Guidance on Mental Health & the HIPAA Privacy Rule - Health Insurance Portability and Accountability Act
The U.S. Department of Health and Human Services recently issued guidance entitled, “HIPAA Privacy Rule and Sharing Information Related to Mental Health.” As the title implies, it offers information as to when it may be permissible under HIPAA for health care providers to share information related to a patient’s mental health, including instances when the patient may be a minor. The direction, issued in the form of Q&As, comes as HHS seeks to strike a balance between a patient’s privacy rights in mental health records and public safety concerns. The clarifications could not come at a better time, as the health care industry prepares for an influx of patients who now have insurance that includes mental health coverage. Below are some of the highlights from the guidance:
Family & Friends
A mental health provider may communicate with, and disclose a patient’s PHI (including mental health information) to family and friends (or others involved with the health care or payment for services) when the patient is present and has the capacity to make health care decisions, so long as the patient does not object.
When the patient is not present or is incapacitated, the mental health provider may disclose relevant information so long as the provider determines, based on his or her professional judgment, that doing so is in the best interests of the patient. Lack of consciousness is the most common form of incapacity, but it can take other forms. For instance, when a health care provider knows that a patient with a serious mental illness has stopped taking a prescribed medication, the provider can share that information with a family member, if doing so would be in the patient’s best interest. Providers should take into account any prior expressed preferences of the patient regarding the disclosure of his or her information.
In instances when the patient has capacity and objects to the sharing of information, the provider may share the information only if doing so is consistent with applicable law and standards of ethical conduct, and the provider has a good faith belief that the patient poses a threat to the health or safety of others, and the person to whom the information is disclosed is reasonably able to prevent or lessen the threat.
The Privacy Rule does not prevent providers from listening to concerns raised by family or friends about the health of the patient. These concerns can be withheld from the patient if the disclosure of such information would be reasonably likely to reveal the identity of the concerned individual.
These notes, defined as notes kept separate from the rest of the patient’s medical record that document or analyze conversations held during certain types of counseling sessions, are afforded extra protection under the Privacy Rule. With a few limited exceptions, a specific, separate authorization is required before a mental health provider may use or disclose them, and a mental health provider is not required to disclose such notes to the patient under the individual’s Privacy Rule right of access. Two notable exceptions exist for the disclosure of these records: mandatory “duty to warn” situations or when a threat of serious and imminent harm to the health or safety of the patient or others is present.
Certain PHI, including date and time of admission and discharge, may be disclosed in response to a law enforcement official’s request, for the purpose of location or identifying a suspect, fugitive, missing person or material witness. Information such as name and address and distinguishing physical characteristics (among other things) may be released, but some information (such as dental records or samples of bodily fluids) cannot be released.