Health Law Blog - Healthcare Legal Issues

Archive for the ‘Behavioral Health Law’ Category

Mental Health Center Settlement for Failure to Provide Patient Record Copies

Tuesday, February 20th, 2018

OCR Sanction for Failing to Provide Patient Access to Protected Health Information

OCR Settlements Illustrate Area of HIPAA Risk

In this case, which was settled with the Office of Civil Rights, the provider was a mental health center that was accused of refusing to provide a patient with a copy of her medical record, including psychotherapy notes. OCR’s investigation revealed that the Center provided the complainant with an opportunity to review her medical record, including the psychotherapy notes, with her therapist. However, the provider failed to provide the patient with a copy of her records. The Privacy Rule requires covered entities to provide individuals with access to their medical records; however, the Privacy Rule exempts psychotherapy notes from this requirement if they are separately maintained by the covered entity. Although the Center gave the complainant the opportunity to review her medical record, this did not negate the Center’s obligation to provide the complainant with a copy of her records. Among other corrective action taken, the Center provided the complainant with a copy of her medical record and revised its policies and procedures to ensure that it provides timely access to all individuals.

The regulations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which protect the privacy and security of individuals’ identifiable health information and establish an array of individual rights with respect to health information, have always recognized the importance of providing individuals with the ability to access and obtain a copy of their health information. With limited exceptions, the HIPAA Privacy Rule (the Privacy Rule) provides individuals with a legal, enforceable right to see and receive copies upon request of the information in their medical and other health records maintained by their health care providers and health plans.  Thus, individuals have a right to a broad array of health information about themselves maintained by or for covered entities, including: medical records; billing and payment records; insurance information; clinical laboratory test results; medical images, such as X-rays; wellness and disease management program files; and clinical case notes; among other information used to make decisions about individuals. In responding to a request for access, a covered entity is not, however, required to create new information, such as explanatory materials or analyses, that does not already exist in the designated record set.

An individual does not have a right to access PHI that is not part of a designated record set because the information is not used to make decisions about individuals. This may include certain quality assessment or improvement records, patient safety activity records, or business planning, development, and management records that are used for business decisions more generally rather than to make decisions about individuals.

In addition, two categories of information are expressly excluded from the right of access:

  1. Psychotherapy notes, which are the personal notes of a mental health care provider documenting or analyzing the contents of a counseling session, that are maintained separate from the rest of the patient’s medical record. See 45 CFR 164.524(a)(1)(i) and 164.501.
  2. Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding. See 45 CFR 164.524(a)(1)(ii).

Written Agreement Requirement for Disclosure of Part 2 Records

Wednesday, January 31st, 2018

Disclosure of Part 2 Records for Payment or Health Care Operations Requires Written Agreement

Regulations issued by SAMHSA in January of 2018 permit a lawful holder of Part 2 Records (relating to alcohol or substance abuse treatment) to disclose those records, with written consent of the patient, to its contractors, subcontractors, or legal representatives to carry out payment or healthcare operations on behalf of the lawful holder. The regulations list 17 examples of situations where a release may be considered appropriate. Disclosures to contractors, subcontractors, and legal representatives to carry out other purposes such as substance use disorder patient diagnosis, treatment, or referral for treatment are not permitted under the new rule.

In order to take advantage of the rule permitting disclosure for payment and/or health care operations, the lawful holder of the information is required to have in place a written contract or comparable legal instrument with the contractor or voluntary legal representative, which provides that the contractor, subcontractor, or voluntary legal representative is fully bound by the provisions of part 2 upon receipt of the patient identifying information.

In addition to having a proper contract in place, when making any such disclosures, the lawful holder must take the following further steps:

  • furnish such recipients with the notice required under § 2.32 of the regulations;
  • require such recipients to implement appropriate safeguards to prevent unauthorized uses and disclosures; and
  • require such recipients to report any unauthorized uses, disclosures, or breaches of patient identifying information to the lawful holder.

The lawful holder may only disclose information to the contractor or subcontractor or voluntary legal representative that is necessary for the contractor or subcontractor or voluntary legal representative to perform its duties under the contract or comparable legal instrument. Contracts may not permit a contractor or subcontractor or voluntary legal representative to re-disclose information to a third party unless that third party is a contract agent of the contractor or subcontractor, helping them provide services described in the contract, and only as long as the agent only further discloses the information back to the contractor or lawful holder from which the information originated.

17 Examples SAMHSA Payment and Health Care Operations

Wednesday, January 31st, 2018

Examples of Disclosures of Part 2 Records for Payment and Health Care Operations

In regulations released in January of 2018, SAMHSA included a list of 17 specific types of payment and health care operations in the regulatory text that would be the basis for further disclosures by a lawful holder of patient identifying information. SAMHSA did not include this list of 17 items in the regulations.  Rather, these items were contained in the preamble reflecting that additional reasons for release for payment and health care operations may be permissible.  Examples of permissible activities under § 2.33(b) that SAMHSA considers to be payment and health care operations activities include:

  • Billing, claims management, collections activities, obtaining payment under a contract for reinsurance, claims filing and related health care data processing;
  • Clinical professional support services (e.g., quality assessment and improvement initiatives; utilization review and management services);
  • Patient safety activities;
  • Activities pertaining to:
      • The training of student trainees and health care professionals;
      • The assessment of practitioner competencies;
      • The assessment of provider and/or health plan performance; and
      • Training of non-health care professionals;
  • Accreditation, certification, licensing, or credentialing activities;
  • Underwriting, enrollment, premium rating, and other activities related to the creation, renewal, or replacement of a contract of health insurance or health benefits, and ceding, securing, or placing a contract for reinsurance of risk relating to claims for health care;
  • Third-party liability coverage;
  • Activities related to addressing fraud, waste and abuse;
  • Conducting or arranging for medical review, legal services, and auditing functions;
  • Business planning and development, such as conducting cost management and planning-related analyses related to managing and operating, including formulary development and administration, development or improvement of methods of payment or coverage policies;
  • Business management and general administrative activities, including management activities relating to implementation of and compliance with the requirements of this or other statutes or regulations;
  • Customer services, including the provision of data analyses for policy holders, plan sponsors, or other customers;
  • Resolution of internal grievances;
  • The sale, transfer, merger, consolidation, or dissolution of an organization;
  • Determinations of eligibility or coverage (e.g. coordination of benefit services or the determination of cost sharing amounts), and adjudication or subrogation of health benefit claims;
  • Risk adjusting amounts due based on enrollee health status and demographic characteristics;
  • Review of health care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges.

SAMHSA believes it is important to maintain patient choice in disclosing information to health care providers with whom patients have direct contact. For this reason, the final provision in § 2.33(b) does not cover care coordination or case management and disclosures to contractors, subcontractors, and legal representatives to carry out such purposes are not permitted under this section. In addition, SAMHSA added language to the regulatory text in § 2.33(b) to clarify that disclosures to contractors, subcontractors and legal representatives are not permitted for activities related to a patient’s diagnosis, treatment, or referral for treatment.

Disclosures for Specific Payment or Health Care Operations Purposes (§ 2.33)

Wednesday, January 31st, 2018

Part 2 Records –  Specific Payment or Health Care Operations Purposes (§ 2.33)

Special restrictions apply to health information that is restricted under SAMHSA rules. These rules protect patient information involving substance and alcohol treatment in Federal programs. SAMHSA requirements are much more restrictive than HIPAA rules and must be considered, not only by substance abuse programs, but also by providers and others who may receive these records and are subject to strict re-disclosure prohibitions.

The 2018 Rules finalize the scope and requirements for permitted disclosures to contractors, subcontractors, and legal representatives for the purpose of payment and health care operations. SAMHSA lists 17 specific types of activities for which minimal information necessary may be disclosed for specific payment and health care operations activities. The 17 specific activities are listed in the preamble, rather than the regulatory text, as examples of potentially permissible disclosures.
SAMHSA states that its intent is for other appropriate payment and health care operations activities to be permitted beyond the 17 listed activities. In addition, consistent with SAMHSA’s prior statement in the SNPRM preamble, SAMHSA has added language to the regulatory text in § 2.33(b) to clarify that disclosures to contractors, subcontractors, and legal representatives are not permitted for activities related to a patient’s diagnosis, treatment, or referral for treatment. The rules require lawful holders of restricted information who engage contractors or subcontractors to carry out payment and health care operations activities to include specific contract provisions addressing compliance with part 2. Additionally, language was added to the regulation to clarify that disclosures to contractors, subcontractors, and legal representatives are not permitted for substance use disorder patient diagnosis, treatment, or referral for treatment.

Notice of Restriction on Re-Disclosure SAMHSA Records

Wednesday, January 31st, 2018

Prohibition on Re-Disclosure – Changes in New SAMHSA Final Rules (§ 2.32)

One of the primary new operative provisions that was created in the 2017 Final Rules is an expanded prohibition against re-disclosure of records that are covered under SAMHSA. Even when a disclosure is permitted, the 2017 rules required the disclosure to be accompanied by a lengthy written statement, notifying the recipient of the special status of the information and the prohibition against re-disclosure. The notification was ridiculously long:

This information has been disclosed to you from records protected by Federal confidentiality rules (42 CFR part 2). The Federal rules prohibit you from making any further disclosure of this information unless further disclosure is expressly permitted by the written consent of the person to whom it pertains or as otherwise permitted by 42 CFR part 2. A general authorization for the release of medical or other information is NOT sufficient for this purpose. The Federal rules restrict any use of the information to criminally investigate or prosecute any alcohol or drug abuse patient.

The new 2018 Rules create an abbreviated notice that is 80 characters long to fit in standard free-text space within health care electronic systems. The abbreviated notice in this final rule reads ‘‘Federal law/42 CFR part 2 prohibits unauthorized disclosure of these records.’’

The 42 CFR part 2 regulations have always required that a notice of the prohibition on redisclosure accompany each disclosure made with the patient’s written consent. With the adoption of electronic health record systems, it became difficult to comply electronically with the longer notification form due to character limits in free-text fields within electronic health record systems. Many electronic record systems contain a free-text space with a maximum character capacity of 80 characters. The new 2018 Rules reflect SAMHSA’s belief that offering an abbreviated notice option will be beneficial to providers who use electronic health record systems to exchange data.

SAMHSA recognizes concerns that an abbreviated notice could be insufficient to convey understanding of part 2 requirements. SAMHSA encourages part 2 programs and other lawful holders of restricted records that choose to use the abbreviated notice to discuss the restriction and redisclosure requirements applicable to SAMHSA protected records with those to whom they disclose patient identifying information.

Confidentiality of Substance Use Disorder Patient Records

Wednesday, January 31st, 2018

New SAMHSA Clarifying Regulations for Part 2 Program Records

New Final regulations were issued on January 2, 2018 by the Substance Abuse and Mental Health Services Administration (SAMHSA). The new Final regulations supplement SAMHSA’s major regulation change that was finalized in regulations that were released in January of 2017. The new, 2018 Final regulations add some clarification and more specificity to some of the requirements of the 2017 rule.

These rules, commonly known as the “SAMHSA Rules” or “Part 2”, describe special confidentiality restrictions that apply to Substance Use Disorder Patient Records related to certain substance use disorder treatment programs that receive federal financial assistance. The confidentiality requirements that apply to treatment records covered by the SAMHSA Rules are more stringent than those that apply to general patient health records. The special restrictions on these records have been in existence for decades, with the last major re-write occurring in 1987.

SAMHSA began a process of reconstituting the SAMHSA Rules in February of 2016, when it published a Notice of Proposed Rulemaking (NPRM) in the Federal Register (81 FR 6988). SAMHSA’s stated purpose for revising the rules was to reflect development of integrated health care models and the use of electronic exchange of patient information. At the same time, SAMHSA’s aim was to accommodate new technologies while maintaining confidentiality protections for patients of covered treatment programs who could encounter discrimination if their information is not properly protected.

The Final Rules that were published on January 18, 2017, provided for greater flexibility in disclosing patient identifying information within the health care system while continuing to address the need to protect the confidentiality of substance use disorder patient records. At the same time that it published the 2017 Final Rules, SAMHSA issued a supplemental notice of proposed rulemaking (SNPRM) to solicit public comment on additional proposals in a variety of areas covered by the SAMHSA Rule. The new Final Rules that were issued on January 2, 2018, address many of the issues suggested in the SNPRM and integrate some of the 55 regulatory comments that SAMHSA received in response to the SNPRM.

SAMHSA received numerous comments asking it to consider alignment of the special restrictions applicable through the SAMHSA Rules with the Health Insurance Portability and Accountability Act (HIPAA) or the Health Information Technology for Economic and Clinical Health (HITECH) Act. It is challenging for providers to establish different requirements for special status records. By their very nature, the more restrictive requirements that are applicable to SAMHSA covered records require providers to “triage” record requests to be certain that they are not covered by the special restrictions of the SAMHSA Rules. This is especially problematic when a provider that does not provide alcohol or substance abuse treatment receives SAMHSA protected records from another provider. SAMHSA Rules now subject receiving providers to a direct prohibition against redisclosure.

SAMHSA says that it has attempted to align the final rule with HIPAA, the HITECH Act, and their implementing regulations to the extent feasible. Yet, the more stringent SAMHSA restrictions will be difficult to completely harmonize with HIPAA and HITECH. Part 2 provides more stringent federal protections than other health privacy laws such as HIPAA and seeks to protect individuals with substance use disorders who could be subject to discrimination and legal consequences in the event that their information is improperly used or disclosed. A similar issue exists with respect to many state laws that provide more stringent privacy restrictions on records related to mental health related services. Decision trees applicable to disclosure of special treatment records can be quite complex, particularly when HIPAA preemption concepts are applied as an overlay to the base analysis.

Follow our article series on the SAMHSA Regulations on this site.

Don’t Overlook Special Status of Behavioral Health Records

Monday, January 9th, 2017

Most health care providers have implemented HIPAA compliant policies and procedures and have made them operational. We often see providers who have not given appropriate levels of thought to behavioral health records. HIPAA and state laws generally provide different levels of protection for patient information that relates to mental health issues or alcohol and drug treatment. This requires providers to have policies and procedures in place that help employees identify these types of records and that describe appropriate precautions and special rules that apply.

Generally, Federal law treats general mental health records in the same way it treats other types of health information.  Many state statutes require more protection over confidentiality of mental health records than general health information.  Further distinction is made between general mental health/behavioral health records and the subset of those records that include psychotherapy notes.   Psychotherapy notes are rarely subject to disclosure to third parties.  In many cases even the subject patient can be denied access to psychotherapy notes.

It is important that policies and procedures clearly define mental health records and psychotherapy notes and describe the special restrictions that are applicable to both. Clearly, the special restrictions on psychotherapy notes must be honored. It is also important that healthcare providers do not apply the broader restrictions that are applicable to psychotherapy notes to more general mental health records. Failing to understand the distinction between the various types of records can have adverse consequences under applicable laws and can even put patient care at risk.

This issue is further complicated because State and Federal protections can be different and even conflicting.  This requires providers to perform a preemption analysis to determine which law to follow.  That analysis can be different depending on the type of record involved and the purpose and nature of the contemplated release.

Psychotherapy notes are given special treatment under Federal law.  Psychotherapy notes are defined under Federal law as notes recorded by a health care provider who is a mental health professional documenting or analyzing the contents of a conversation during a private counseling session or a group, joint, or family counseling session and that are separate from the rest of the patient’s medical record.  Psychotherapy notes can rarely be released to a third party and often even the patient can be denied access to these records.  Certain information is not included within the definition of psychotherapy notes such as medical prescriptions, session start and stop times, frequency of treatment, results of clinical tests, summaries of diagnosis, symptoms, prognosis, etc.  This information is considered to be mental health records but does not receive the same special protection as psychotherapy notes.

Organizations should read and understand the distinction between general mental health records and psychotherapy notes.  Separation is key to complying with restrictions that are applicable to psychotherapy notes.  Psychotherapy notes should be stored separately from the patient’s medical records (which includes behavioral and mental health records).

Organizations that use electronic medical records (EMR) systems must devise ways to separate psychotherapy notes from other types of medical records. This might include integration of special naming and filing standards into the electronic record. Staff training is required to assure that the differences between psychotherapy notes and mental health records are maintained.

Some state laws complicate the analysis even further by providing additional restrictions on general mental health records. Depending on your state, this analysis can become quite complicated and dependent on the purpose and nature of the contemplated release, application of preemption rules, and interpretation of state and Federal statutes and regulations.

Telehealth Certification In Wisconsin Mental Health Programs

Tuesday, August 11th, 2015

Process for Telehealth Certification In Wisconsin

Only certified mental health and/or substance abuse programs, or agencies planning to be certified as a mental health and/or substance abuse provider, may apply for telehealth certification. The first step in the process is for the agency to write a plan addressing each section in the attached template. The plan is then sent to the Behavioral Health Certification Section of the Division of Quality Assurance.

Providers must demonstrate compliance with their approved plan to the Division of Quality Assurance surveyor(s) during a site review or other unannounced focus visits.

Requirements for Telehealth Certification

There are several requirements that must be met in order to maintain certification.  Many of these requirements will need to be reflected in compliance policies and made operational as part of the telehealth program. These requirements fall in the following areas subject to additional detail in each area:

  • applicable regulatory requirements for the provider’s specific program (Administrative Code DHS 34, 35, 36, 40, 41, 61, 63, and 75)
  • requirements related to clinical supervision/collaboration for program staff who provide treatment services via telehealth, background checks, maintenance of professional liability insurance, documentation into the consumer’s record in a timely manner, and other requirements.
  • requirements regarding the locations for staff other than the main office of certified program or a certified branch office. Patients must receive the telehealth services at the main office or a certified branch office of the certified program.
  • Restriction against providing the telehealth services to consumers who are in-home or in-community.
  • minimum transmission standards established by the American Telemedicine Association (see http://www.americantelemed.org/resources/telemedicine-practice-guidelines/telemedicine-practice-guidelines)
  • compliance with vendor requirements for the telehealth hardware/software to ensure that the telehealth service is of high quality and as close to a face to face visit as possible.
  • orientation and ongoing training to staff on the use of the telehealth equipment, the clinical application of telehealth, safety and security during telehealth visits, privacy and confidentiality, back-up procedures if there is equipment failure, and consumer preparation for telehealth.
  • Assuring that patients are informed about the provision of services provided through telehealth, the history of telehealth, success rate of telehealth services, how telehealth sessions are conducted, and the extent to which the program is able to provide treatment services face-to-face versus via telehealth.
  • an ongoing method for obtaining consumer satisfaction on telehealth visits and evaluating the results of this survey process for quality assurance purposes
  • patient choice of having a face to face visit with a professional or seeing this person via telehealth, to the extent feasible.
  • workspaces must be secure, private, reasonably soundproof, and have a lockable door to prevent unexpected entry.
  • Efforts to ensure privacy so provider discussion cannot be overheard by others outside of the room where the service is provided.
  • If other people are in either the patient or the professional’s room, both the program staff and the consumer must be made aware of the other person and agree to their presence.
  • Program staff must verify for the consumer the identity of the staff member who is providing the treatment services via telehealth and verify for the staff member providing the treatment services the consumer’s identity.
  • policy/procedure for technology breakdown that causes a disruption of the session.
  • System to ensure secure upload and download with the vendor’s server. At least 128-bit encryption software must be used.
  • assure that no information from a transmission of a telehealth services is stored on the vendor’s servers.
  • use of HIPAA Business Associate Agreement if information is transmitted via the vendor’s servers.

How Does Wisconsin Medicaid Reimburse for Telehealth?  Check Out The Article Here: Telemedicine Reimbursement Mental Health Programs

ATA Issues Telemedicine Protocols for Mental Health Services

Tuesday, March 26th, 2013

ATA Proposed Telemedicine Protocols – Mental Health Video Services

The American Telemedicine Association just issued a request for public comment on a draft policy that it released relative to video-based mental health services. The proposed ATA policies are intended to “detail best-practices for online mental health providers delivering video-based services through personal computers and mobile devices” according to the ATA release.

You can access the ATA proposed practice guidelines at: www.americantelemed.org/standards

You can comment to the proposed practice protocols at the following link:
www.americantelemed.org/comments

For more information regarding legal and regulatory issues affecting telemedicine and telehealth programs, contact John H. Fisher at the Ruder Ware Health Care Focus Group through the contact information on this page.

Anti-kickback Statutes Safe Harbor Regulations

Thursday, December 8th, 2011

Anti-kickback Statutes and Safe Harbor Regulations

Overview: On the books since 1972, the federal anti-kickback law’s main purpose is to protect patients and the federal health care programs from fraud and abuse by curtailing the corrupting influence of money on health care decisions. Straightforward but broad, the law states that anyone who knowingly and willfully receives or pays anything of value to influence the referral of federal health care program business, including Medicare and Medicaid, can be held accountable for a felony. Violations of the law are punishable by up to five years in prison, criminal fines up to $25,000, administrative civil money penalties up to $50,000, and exclusion from participation in federal health care programs.

Because the law is broad on its face, concerns arose among health care providers that some relatively innocuous — and in some cases even beneficial — commercial arrangements are prohibited by the anti-kickback law. Responding to these concerns, Congress in 1987 authorized the Department to issue regulations designating specific “safe harbors” for various payment and business practices that, while potentially prohibited by the law, would not be prosecuted.

John H. Fisher

Health Care Counsel
Ruder Ware, L.L.S.C.
500 First Street, Suite 8000
P.O. Box 8050
Wausau, WI 54402-8050

Tel 715.845.4336
Fax 715.845.2718

Ruder Ware is a member of Meritas Law Firms Worldwide
