The HIPAA privacy rule governs access to and use of “protected health information” (see sidebar) in patient records. The parties, known as “covered entities,” directly affected by the rule include health care providers, health plans, and health information clearinghouses. The privacy rule accommodates a number of interests in balancing the needs of individual patients against the interests of others such as health insurers, public health authorities, and law enforcement officials.

Clearly the privacy rule gives patients some important protections. Health consumers benefit from the HIPAA rule in several ways, including:

Greater Patient Access to and Information About Their Records

Under HIPAA, patients will now have greater access to their records and greater knowledge of how their records will be used than ever before. Specifically, patients are entitled to:

• Receive notice of use and disclosures of their PHI. Psychologists are obligated to inform patients about potential uses and disclosures of their protected health information and patients’ right to limit those uses and disclosures.
• Consent to use and disclosures of their PHI. Practitioners must agree to “reasonable requests” by patients for restrictions on the use and disclosures of PHI for treatment, payment and health care operations purposes. However, psychologists are not required to accept disclosure restrictions that would compromise their professional judgment or treatment.
• Access their records for inspection and amendment. Patients are allowed to inspect and obtain a copy of PHI in medical and billing records that a provider uses to make decisions about the patient. However, there are exceptions to this access. For one thing, patients do not have the right to inspect or obtain a copy of psychotherapy notes. And though the privacy rule enables an individual to request a change to their PHI if they believe the information is incorrect, a psychologist can deny requests for record amendments if he or she is not the originator or if the psychologist believes the information is accurate and complete. When an amendment to the record is made, the amendment does not replace any information in the record but simply adds to the record.
• Get an accounting of how PHI was used and shared. The privacy rule stipulates terms under which a patient may receive a listing of all disclosures of his or her PHI. The rule also spells out exceptions to an individual’s ability to obtain such an accounting of disclosures.

What Is "Protected Health Information"? The HIPAA privacy rule applies to protected health information (PHI), which means individually identifiable patient information. This is information that relates to the past, present or future physical or mental health condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual; and that identifies the individual or could reasonably be used to identify the individual. The rule will apply to all individually identifiable patient information transmitted or maintained by a covered entity regardless of its form. Health information that does not identify an individual and provides no reasonable basis to believe that the information can be used to identify a person is not considered PHI. Additional information about what “triggers” the application of the privacy rule is found in the primer, “Getting Ready for HIPAA: What You Need to Know Now,” mailed to all APA members who pay the APA Practice Organization special assessment.

Heightened Protection for Psychotherapy Notes

Of particular interest to the psychology community, the HIPAA privacy rule recognizes as a matter of federal policy the unique and particularly sensitive nature of the provider-patient relationship in mental health services delivery. The rule creates special requirements for the use and disclosure of psychotherapy information, and patients benefit from enhanced protection of psychotherapy notes. These notes are considered a special category of protected health information that must be kept separate from the basic record and that requires special patient authorization beyond general consent for disclosure.

Psychologists will need to make sure that any entity requesting psychotherapy notes has provided a valid authorization before the practitioner releases these notes. Alternatively, psychologists will have to secure authorization from the patient before providing notes in response to requests. Perhaps more importantly, unlike other protected health information, insurance companies, ERISA-certified employee benefit plans, and managed care companies that administer benefits will not be able to require patients to release this information from psychotherapy notes as a condition of coverage or payment.

Additional information about the treatment of psychotherapy notes under HIPPA appears here.

Safeguarding of State Laws That Are More Protective of Privacy

The federal privacy rule establishes a minimum set of requirements, or “floor,” for the protection of PHI. As a result, state laws are not pre-empted to the extent that they are stricter in protecting an individual’s PHI. A state law is considered more stringent if it provides greater privacy protection for patients or permits greater access by patients to review and/or amend information in their health records. Further, there is nothing in HIPAA that prevents states from passing laws more protective than the federal privacy rule. For more details about state law preemption, see the article on page 6.

Adapted from: “Getting Ready for HIPAA: What You Need to Know Now,” by the APA Practice Organization and the APA Insurance Trust. This primer was mailed in March 2002 to all APA members who pay the APA Practice Organization special assessment.