The HIPAA applies to a wide range of health care providers, including providers in the field of mental health. Here is an overview of the most important things to know for mental health professionals.
Please note that the rules are fairly complex: take this blog as a high-level, grossly simplified overview and nothing more, and refer to a legal professional if you need detailed information!
- What is the HIPAA?
- When does the HIPAA apply?
- Does the HIPAA apply to mental healthcare providers?
- What is the Privacy Rule?
- What does the Privacy Rule say?
- What are some common issues with HIPAA for mental health professionals?
- More than privacy
What is the HIPAA?
The HIPAA is the 1996 Health Insurance Portability and Accountability Act of the US. The US Department of Health and Human Services is responsible for enforcing the HIPAA and for expanding it through its own regulations.
The HIPAA is not a privacy law in a strict sense: it covers a broad range of topics, including standards for the security and portability of health information.
When does the HIPAA apply?
The scope of the HIPAA is somewhat complex. Information is covered by the HIPAA when it satisfies three cumulative requirements:
- it is personally identifiable
- it relates to health, including mental health
- it is collected by a health care provider
Information that satisfies all of the above requirements falls under the HIPAA and is referred to as PHI (short for protected health information).
Health care providers often work with third parties who need access to PHI in order to do their jobs. For instance, hospitals need to forward treatment bills to the insurance plans of their patients. These third parties are referred to as business associates. The HIPAA includes specific rules and requirements for disclosing data to a business associate.
For more in-depth information on the notion of PHI and the position of business associates, feel free to check out our blog on the HIPAA’s scope.
Does the HIPAA apply to mental healthcare providers?
Yes. The HIPAA does not differentiate between physical and mental health issues, nor does it differentiate between, say, a surgical center and a psychotherapy practice. This means that mental healthcare providers and their business associates must comply with the HIPAA.
What is the Privacy Rule?
The Privacy Rule is not a single rule, but rather a set of rules in the HIPAA that deal with the privacy of PHI. In a nutshell, the Privacy Rule is about data disclosures: these rules tell healthcare providers whether they can disclose PHI, and whether they need the patient’s authorization to do so.
What does the Privacy Rule say?
The Privacy Rule is hard to sum up in a nutshell. To very grossly simplify: the disclosure of PHI requires a written authorization from the patient, save for specific scenarios.
The exemptions all relate to scenarios where the disclosure is necessary. For instance, a hospital can disclose medical records to the patient’s new hospital in order to ensure continuity of care, and healthcare providers can bill insurance plans for surgery. Similarly, information can be disclosed in order to prevent a patient from harming themselves or others, and when the law mandates the disclosure to law enforcement.
State laws and professional codes of conduct also play a role in determining what disclosures are permitted.
What are some common issues with HIPAA for mental health professionals?
The capacity to agree
Mental health patients are not always in a condition where they can meaningfully agree or object to the disclosure of their data. In such situations, the HIPAA allows professionals to disclose PHI to family, relatives, or other people involved in care, as long as this is in the patient’s best interest.
Please note that codes of conduct are also relevant here, and that some PHI may be held to higher privacy standards under the law. For instance, the US Code of Federal Regulations includes stringent rules about information related to drug abuse.
The duty to warn
Mental health professionals sometimes need to make the difficult choice of disclosing confidential information in order to prevent a patient from harming themselves or others.
As a general rule, the HIPAA allows PHI disclosures without authorization when they are needed to prevent harm. These disclosures are not required under the HIPAA, only permitted. In other words, the HIPAA does not interfere with a healthcare professional’s duty to warn, but it does not create a disclosure obligation, either. At the end of the day, the call is for healthcare professionals to make.
State law and professional codes of conduct also deal with the duty to warn and typically include more specific rules. Because the HIPAA only permits disclosures, but does not mandate them, these specific rules typically prevail over the generic provisions of the HIPAA.
Psychotherapy notes
Psychotherapy notes are a specific category of PHI subject to a stricter regime. As a rule of thumb, psychotherapy notes cannot be disclosed without authorization, save for very specific scenarios (for instance, when the disclosure is required by another law).
This different regime is due to the fact that psychotherapy notes are typically only of use to the therapist: there is rarely a compelling reason for a mental health professional to disclose psychotherapy notes to a third party.
More than privacy
While the Privacy Rule is very important, the HIPAA is a comprehensive law that covers other aspects of the processing of health data, such as security standards, PHI portability, and technical standards for maintaining health records. Do not focus on the Privacy Rule at the expense of everything else!