Mental Health and HIPAA

Posted: May 10, 2016
Share This:

A few months back, we published a guide detailing some of the “Facts of HIPAA’ that all covered entities and business associates need to be aware of. The HIPAA rules apply to behavioural and mental health in much the same way, but there are a few differences for providers who specialise in these fields. This leads to a few further HIPAA ‘gray areas’ that are exclusive to practices and individuals treating patients with behavioural and mental health problems.

Much of the confusion around HIPAA and mental health centers around three key areas

  • the difference in disclosure rules surrounding PHI and psychotherapy notes
  • permission to grant access to a patient’s psychotherapy notes
  • disclosure of medical records to share information with family members during a mental health crisis, without the consent of the patient

It is worth noting that all practitioners should familiarise themselves with state laws relating to privacy and disclosure of information, as stricter state laws supersede HIPAA in some instances.

What are the differences between PHI and psychotherapy notes?

Generally, the HIPAA Privacy Rule applies uniformly to all protected health information, without regard to the type of information. This applies to mental health records that form part of an individual’s overall medical record, and are considered to be PHI.

By contrast, HIPAA defines psychotherapy notes as notes recorded by a healthcare provider who is a mental health professional that documents or analyzes the contents of conversations held with the patient during their treatment. Psychotherapy notes must be kept separate from an individual’s medical records, as they are granted special consideration under HIPAA Privacy Law.

Because of the sensitive nature of the information held in psychotherapy notes, if an organization wishes to store the notes within their electronic medical records (EMR) system, then these files must adhere to special naming and filing standards. Psychotherapy notes can be associated with the patient but must be done in a way that does not include the notes in their general medical record. It is crucial that all employees understand the differences between psychotherapy notes and PHI, and how to create, manage, access and disclose them appropriately.

What permission is required from the patient to disclose PHI vs. psychotherapy notes?

Consent must be sought from the patient to disclose any medical information relating to them in most circumstances. Psychotherapy notes have a higher level of protection under the Privacy Rule than other types of PHI. If a patient requests access to their medical record, it will not contain psychotherapy notes, as this is classified as completely different information and a covered entity is under no obligation to release them.

However, should the patient or a third party request access to psychotherapy notes in addition to PHI, the organization must obtain separate authorization from the individual concerned. If consent is not sought separately, this makes the disclosure noncompliant.

In what circumstances is it OK to disclose information without the patient’s consent?

In some instances, it may be necessary to communicate health information concerning a patient to others, such as family members, caregivers and law enforcement to ensure the safety of the individual and people around them without the patient’s consent. This also applies if the patient is incapacitated or not present if the practitioner feels it is in their best interest to disclose relevant information relating to an individual’s treatment based on their professional judgement.

There are very few exceptions relating to the disclosure of an individual’s psychotherapy notes without prior consent for any reason. However, it is at the discretion of the practitioner to determine whether a notable exception exists for disclosures required by other law, such as for mandatory reporting of abuse, and mandatory “duty to warn” situations regarding threats of serious and imminent harm made by the patient.

For more information relating to HIPAA and mental health, visit HHS.gov