Health Law Blog - Healthcare Legal Issues

Posts Tagged ‘HIPAA’

Don’t Overlook Special Status of Behavioral Health Records

Monday, January 9th, 2017

Most health care providers have implemented HIPAA compliant policies and procedures and have made them operational.  We often see providers who have not given appropriate levels of thought to behavioral health records.  HIPAA and state laws generally provide different levels of protection for patient information that relates to mental health issues or alcohol and drug treatment.  This requires providers to have policies and procedures in place that help employees identify these types of records and that describe the appropriate precautions and special rules that apply.

Generally, Federal law treats general mental health records in the same way it treats other types of health information.  Many state statutes require more protection over confidentiality of mental health records than general health information.  Further distinction is made between general mental health/behavioral health records and the subset of those records that include psychotherapy notes.   Psychotherapy notes are rarely subject to disclosure to third parties.  In many cases even the subject patient can be denied access to psychotherapy notes.

It is important that policies and procedures clearly define mental health records and psychotherapy notes and describe the special restrictions that are applicable to both.  Clearly, the special restrictions on psychotherapy notes must be honored.  It is also important that healthcare providers do not apply the broader restrictions that are applicable to psychotherapy notes to more general mental health records. Failing to understand the distinction between the various types of records can have adverse consequences under applicable laws and can even put patient care at risk.

This issue is further complicated because State and Federal protections can be different and even conflicting.  This requires providers to perform a preemption analysis to determine which law to follow.  That analysis can be different depending on the type of record involved and the purpose and nature of the contemplated release.

Psychotherapy notes are given special treatment under Federal law.  Psychotherapy notes are defined under Federal law as notes recorded by a health care provider who is a mental health professional documenting or analyzing the contents of a conversation during a private counseling session or a group, joint, or family counseling session and that are separate from the rest of the patient’s medical record.  Psychotherapy notes can rarely be released to a third party and often even the patient can be denied access to these records.  Certain information is not included within the definition of psychotherapy notes such as medical prescriptions, session start and stop times, frequency of treatment, results of clinical tests, summaries of diagnosis, symptoms, prognosis, etc.  This information is considered to be mental health records but does not receive the same special protection as psychotherapy notes.

Organizations should read and understand the distinction between general mental health records and psychotherapy notes.  Separation is key to complying with restrictions that are applicable to psychotherapy notes.  Psychotherapy notes should be stored separately from the patient’s medical records (which includes behavioral and mental health records).

Organizations that use an electronic medical records (EMR) system must devise ways to separate psychotherapy notes from other types of medical records.  This might include integration of special naming and filing standards into the electronic record. Staff training is required to assure that the differences between psychotherapy notes and mental health records are maintained.

Some state laws complicate the analysis even further by providing additional restrictions on general mental health records.  Depending on your state, this analysis can become quite complicated and dependent on the purpose and nature of the contemplated release, application of preemption rules, and interpretation of state and Federal statutes and regulations.

Model Patient Privacy Notice Forms Privacy Rule Compliance

Thursday, September 19th, 2013

Patient Privacy Notice Forms

The HIPAA Privacy Rule gives individuals a fundamental right to be informed of the privacy practices of the health care providers and their privacy rights with respect to their personal health information. Providers are obligated to provide patients with a clear and concise description of their rights.

The HHS Office for Civil Rights and Office of the National Coordinator for Health Information Technology have released model Notices of Privacy Practices for health care providers and health plans. The model was created by collaboration between the two agencies with jurisdiction over patient privacy issues. The models express the views of these agencies concerning what health care providers should be communicating to their patients.

The Model Notices can be found at the following page of the HHS web site. Model Privacy Notices

It is notable that the model Notices of Privacy are not as in depth as the forms that have been used by many health care providers in the past. There is a simplicity to the model which seems to be directed toward communicating basic information to patients as opposed to an approach that includes “everything under the sun” in order to protect the provider. The less complicated approach seems to be more consistent with the regulatory requirement that providers develop and distribute a notice that provides a clear, user friendly explanation of these rights and practices.

The model released by the agencies provides a variety of formats that providers can consider depending on the context and their personal preference. The optional formats include:

  • Notice in the form of a booklet
  • A layered notice that presents a summary of the information on the first page, followed by the full content on the following pages
  • A notice with the design elements found in the booklet, but formatted for full page presentation
  • A text only version of the notice

The models integrate the regulatory changes contained in the Omnibus Rule. Providers may use these models to serve as the baseline for compliance with the new requirements. For example, relatively new changes to patient access rights to information that is held in an electronic health record are covered. Providers who have not recently updated their notices may not include this information in their disclosure form.

The provided forms are set up so that providers can simply enter their specific information in the model forms. They can then be printed, posted, and otherwise used in connection with their practices.

The agencies seem to be actively encouraging providers to use these standard forms. Providers should take the opportunity to review their Notice of Privacy Policies and consider updating them to conform with the government provided standard forms unless the provider has a compelling reason to be more inclusive in its disclosure.

 


OCR HIPAA Audit Resources For Healthcare Providers

Monday, July 30th, 2012

 HIPAA Audit Resources for OCR Audit of Health Care Providers

 HIPAA Information For Covered Entities

 HIPAA Audit Protocol

 Office of Civil Rights (OCR) HIPAA Notification Page

HIPAA New Archives

Patient Safety Confidentiality (PSQIA)

Sample Business Associates Contract

 Things To Do Before a HIPAA Audit is announced

Before you even have notice that you may be the subject of a HIPAA audit, you should be certain that your HIPAA “ducks” are in a row.  Taking last minute action when an audit is announced will not be nearly as effective as demonstrating that you have had a long term commitment to HIPAA compliance.  Here are a few things that you should do now, before you are the subject of an audit.  This list is not meant to be all inclusive.

  • Review all policies and procedures that are required in order to comply with HIPAA. Consider an external review by an independent party.
  • Document a plan of correction if deficiencies are identified and document the correction process.
  • Designate departmental individuals who are responsible for HIPAA issues and prepare them to address the process of implementation in their area of responsibility.
  • Conduct a thorough risk analysis in accordance with OCR risk assessment guidance (referenced below).
  • Assure that your compliance training program is up to date and that employees have signed off on receiving required training.  Correct any discovered deficiencies in training.
  • Audit every outside vendor and contracting party and make certain that there is an appropriate Business Associates Agreement in place.

Major Issues Arising In First Round of HIPAA Audits

  • Patient record request review process, specifically denial process;
  • Providers failing to provide patients with access to their records;
  • Insufficient or non-existent policies and procedures;
  • Improper use of information relating to decedents;
  • Disclosure of information to personal representatives;
  • Risk Assessment process; and
  • Difficulties with Business Associate Agreements.

HIPAA’s Security Rule requires that covered entities periodically conduct a risk analysis.  The OCR has issued guidance on conducting such an analysis.  In the event of an audit, the results of your audit are likely to be requested. A review of your HIPAA policies should be conducted on an annual basis.  Any deficiencies should be identified and addressed in a corrective action plan.  Carefully document your review and the process you use to correct any identified deficiencies.  OCR Audit Guidelines

John H. Fisher

Health Care Counsel
Ruder Ware, L.L.S.C.
500 First Street, Suite 8000
P.O. Box 8050
Wausau, WI 54402-8050

Tel 715.845.4336
Fax 715.845.2718

Ruder Ware is a member of Meritas Law Firms Worldwide

Disclaimer
The Health Care Law Blog is made available by Ruder Ware for educational purposes and to provide a general understanding of some of the legal issues relating to the health care industry. This site does not provide specific legal advice and you should not use the information contained on this site to address your specific situation without consulting with legal counsel that is well versed in health care law and regulation. By using the Health Care Law Blog site you understand that there is no attorney client relationship between you and Ruder Ware or any individual attorney. Postings on this site do not represent the views of our clients. This site links to other information resources on the Internet; these sites are not endorsed or supported by Ruder Ware, and Ruder Ware does not vouch for the accuracy or reliability of any information provided therein. For further information regarding the articles on this blog, contact Ruder Ware through our primary website.