOENAS

Q Am I required to disclose records if the attorney provides 'satisfactory assurance that s/he notified the patient (per HIPAA 45 CFR 164.512)?

Q Am I required to disclose records if the attorney has requested an order of protection (per HIPAA 45 CFR 164.512)?

A the short answer is no. First I will explain why many attorneys seem to be arguing this, and then give you the rationale / long answer.

Why do many attorneys argue this point? It is not completely clear, because no attorney has ever given me a complete answer. They merely cite HIPAA.

1. One reason might be myopia. Some attorneys seem to think that the world revolves around the legal system / their litigation. Thus, they read HIPAA as applying to them. They fail to realize that HIPAA regulates healthcare providers - not the legal system. 

For example, Vine (2015) argued that because her article referenced only federal litigation, preemption did not apply. She failed to consider that health care providers are always required to comply with state licensing laws, even when the litigation is in federal court. It is FEDERAL COURTS that are not required to comply with state laws - not providers. 

2. A second reason might be that they fail to consider the impact of state law and the impact of HIPAA's preemption. Almost all (if not 100%) of state laws require written authorization from the patient, prior to disclosing records to the legal system. Although HIPAA permits the disclosures described in this question (sans patient authorization), state laws are more protective of the patient, and thus are not preempted by HIPAA. Thus, state laws rule. 

3. A third possible reason for this error is that many people confuse the rules of confidentiality and privilege. Privilege rules regulate the legal system, and determine when records can be admitted as evidence. The part played by health care providers is to protect the patient by asserting privilege until it is clear that privilege does not apply.

now - why does this HIPAA provision not permit providers to disclose records to the legal system?

a. Many (if not most) health care records are privileged, which protects them from disclosure. Providers protect patients (and comply with confidentiality laws) by requiring either patient authorization or a court order, prior to disclosing records. These laws are more protective of patients, and thus are not preempted by HIPAA.

b. For records that are not privileged (e.g., privilege does not apply or is waived), making that determination is a legal one - as such, providers are not permitted to do so. Thus, providers must obtain either a court order or patient authorization.