Healthcare Information Security


Mental Health Data Security Critical in HIPAA Compliance

As providers work to maintain HIPAA compliance, mental health data security considerations remain paramount.


Mental healthcare is becoming an increasingly critical national issue. Covered entities and business associates that specialize in mental health are required to adhere to HIPAA regulations for maintaining, transferring, or sharing mental health data.

Without proper mental health data security, organizations could suffer a data breach and put sensitive information at risk.

How does mental health data security differ from regular PHI security? Are providers able to share information with family members and caregivers? What information are providers permitted to disclose to law enforcement, and for which situations is this allowed?

Current HIPAA regulations dictate that covered entities and their business associates must remain compliant when it comes to mental health records. Certain legislation making its way through the federal government could also potentially affect how organizations maintain HIPAA compliance and patient data security.

Organizations need to ensure that they understand all federal and state regulations when addressing mental health data security.

HIPAA regulations on mental health records

The HIPAA Privacy Rule requires that healthcare organizations maintain the privacy and security of mental health information. As with other types of PHI, the Privacy Rule also notes that there are certain circumstances where sensitive data “may need to be shared to ensure the patient receives the best treatment and for other important purposes, such as for the health and safety of the patient or others.”

“The Rule is carefully balanced to allow uses and disclosures of information—including mental health information—for treatment and these other purposes with appropriate protections,” HHS states on its website.

For example, healthcare providers are allowed to communicate with a patient’s family, friends, or other individuals involved in the patient’s care.

“The provider may ask the patient’s permission to share relevant information with family members or others, may tell the patient he or she plans to discuss the information and give them an opportunity to agree or object, or may infer from the circumstances, using professional judgment, that the patient does not object,” HHS explains.

HIPAA also allows healthcare providers to communicate with a number of parties about a patient’s care. These parties can include, but are not limited to, family members when the patient is an adult, parents of a minor patient, and family members, law enforcement, or others when the patient presents a serious and imminent threat of harm to self or others.

“In all cases, disclosures to family members, friends, or other persons involved in the patient’s care or payment for care are to be limited to only the protected health information directly relevant to the person’s involvement in the patient’s care or payment for care,” HHS maintains.


The “imminent threat” or harm aspect to the HIPAA Privacy Rule is critical. If an adult patient does not want information disclosed to friends or family members, then the healthcare provider must adhere to HIPAA. PHI disclosure, though, can potentially be made if “the provider perceives a serious and imminent threat to the health or safety of the patient or others and the family members are in a position to lessen the threat.”

One example HHS discusses in a FAQ involves a patient who is at high risk of suicide. The patient’s doctor knows that when the patient’s medication is not at a therapeutic level, she is at a higher risk of suicide.

“The doctor may believe in good faith that disclosure is necessary to prevent or lessen the threat of harm to the health or safety of the patient who has stopped taking the prescribed medication, and may share information with the patient’s family or other caregivers who can avert the threat,” HHS elaborates.

However, the doctor must respect the PHI disclosure aspect of HIPAA. Without that “good faith belief” of potential harm, the doctor cannot share information with the patient’s family or caregiver.


The distinction of psychotherapy notes

Psychotherapy notes receive special protections under HIPAA. These notes are separate from the rest of a patient’s medical record and are “recorded by a health care provider who is a mental health professional documenting or analyzing the contents of a conversation during a private counseling session or a group, joint, or family counseling session.”

Psychotherapy notes also do not include the following information:

  • Medication prescription and monitoring
  • Counseling session start and stop times
  • The modalities and frequencies of treatment furnished
  • Clinical test results
  • Diagnosis summaries
  • Functional status
  • Treatment plan
  • Symptoms
  • Prognosis
  • Progress to date

Psychotherapy notes are treated differently because they are a therapist’s personal notes, needed only by the mental health professional who created them. These notes “typically are not required or useful for treatment, payment, or health care operations purposes,” HHS makes clear.

“A notable exception exists for disclosures required by other law, such as for mandatory reporting of abuse, and mandatory ‘duty to warn’ situations regarding threats of serious and imminent harm made by the patient (State laws vary as to whether such a warning is mandatory or permissible),” according to HHS.

Parents also do not have a right to receive a copy of psychotherapy notes about a child’s mental health treatment.

“Psychotherapy notes are primarily for personal use by the treating professional and generally are not disclosed for other purposes,” HHS explains. “Thus, the Privacy Rule includes an exception to an individual’s (or personal representative’s) right of access for psychotherapy notes.”

Even so, parents are often the personal representatives of their children. In that case, parents would be able to receive a copy of their child’s mental health data within the medical record.

HIPAA regulations also let providers use their discretion in disclosing PHI — including psychotherapy notes — directly to the individual patient or the patient’s personal representative. HHS notes that mental health providers should consult applicable state laws to ensure that there are not any prohibitions or conditions before they would disclose such information.


Mental health legislation discussion, potential changes

Recent legislation has asked for more clarification within HIPAA regulations regarding mental health treatment.

In June 2016, the House of Representatives passed the Helping Families in Mental Health Crisis Act (HR 2646). The bill aimed to iron out confusion hindering mental health providers, stating that better clarification was needed for PHI disclosure.

“When individuals with [serious mental illness], even after efforts to help them understand, have failed to care for themselves, there exists confusion in the health care community around what is currently permissible under HIPAA rules,” the bill read. “This confusion may hinder communication with responsible caregivers who may be able to facilitate care for the patient with SMI in instances when the individual does not give permission for disclosure.”


The American Health Association (AHA) announced its support of the bill, saying it was important “to clarify what information providers may disclose to parents and caregivers in certain situations.”

In a letter to the House Energy and Commerce Health Subcommittee, Executive Vice President Thomas P. Nickels said that “the lack of access to, coverage for, and integration of behavioral health services limits their ability to provide comprehensive, appropriate care that meets communities’ needs.”

“The AHA is providing the field with tools and resources necessary to promote behavioral health integration through community partnerships,” Nickels continued. “Further, we recognize that the stigma associated with mental illness and substance abuse disorders continues to prevail and that, as a result, many in need of treatment still do not seek help.”

HHS also announced in January 2016 that the HIPAA Privacy Rule may be modified to improve the background check process individuals go through in order to purchase a firearm.

The proposed changes would let certain covered entities disclose information to the National Instant Criminal Background Check System (NICS).

“This rule applies only to a small subset of HIPAA covered entities that either make the mental health determinations that disqualify individuals from having a firearm or are designated by their States to report this information to NICS — and it allows such entities to report only limited identifying, non-clinical information to the NICS,” HHS said publicly.

The changes would also not allow the reporting of diagnostic, clinical, or other mental health treatment information. The information disclosure “is restricted to limited demographic and certain other information needed for NICS purposes.”

“Under this final rule, only covered entities with lawful authority to make the adjudications or commitment decisions that make individuals subject to the Federal mental health prohibitor, or that serve as repositories of information for NICS reporting purposes, are permitted to disclose the information needed for these purposes,” the rule stated.


Considering patient privacy in HIPAA compliance

Covered entities and business associates must maintain HIPAA compliance, regardless of the reasons a patient is seeking care in the first place. Mental health data privacy is no less important than standard PHI privacy.

Implementing applicable technical safeguards, physical safeguards, and administrative safeguards is essential. Organizations should have regular employee training to ensure that staff members at all levels understand how to utilize the latest technology while still keeping data secure.

Finally, regularly reviewing and having a full understanding of HIPAA regulations, as well as applicable state laws, will assist organizations in understanding mental health data security measures.
