Summary of Final Rule Providing Standards for the Privacy of Patient Records
March 9, 2001
I. Background and Overview.
On December 28, 2000, the Department of Health and Human Services (HHS) published a final rule to provide for new federal standards for the privacy of individually identifiable patient information. This privacy rule is the second in a series of records "standards" rules mandated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Under HIPAA, Congress called for the creation of national standards and requirements regarding the electronic transmission of health information. The first published rule addressed electronic transactions. Other rules are in various stages of development or are under reconsideration. These include rules relating to unique health plan identifiers, unique provider identifiers, and standards for claims attachments.
On February 28, 2001, HHS Secretary Tommy G. Thompson reopened the final privacy rule for further comment and delayed the rule's effective date to April 14, 2001. It may be anticipated that the rule's compliance date will be approximately two years following the effective date. Reopening a final rule is an unusual administrative step, but, according to Secretary Thompson, a necessary one due to the rule's complexity and scope.
The following brief analysis is not an in-depth examination of the final rule. Rather it is designed to give practicing psychologists a sense of the breadth of the rule, to outline its requirements, and to highlight those aspects of the rule that are particularly pertinent to mental health records (text in italics). The rule may be altered following the new comment period, and therefore this analysis is subject to change. In addition, this analysis is not intended to provide legal guidance.
More information on the privacy rule is available on-line. The official rule is published through the Office of the Federal Register. To view the rule, including commentary and background, go to http://aspe.hhs.gov/admnsimp/bannerps.htm. Please note, however, that this document is extremely long and as a result has been divided into eight separate parts for purposes of access and reading. The Health Privacy Project, Institute for Health Care Research and Policy of Georgetown University, provides several excellent materials through its web site, including an in-depth summary of the final privacy rule. This summary is available at http://www.healthprivacy.org. HHS provides a fact sheet on the final rule, which is available at http://www.hhs.gov/news/press/2000pres/00fsprivacy.html.
II. Application of the Rule and Protected Patient Information.
A. Application. The privacy rule applies to health plans, health care clearinghouses, and those health care providers who transmit any health care information in electronic form in connection with a health care transaction. Like the rule, this analysis refers to plans, clearinghouses, and health care providers as "covered entities."
- Almost all health plans are covered by the rule, including group health plans of 50 or more participants (whether or not covered under the Employee Retirement Income Security Act), insurers, and government plans, such as those in the Medicare and Medicaid programs.
- Health care clearinghouses are those entities that process individually identifiable patient information into a non-identifiable format, or vice versa.
- Psychologists who transmit health care information for purposes of health care transactions will be considered health care providers to whom the rule applies.
- The rule applies to business associates of health plans, clearinghouses, and health care providers.
- Many health care arrangements do not fall neatly into the three types of "covered entities." For instance, some businesses may have only a small component of their operations that would be covered by the rule, while other health care provider systems are conglomerates where uses and disclosures of information are diverse and shared. The rule identifies and establishes application of the rule to these various arrangements.
B. Covered information. The rule covers only patient information which is in electronic form and which identifies the patient. As with the rule, this analysis generally refers to such information as "protected health information."
- Information in electronic form. The final privacy rule is unclear, both on its own terms and in its relation to the other HIPAA information standards regulations, as to which records it is designed to protect. Before it was made final, the rule was intended to apply only to electronic records and not to paper records. Background information in the final rule, however, indicates that the rule will apply to "all individually identifiable health information transmitted or maintained by a covered entity regardless of form." (65 Fed. Reg. 82496.)
- Identifiable patient information. Information which does not identify a patient, or that has been de-identified, is not protected health information. The privacy rule contains standards for acceptable de-identification of patient records.
C. Relation to State laws. The privacy rule does not preempt stronger state privacy laws that concern patient records. States may enact stronger state laws after implementation of this rule. Preservation of state laws from federal preemption is particularly important for mental health providers, since such laws are by far the most common and complex laws regarding records privacy.
III. Uses and Disclosures of Patient Records.
A. General Rule. A covered entity may not use or disclose protected health information, except as permitted or required under the privacy rule.
- Permitted uses and disclosures are outlined in C. below. Patient consent is required for uses and disclosures referenced in C.1, with the exception of psychotherapy notes, which require patient consent and authorization. Patient consent, authorization, and the opportunity to object are required for disclosures referenced in C.2. Uses and disclosures not requiring patient consent or authorization, or made without the opportunity to object, termed "permitted disclosures," are referenced in C.3 through C.14.
- Minimum Necessary Standard. When using or disclosing information, a covered entity must make "reasonable efforts to limit protected information to the minimum necessary to accomplish the intended purpose of the use or disclosure." This standard does not apply for uses and disclosures to the patient, between health care providers for treatment, or for required and certain other uses and disclosures.
- Other restrictions in addition to the "minimum necessary" requirement apply in certain circumstances, such as uses and disclosures to personal representatives, regarding deceased individuals, or to business associates.
B. Psychotherapy notes. A covered entity must have patient authorization for use and disclosure of psychotherapy notes.
- While the rule and commentary tie this requirement to uses and disclosures related to payment, treatment, and health care operations (see below), in effect, the rule requires patient authorization for release of psychotherapy notes in all instances, unless the rule specifies that authorization is not required.
- A covered entity may not condition treatment, payment, enrollment, or eligibility for benefits on patient authorization of psychotherapy notes.
- Authorization is not required in limited instances: for psychotherapy training in mental health training programs, to defend a legal action or other proceeding brought against the entity by the patient, for purposes of investigation by the HHS Secretary of a covered entity's compliance with the privacy rule, as otherwise required by law, by a health oversight agency for a lawful purpose related to oversight of the psychotherapist, to a coroner or medical examiner, or instances of permissible disclosure related to a serious or imminent threat to the health or safety of a person or the public.
- Psychotherapy notes are defined by the rule to mean "notes recorded (in any medium) by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of the individual's medical record. Psychotherapy notes excludes medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date."
C. Uses or Disclosures Permitted or Required Under the Privacy Rule.
- Payment, treatment, and health care operations. With prior patient consent obtained by the treating health care provider, protected health information may be used and disclosed for purposes of payment, treatment, and health care operations.
a. The consent requirement mainly provides information to the patient on the manner in which his or her information will be used and disclosed for treatment and administrative purposes. A health care provider may refuse to treat or a health plan may refuse to enroll a patient who refuses to give consent. In addition, patient consent is not required when the provider shares the information with other providers for treatment purposes, for emergency treatment, when the provider must treat the patient by law, and in other limited circumstances. The rule provides standards for appropriate consent.
b. The terms "payment," "treatment," and "health care operations" are broadly defined in the rule to pertain, in addition to their obvious meanings, to many managed health plan administrative functions. "Payment," for example, includes activities related to medical necessity and utilization review. "Treatment" includes the coordination and management of health care. "Health care operations" includes quality and assessment activities, clinical guidelines development, protocol development, case management, care coordination, evaluation of provider performance, review of provider competence and qualification, underwriting, premium rating, and business planning and development.
- Facility Directory Information.
a. If a patient is informed in advance and provided the opportunity to object when possible, his or her protected health information may be used and disclosed for purposes of inclusion in a hospital or other facility directory, to inform family or other persons regarding the individual's condition or care, and for other limited reasons. A patient may restrict or prohibit such disclosure.
b. Facility information is limited to the patient's name, location in the facility, condition in general terms, and religious affiliation (available only to members of the clergy). Information of condition or care is limited to family members, relatives, and close personal friends.
c. Other provisions concern patient capacity to make decisions, and instances where the patient is not present. In such cases, the covered entity must exercise professional judgment and experience in deciding whether to disclose information, such as information relating to a relative or friend picking up prescriptions, medical supplies, or X-rays.
- A covered entity may use or disclose protected health information as otherwise required by law.
- Individually identifiable patient information may be disclosed by a covered entity for public health activities by a public health authority, such as for disease control, vital statistics, and public health investigations and interventions.
- A covered entity may disclose records pursuant to child abuse, neglect, or domestic violence laws.
- A covered entity may disclose individually identifiable information to a health oversight agency for oversight activities authorized by law, such as audits; civil, administrative, or criminal investigations; inspections; licensure or disciplinary actions; civil, administrative, or criminal proceedings; or other activities necessary for appropriate oversight of the health care system, government health or regulatory programs, or civil rights laws.
- A covered entity may disclose individually identifiable information pursuant to judicial or administrative proceedings, such as in response to court or administrative tribunal orders, or for subpoenas, discovery requests, or other lawful process. Several conditions are specified regarding notice, opportunity to object, and other procedural requirements to permit these disclosures.
- A covered entity may disclose information for law enforcement purposes, pursuant to a court order, warrant, subpoena or summons issued by a judicial officer, grand jury subpoena, or an administrative summons or civil investigative demand. Such access is limited by requirements set out in the privacy rule. Additionally, disclosures are permitted related to identifying or locating a suspect, fugitive, material witness or missing person. Disclosures are permitted regarding crime victims.
- A covered entity may disclose patient information to coroners, medical examiners, and funeral directors, for duties regarding decedents as authorized by law.
- A covered entity may disclose patient information to organ donation organizations.
- A covered entity may disclose patient records to researchers for research purposes.
- A covered entity may disclose patient information to avert a serious threat to health or safety.
a. Specifically, a covered entity may, consistent with applicable law and standards of ethical conduct, use or disclose protected health information if such entity has a "good faith" belief that disclosure is necessary to "prevent or lessen a serious or imminent threat to the health or safety of a person or the public and is to a person or persons reasonably able to prevent or lessen the threat." In commentary to the final rule, HHS indicates that this provision is intended to be consistent with, and not to create a new, duty to warn such as that required of therapists under the Tarasoff decision and related law (65 Fed. Reg. 82703.) However, the actual impact of this provision, particularly since it applies to "covered entities" and not just to health care professionals, is still to be determined.
b. The provision also allows disclosure to permit a law enforcement official to identify or apprehend an individual who has indicated that he or she has participated in a violent crime or has escaped from a correctional institution.
- A covered entity may disclose individually identifiable patient information regarding military personnel and veterans for "activities deemed necessary by appropriate military command authorities to assure the proper execution of the military mission."
- A covered entity may disclose patient information as required by workers compensation laws.
- Uses and disclosures for marketing, fundraising and underwriting and premium rating purposes are permitted absent patient authorization under specified conditions and restrictions.
IV. Patient Rights Regarding Their Records.
The privacy rule affords patients the:
A. Right to adequate notice of the uses and disclosures of protected health information that may be made by a covered entity and of the patient's rights and the covered entity's legal duties with respect to such information. The rule specifies requirements for adequate notice, including requirements related to these rights and duties.
B. Right to request that a health care entity agree to restrictions on the entity's use and disclosure of protected health information. The covered entity does not have to agree to such restrictions, but need only afford the patient the opportunity to make the request.
C. Right to access, inspect and copy protected health information.
- A patient does not have this right with respect to psychotherapy notes, to information compiled as related to pending civil, criminal or administrative actions or proceedings, as related to a course of research, and for other limited grounds.
- A covered entity may also deny access for other reasons for which a patient can seek review. These reasons are:
a. when a licensed health care professional has determined that such access is "reasonably likely to endanger the life or physical safety" of the patient or another person,
b. if the information identifies another individual, who is not a health care professional, and a licensed health care professional has determined that such access is "reasonably likely to cause substantial harm" to such other person, or
c. if the person requesting access is the patient's personal representative and the health care professional determines that such access is "reasonably likely to cause substantial harm" to the patient or another person.
- The privacy rule specifies standards for timely access and for adequate procedures to review a covered entity's denial of access.
D. Right to amend protected health information. The privacy rule specifies the procedures that a covered entity must follow to honor this right.
E. Right to an accounting of disclosures of protected health information. This right does not pertain to disclosures related to transactions for payment, treatment, and health care operations, and for certain other disclosures.
V. Administrative Requirements.
A. As health care providers, and therefore covered entities under the privacy rule, most psychologists will need to meet the requirements of the rule with regard to covered transactions concerning patient records.
- Some of these requirements concern the rights of patients with regard to their records, as outlined immediately above. Other requirements are termed "administrative" requirements by the rule. These administrative requirements address how covered entities will, in practice, provide for these protections as they use and disclose individually identifiable patient information.
- "Scalable" Compliance. The administrative requirements of the privacy rule are "scalable." This means that a covered entity "reasonably" meets the requirements according to its size and the type of records transactions in which it engages. In other words, the administrative burden on a solo health care practitioner will likely be far less than that imposed on a hospital or health care insurer, which are much larger covered entities that use and disclose a large volume of patient records. Examples of scalable compliance are suggested below. HHS has indicated that it intends the requirements to meld with current practice where appropriate. HHS has also indicated that it will work with various health associations and organizations to ensure that the requirements are effective and workable for those providers and other entities that use and disclose patient records.
B. To meet these administrative requirements, a covered entity must:
- Designate a privacy official to be responsible for the development and implementation of policies and procedures to protect individually identifiable patient information. Scalable compliance: a psychologist may identify herself as the privacy officer in her solo practice, whereas in a large insurance company the privacy official may constitute a full time position with staff.
- Train all members of its workforce on the policies and procedures. Scalable compliance: in commentary to the proposed rule, HHS recognizes that training must be flexible to the covered entity, leaving to the covered entity decisions regarding the nature and method of training to achieve this requirement. (65 Fed. Reg. 82783.)
- Have in place administrative, technical, and physical safeguards to protect the privacy of identifiable patient information. Scalable compliance: a psychologist might be required to demonstrate that only he may log on to, and knows the password for, the computer on which his patient records are kept, that any backup files are accessible only to him, or that hard copies of such records are locked in a file cabinet.
- Provide a process for patients to make complaints concerning the covered entity's policies and procedures and document all such complaints. Scalable compliance: a hospital might implement a mechanism where nursing stations follow a procedure to document complaints that would be made available to visitors. A psychologist might be required to simply receive complaints and keep a file of such complaints.
- Have and apply appropriate workforce sanctions for failures to comply with the policies and procedures.
- Mitigate, to the extent practicable, any harmful effect that the covered entity knows of regarding a violation of its policies and procedures. Scalable compliance: the receptionist in a small psychologist group practice inadvertently sent the wrong patient records to an insurer for reimbursement. The psychologist might be required to request the records back and inform the patient of the error.
- Refrain from any retaliatory act against a patient for exercising his or her rights under the rule.
- Ensure that the "minimum necessary" standard is followed for uses and disclosures. Pursuant to this requirement, a covered entity determines which persons need access to individually identifiable information to carry out their duties and limits access as appropriate. Policies and procedures must be implemented for routine and recurring disclosures to meet this standard. Scalable compliance: a health insurance company might be expected to remove identifiers or to limit the data fields that are disclosed to fit the purpose of a disclosure. A psychologist's office would not be expected to have these capabilities, but might be expected to hide identifiers or limit disclosures to certain pages of the patient's file.
VI. Enforcement.
A. Any person who believes that a health plan, clearinghouse, or provider is not complying with the standards of the rule may file a complaint with the HHS Secretary. The Secretary has authority to investigate claims based on these complaints. The Secretary may also engage in compliance reviews and take "informal" or formal steps to gain compliance as permitted under the rule.
B. Statutory civil and criminal penalties apply for violations of the rule. There is a $100 civil penalty per violation, up to a maximum of $25,000 per year for each standard violated. Criminal penalties are imposed for certain wrongful disclosures, up to $250,000 for egregious conduct.