January 2000
Government Relations
Practice Directorate
January 20, 2000
Secretary Donna E. Shalala
U.S. Department of Health and Human Services
Assistant Secretary for Planning and Evaluation
Attention: Privacy-P, Room G-322A
Hubert H. Humphrey Building
200 Independence Avenue SW
Washington, DC 20201
Re: Proposed Rule on Standards for Privacy of Individually Identifiable Health
Information, as published in 64 Federal Register 59917, November 3, 1999.
Dear Secretary Shalala:
We submit these comments on behalf of the American Psychological Association (APA), the
professional organization representing more than 159,000 members and affiliates engaged in
the practice, research, and teaching of psychology, regarding the proposed rule on
standards for privacy of individually identifiable health information, as published in 64
Federal Register 59917 et seq., November 3, 1999. We recognize that promulgating rules
regarding the privacy of individually identifiable patient information is a daunting task
and commend Secretary Donna E. Shalala (the Secretary) for proposing a rule with several
provisions that proactively protect the privacy of patient records. These include, for
example, provisions which require patient authorization for disclosure of psychotherapy
notes, ensure that more protective State records’ privacy laws are not preempted, and
permit patients who do not want any disclosure of their health records to pay privately
for services. However, we are concerned that other key provisions of the proposed rule
will only weaken the already inadequate patient records privacy protections afforded under
current law and focus our comments on these provisions.
Ideally, the Secretary should propose a rule, just as Congress should pass a law, which
protects the private relationship between the patient and his or her treating health care
provider. A strong patient-provider relationship privacy rule would necessarily protect
the privacy associated with the patient’s record, because a patient’s record
could not be disclosed in a manner that violated the privacy of the underlying
relationship. Such a rule would be very different from that proposed by the Secretary
today, which seeks merely to address actual and potential disclosures of the patient
record.
The APA recognizes that the Secretary is limited in her rule-making authority by the
specific statutory requirements imposed by Congress through the Health Insurance
Portability and Accountability Act (HIPAA). As HIPAA mandates, the Secretary must issue
standards to facilitate the electronic exchange of information with respect to financial
and administrative transactions carried out by health plans, health providers, and certain
other entities. Given this limitation, however, we believe the proposed rule can be
substantially improved. We offer the following comments with specific suggestions to
improve the proposed rule, particularly as it relates to mental health records.
We note that the proposed rule mainly concerns the protection of patient records in the
health care delivery system, as our comments reflect. However, the proposed rule also
permits the disclosure of a patient's protected health information for specified public
and public policy purposes, including research. Comments on the impact of the proposed rule
on the conduct of research will be addressed at a future date in a separate letter by
Richard McCarty, Ph.D., the Executive Director of APA's Science Directorate.
APA Comment Summary.
I. Disclosure of individually identifiable records for "treatment, payment, and
health care operations" without patient authorization. Patients in our country
are facing a privacy crisis regarding their health records. This crisis has been brought
on by each patient’s loss of control of his or her records, as parties beyond the
patient and his or her treating health care professional demand records for a host of
reasons not directly related to care.
We believe that allowing patient records to be shared with potentially innumerable
other parties for "treatment, payment, and health care operations" without
patient authorization, as the proposed rule permits, may exacerbate the crisis. Disclosure
of patient records for these mainly health administration functions without meaningful
patient authorization validates an unacceptable status quo, which recognizes that many
parties beyond the patient and his or her treating health care professional may use and
disclose these records for purposes not directly related to treatment. We offer
suggestions to the proposed rule to provide patients with some control over their records
when disclosed to third parties for "treatment, payment, and health care
operations."
Mental health records are particularly sensitive to disclosures beyond the patient and
his or her treating psychologist or other health care professional. Therefore, we view (A)
the requirement that patients must specifically authorize disclosure of psychotherapy
notes for "treatment, payment, and health care operations" purposes, and (B) the
non-preemption of stronger State mental health privacy laws as central to securing for
patients some meaningful privacy for their mental health records.
A. The psychotherapy notes exception from disclosure without authorization for
"treatment, payment, and health care operations." We are particularly
pleased that the Secretary shares with psychology the recognition of the importance of
ensuring the privacy of the psychologist and patient treatment relationship by requiring
that "psychotherapy notes" require specific patient authorization before they
may be disclosed to third parties for "treatment, payment, and health care
operations."
We appreciate the Secretary’s reliance on the United States Supreme Court decision
of Jaffee v. Redmond, 518 U.S. 1 (1996), to provide for the psychotherapy notes
exception. While upholding the existence of the psychotherapist-patient Federal
evidentiary privilege, the Supreme Court found in Jaffee that the relationship is
"rooted in the imperative need for confidentiality and trust" and that the
"mere possibility" of disclosure could impede the development of a confidential
relationship necessary for successful treatment.
To reflect fully the spirit of the Supreme Court’s decision, we suggest that the
definition of "psychotherapy notes" be made more comprehensive to protect against
the unauthorized disclosure of all particularly sensitive mental health information
related to psychotherapeutic treatment, such as assessment results and clinical
observations. In so doing, the "psychotherapy notes" exception will more
adequately preserve the confidence and trust between the psychotherapist and patient and
help eliminate the mere possibility of disclosures that would otherwise hamper treatment.
B. Non-preemption of stronger State patient records’ privacy laws. We are
also pleased that stronger State laws that protect the confidentiality of patient records
are not preempted by this proposed rule. Many States have enacted laws that more
stringently protect the privacy of mental health records than the standards provided by
the proposed rule. We agree with the Secretary that the proposed rule should "act as
a floor, but not a ceiling on privacy protections."[1] We are
concerned, however, with the Secretary’s interpretation of those State laws which
are sufficiently "related to" the privacy of patient records to be saved from
Federal preemption. We suggest that the proposed rule’s "related to"
requirement is unnecessarily restrictive and may be inappropriately interpreted to preempt
many State laws that protect the privacy of mental health records.
II. Provisions which particularly impact the privacy of mental health records.
The proposed rule is very broad and considers a gamut of issues related to the privacy of
individually identifiable patient information. We have focused on three areas of
particular pertinence for persons seeking and receiving psychologists’ services:
A. Disclosure of individually identifiable patient information for "emergency
circumstances." With regard to the provision that permits use and disclosure of
patient records without authorization for "emergency circumstances," we believe
that this provision is drafted too broadly, permitting any number of persons in health
plans or providers to disclose patient information based on a reasonable belief of
endangerment. The provisions should be redrafted to ensure that only a licensed mental
health care professional exercising his or her reasonable professional judgment should
make disclosure determinations in emergency circumstances.
B. Patient inspection of information that may cause psychological harm. The rule
does not recognize, as some States have recognized, that patients can be psychologically
harmed if permitted to see sensitive information in their mental health records. We urge
that the inspection provisions be amended to permit licensed mental health care
professionals to prevent such disclosure upon a determination that such disclosure could
cause substantial psychological harm to the patient who is the subject of the record.
C. Law enforcement access to patient records. We raise a number of concerns
regarding the unauthorized disclosure of patient records to law enforcement officials. As
an overarching concern, assuming that appropriately limited disclosure to a law
enforcement official has been made, the proposed rule does not provide for limitations for
further use and re-disclosure of the records. We urge that limitations be incorporated
into the rule.
We additionally focus on specific permitted disclosures to law enforcement entities.
These are disclosures related to: (1) information about the victim of a crime, abuse or
other harm, (2) information disclosure pursuant to a legal process, and (3) the
investigation of health care fraud. We seek additional regulatory language regarding these
provisions to narrow their scope or to clarify their meaning and application.
APA Comments and Suggested Improvements.
I. Allowing individually identifiable health records to be shared with potentially
innumerable parties beyond the patient and his or her treating health care professional
for "treatment, payment, and health care operations" without authorization
exacerbates the current privacy crisis that patients face regarding their health records
in our country.
Patients in our country are facing a privacy crisis regarding their health records. The
Secretary’s reference to the California HealthCare Foundation’s "National
Survey: Confidentiality of Medical Records" is appropriate and gives some indication
of the concern that patients have in the loss of their health records privacy. As the
Secretary states, this survey found that one-fifth of Americans believe that their
personal health information has been used inappropriately. Worse, one-sixth indicate that
they have taken some form of action to avoid the misuse of their information, including
providing inaccurate information, frequently changing health care professionals, or
avoiding care.[2] In fact, more than half of those surveyed are very
concerned that even with the use of unique health identifiers, people with mental
illnesses, AIDS, or drug or alcohol problems will avoid seeking care for fear of exposure.[3]
Mental health and certain other records are particularly vulnerable to disclosure
because they typically contain information that could lead to a patient’s
embarrassment or stigmatization. For these patients, the potential loss of records’
privacy can be devastating. To avoid the potential loss of privacy, patients receiving
mental health services may make decisions that sacrifice their care and that could
jeopardize their health. We agree with the Secretary when she states in her regulatory
impact analysis that:
Where patients are concerned about a lack of privacy protections, they might fail to
get medical treatment that they would otherwise seek. This failure to get treatment may be
especially likely for certain conditions, including mental health, substance abuse, and
conditions such as HIV. Similarly, patients who are concerned about lack of privacy
protections may report inaccurately to their providers when they do seek treatment. For
instance, they might decide not to mention that they are taking prescription drugs that
indicate that they have an embarrassing condition. These inaccurate reports may lead to
mis-diagnosis and less-than optimal treatment, including inappropriate medications. In
short, the lack of privacy safeguards can lead to efficiency losses in the form of
foregone or inappropriate treatment.[4]
Our health care system cannot deliver appropriate, high quality care to patients with
mental health or other sensitive services needs, if the patients have a real or perceived
loss in the privacy of their records. Patients must have a clear indication of who will
see their records when these records leave the hands of their direct treating provider.
Because our delivery system has shifted from a fee-for-service to a managed care system,
patients really cannot determine who and how many other persons are viewing their
records.
The health care delivery shift to a managed care system, where potentially thousands of
individuals have access to a patient’s record, combined with the increasing use of
electronic records within managed care delivery systems has, in large part, caused the
current patient records’ privacy crisis. As the Secretary mentions, "[t]he
number of entities who are maintaining and transmitting individually identifiable health
information has increased significantly over the last 10 years."[5]
The problem of managed care access to records is actually twofold. First, once created
solely for clinical and treatment purposes, patient records are now also being used for
administrative purposes, such as for coverage determinations and payment. Second, the line
between clinical use of records and administrative use of records has become blurred.
Patients, health care professionals and payers in the health care system no longer can
easily distinguish the purposes for which records are being used. Hence, Congress has been
grappling for nearly the last decade to address legislatively patient and provider calls
to protect the privacy of patient records, and the Secretary today proposes rules for the
electronic exchange of records among various entities with an attempt to distinguish
records use for "treatment, payment, and health care operations."
For a number of years, the APA has pointed out to Congress and the Secretary that
access by managed health plan and other third parties to patient records has been causing
a patient privacy crisis and that the line between use for treatment purposes and use for
administrative purposes has become blurred.[6] In APA testimony submitted
to the Senate Committee on Labor and Human Resources in November 1995, the APA wrote:
Rapid changes in the health care delivery system have meant that parties other than
health care providers have access to patient records for a host of reasons, including
those related to payment for and financial review of services. Technological advances in
record-keeping now permit computerized and electronically transferable patient records.
While federal and state statutes and case law have generally established the duty of
health care providers to protect the confidentiality of patient records, the duty of many
third parties must still be legally defined.[7]
In February 1997, when the APA submitted comments to the National Committee on Vital
and Health Statistics (NCVHS), the committee with which the Secretary consulted before
submitting her comments to Congress regarding the privacy of individually identifiable
patient information, we reiterated this underlying problem.[8] In
addition, several commentators on the confidentiality status of patient records have
recently discussed the loss of privacy connected with third-party use of patient records
brought on by managed health plan access to patient records. [9]
The Secretary’s suggestion that a lack of national standards has " . . . made
the health care industry and the population in general uncomfortable about this primarily
financially driven expansion in the use of electronic data . . ." is an
understatement. Patients are "uncomfortable" because in this financially driven
managed care system they simply do not know who is seeing their records, and they are
justifiably concerned with their loss of privacy. The health care industry is
"uncomfortable," because managed health plans have no uniform law that applies
across all States, which justifies and legalizes their current use of patient records.
Unfortunately, in certain provisions of the proposed rule, the Secretary addresses the
health care industry’s discomfort with regard to their current use of patient records
at patient expense. In this respect, the proposed rule may be viewed as a promulgation by
the Secretary of a Federal law that validates the managed health care industry’s
current use and disclosure of patient records, particularly with regard to their use for
"treatment, payment, and health care operations."
In essence, the proposed rule preserves an unacceptable status quo where the managed
health care industry uses patient records for a number of purposes not directly related to
patient care. In fact, the proposed rule exacerbates the current problem of too much
managed health plan access to patient information, because patient consent, through
authorization, to such access is not even required for use by managed health plans for
purposes of "treatment, payment, and health care operations."
The Secretary justifies this fundamental shift away from patient authorization by
commenting that the current practice of blanket authorization for records’ release
provides individuals "with little actual control over their health information,"
since such authorization is "often not voluntary because the individual must sign the
form as a condition of treatment or payment for treatment."[10] The
Secretary may be correct concerning the current ineffectuality of blanket authorizations.
Blanket authorizations, however, are not meaningless. At the very least they allow the
patient an opportunity to read and have some idea of the manner in which his or her
records will be used, and they may permit a legal cause of action if the plan or provider
fails to provide the blanket authorization in the first place.
We suggest further that the many uses of records permitted to managed health plans
under the proposed rule for "treatment, payment and health care operations
purposes" primarily benefit the administrative functions of plans and have little or
no connection to care directly provided to the individual patient. During the last several
years, the APA has recommended to Congress and the Secretary that higher standards should
be imposed when records are released for administrative purposes not directly related to
patient care. The Secretary appears to understand this principle. For instance, in
proposing this rule the Secretary indicates that:
The purpose of our proposal is to define and limit the circumstances in which an
individual’s protected health information may be used or disclosed by others. We are
proposing to make the use and exchange of protected health information relatively easy for
health care purposes, and more difficult for purposes other than health care.[11]
We respectfully submit that the Secretary will not accomplish the goal of making the
use and exchange of protected health information "more difficult for purposes other
than health care" when patient records may be disclosed without authorization for
"treatment, payment, and health care operations" purposes as those terms are
defined in the proposed rule. A careful reading of the "treatment, payment, and
health care operations" definitions reveals that much of this access is not directly
related to the health care that an individual patient receives. Rather such access is for
other purposes, primarily administrative, which benefit managed health plans or other
entities.
We are particularly troubled by the Secretary’s assertion that the use and
disclosure of patient information without patient authorization for "payment"
and "health care operations" is primarily for health care purposes. A summary
examination of the definitions of "payment" and "health care
operations" reveals that they define activities primarily to fulfill the
administrative function of managed health plans:
- The proposed rule defines "payment" to mean the activities undertaken by a
health plan or its business partner to obtain premiums or to determine coverage, or along
with a health care provider, to obtain reimbursement for the provision of care. Payment
activities specifically include: determinations of coverage, "improved methods of
paying or coverage policies," adjudication or subrogation of claims, risk adjustment,
billing, claims management, medical data processing, medical necessity review, and
utilization review, including precertification and preauthorization services. [12]
- "Health care operations" are defined as activities undertaken by a health plan
or health care provider for the purpose of "carrying out the management functions of
such entity necessary for the support of treatment or payment." These activities
specifically include: quality assessment and improvement activities such as outcomes
evaluation and development of clinical guidelines, reviewing the competence and
qualifications of health care professionals and their performance, training activities,
insurance rating and other insurance activities, medical review and auditing, and
compiling and analyzing information in anticipation of or for use in a civil or criminal
legal proceeding. [13]
Simply stated, too many of the "payment" and "health care
operations" functions are administrative and have little or no connection to direct
provision of health care to a patient. These administrative functions, including claims
adjustment, billing, development of clinical guidelines, and training activities may serve
patients in the aggregate, but they do not have a sufficient nexus to the actual care and
treatment of an individual patient.
The purpose of this proposed rule is to protect the privacy of the individual’s
identifiable information. An individual’s privacy is lost when his or her
individually identifiable information is shared for administrative purposes or for
purposes that may benefit patients in general.
The proposed rule’s definition of "treatment" is also troubling for
vagueness. The "treatment" definition potentially could be read to permit the
unauthorized disclosure of records for purposes that are actually administrative and not
related to treatment. In the proposed rule:
Treatment means the provision of health care by, or the coordination of health care
(including health care management of the individual through risk assessment, case
management, and disease management) among, health care providers; the referral of a
patient from one provider to another; or the coordination of health care or other services
among health care providers and third parties authorized by the health plan or the
individual. [14]
Of course, psychologists and other health care professionals and providers need to
share information and coordinate patient care to ensure appropriate care and patient
safety. Therefore, health care professionals who are directly delivering services to
patients must coordinate care and share information as necessary. This situation is
properly considered within the "treatment" definition proposed by the rule.
The "treatment" definition, however, would also permit the sharing of patient
information by a health plan for "the coordination of health care or other services
among health care providers and third parties" as authorized by the plan. This
permissible sharing of information could encompass the purely administrative function of a
plan’s management or coordination of care and is not necessarily linked to direct
treatment of a patient. As we mentioned above, patients should have some control over the
sharing of their records by those individuals who are not directly providing care to them.
Therefore, the "treatment" definition should be more narrowly tailored to ensure
that it considers only those activities related to the direct treatment of the patient.
The administrative functions are more properly contained within the "payment"
and "health care operations" definitions.
As in our testimony before Congress and in our comments to NCVHS, the APA urges the
Secretary to afford greater protection for patient records when disclosed for
administrative or other purposes not related to direct patient care. [15]
Sharing information not directly related to patient care is at the crux of the current
patient privacy crisis. Patients cannot feel secure, and indeed they should not feel
secure in the privacy of their health records, if these records are permitted to be shared
with innumerable other persons for a long list of administrative purposes not directly
associated with the patient’s care.
Given the limitations implicit in the proposed rule, greater protection of the patient
record can and must be afforded when patient records are disclosed for "treatment,
payment, and health care operations" purposes. We propose, for example, that:
1. Blanket authorization. A blanket patient authorization for all of these
administrative activities should be required. Patients have a right to their privacy.
Therefore they should be afforded the opportunity to exercise their right to protect their
patient record information by signing off on its disclosure. Not permitting patient
authorization presumes that patients have no right to the privacy of their records. Since
blanket authorizations are standard practice today, such authorizations will cause no more
inconvenience or increased expense to managed health plans or other entities requesting
the records, and at the very least such authorization gives patients the opportunity to
read or discuss the possible future disclosure of their records.
We agree with the Secretary that the current practice of blanket authorization provides
patients with little control over their health records. We suggest, however, that rather
than eliminating blanket authorizations, the Secretary and individuals involved in the
health care delivery system work together to improve such authorizations. For example, the
Secretary could develop and publish a model authorization form so that patients might more
readily understand their rights and responsibilities when signing the authorization.
Perhaps the Secretary could propose a model blanket authorization to be used by health
care providers and payers. The APA would welcome the opportunity to assist the Secretary
in this endeavor, particularly as it would affect those patients seeking and receiving
mental health services.
2. Additional patient authorization for disclosures for administrative purposes. The
Secretary should reexamine the definitions of "treatment, payment, and health care
operations," and particularly those of "treatment" and "health care
operations." These definitions permit very broad administrative activities, some of
which could be narrowed or eliminated. Further, we suggest that some of these
administrative functions should require specific patient authorization in addition to an
initial blanket authorization. For example, we suggest that within the definitions of
"payment" or "health care operations" that improvement of payment
methodologies for risk adjustment or of clinical guidelines development are isolated
activities mainly for administrative purposes, which should require additional patient
authorization.
3. Enforcement of use and disclosure limitations. The Secretary should stress
that the general rules that apply to patient records, such as requiring that the minimum
amount of the patient record be used for the specific purpose of disclosure and that
de-identified information be used where possible, apply to managed health plans for
"treatment, payment, and health care operations" purposes. The Secretary should
impose a process whereby managed health plans and providers must demonstrate to the
Secretary that they have specific procedures in place to accomplish these standards and
are meeting these requirements.
4. Enforcement of the psychotherapy notes disclosure exception. Regarding
disclosure of mental health records, the Secretary should ensure that the exception from
disclosure without patient authorization for "psychotherapy notes" is strictly
enforced and improved. We now offer specific comments on how the "psychotherapy
notes" exception may be improved.
A. Requiring that patients must authorize disclosure of psychotherapy notes to managed
health plans and other entities for "treatment, payment, and health care
operations" purposes is of central importance to preserving the privacy of the
psychologist-patient relationship. The APA urges that this provision be included in the
final rule and offers specific improvements to ensure that it appropriately protects all
sensitive mental health information.
We have mentioned above that mental health records are particularly
"sensitive" to disclosure. This sensitivity exists for several reasons, many of
which are rooted in societal stigmatization of mental disorders, and more intimately to
the individual patient, in the fear that disclosure to loved ones, family, friends,
business associates, even acquaintances could harm these relationships, perhaps
irreparably. We need not discuss the sensitivity of mental health records in depth since
the Secretary clearly shares this view. We agree, for example, with the Secretary’s
comments that a greater intrusion in privacy occurs when mental health records are
disclosed than when records regarding physical health are disclosed:
Many people believe that details about their physical self should not generally be put
on display for neighbors, employers, and government officials to see. Informed consent
laws place limits on the ability of other persons to intrude physically on a person’s
body. Similar concerns apply to intrusions on information about the person. Moving beyond
these facts about physical treatment, there is likely a greater intrusion when the medical
records reveal details about a person’s mental state, such as during treatment for
mental health. If, in Justice Brandeis’ words, the "right to be let alone"
means anything, then it likely applies to having outsiders have access to one’s
intimate thoughts, words, and emotions. [16]
Due to the particular sensitivity of mental health records, we suggest that patients
seeking and receiving mental health treatment have different, generally greater, privacy
and confidentiality needs than persons receiving general health services. Therefore,
greater protection must be afforded mental health records when medical records’
confidentiality legislation or regulation is considered.
State legislatures and governments have long recognized this need for heightened
protection of mental health records. The most recent and comprehensive survey of state
records confidentiality laws conducted by the Institute for Health Care Research and
Policy of Georgetown University concluded that "[b]y far, state legislation
concerning mental health is among the most detailed and complex. All states have some
statutory provision addressing mental health communications and records." [17]
The Secretary has implemented her recognition that mental health information must be
afforded heightened protection through the psychotherapy notes patient authorization
requirement. Specifically, the proposed rule will permit records to be disclosed to
managed health plans, other health providers, and their agents without patient
authorization for "treatment, payment, and health care operations purposes."
Patients must, however, authorize disclosure of psychotherapy notes to these entities for
such purposes.
The APA appreciates the Secretary’s reliance on and extensive quotation of the
recent United States Supreme Court decision of Jaffee v. Redmond, 518 U.S. 1 (1996)
to provide for the psychotherapy notes disclosure requirement in the proposed rule. In Jaffee,
a decision upholding the existence of the psychotherapist-patient evidentiary privilege
under the Federal Rules of Evidence, the Supreme Court found that the psychotherapist-patient
relationship is:
[R]ooted in the imperative need for confidentiality and trust. . . . Treatment by a
physician for physical ailments can often proceed successfully on the basis of a physical
examination, objective information supplied by the patient, and the results of diagnostic
tests. Effective psychotherapy, by contrast, depends upon an atmosphere of confidence and
trust in which the patient is willing to make a frank and complete disclosure of facts,
emotions, memories, and fears. Because of the sensitive nature of the problems for which
individuals consult psychotherapists, disclosure of confidential communications made
during counseling sessions may cause embarrassment or disgrace. For this reason, the mere
possibility of disclosure may impede development of the confidential relationship
necessary for successful treatment. [18]
In recognizing the particular sensitivity of mental health records, the Secretary is
right to apply the Jaffee decision as the underlying rationale for requiring
patient authorization for the disclosure of psychotherapy notes. However, the
Secretary’s definition of "psychotherapy notes" in the proposed rule
encompasses a narrower range of sensitive mental health information than that recognized
by the Supreme Court in the Jaffee decision.
Psychologists and other mental health professionals typically create and maintain
records in addition to, and related to, psychotherapy notes. The privacy of these records must
also be protected to ensure effective psychotherapy and to preserve an atmosphere of
confidence and trust so that the patient "is willing to make a frank and complete
disclosure of facts, emotions, memories, and fears." A patient cannot feel secure in
the privacy of his or her relationship with a psychologist if he or she perceives that
some records require specific authorization for release, while other records with similar
and highly sensitive information do not. As the Supreme Court states, "the mere
possibility of disclosure may impede development of the confidential relationship
necessary for successful treatment." Patients need to know that all sensitive
information related to their psychotherapy and treatment is secure and requires their
specific authorization for release.
Therefore, the Secretary should define "psychotherapy notes" to include notes
and all other records, which contain highly sensitive information related to treatment.
These records would include, for example, those clinical observations made by the
psychologist outside of a psychotherapy session, and perhaps most importantly,
psychological assessment, responses and assessment results.
An expanded definition of "psychotherapy notes," as we propose, is
appropriate and justified in the context of the Jaffee decision upon which the
Secretary relies. The Supreme Court’s decision is a carefully tailored examination of
the psychotherapist-patient relationship in the context of a Federal evidentiary
privilege. In contrast, the Secretary is proposing a rule with broad application to mental
health records and their disclosure to third parties. To fully reflect the spirit of the
Supreme Court’s decision—to ensure the preservation of "confidence and
trust" in the psychotherapist-patient relationship—the Secretary should apply
the disclosure requirement broadly to all particularly sensitive mental health
information.
We offer specific suggestions to amend the current "psychotherapy notes" patient
authorization requirement to ensure that the provision protects all sensitive mental
health records detailing the psychotherapist-patient relationship. We begin with an
examination of the proposed rule’s "psychotherapy notes" definition, which
states that:
Psychotherapy notes means notes recorded (in any medium) by a health care provider who
is a mental health professional documenting or analyzing the contents of conversation
during a private counseling session or a group, joint, or family counseling session. For
purposes of this definition, "psychotherapy notes" excludes medication
prescription and monitoring, counseling session start and stop times, the modalities and
frequencies of treatment furnished, results of clinical tests, and any summary of the
following items: diagnosis, functional status, the treatment plan, symptoms, prognosis,
and progress to date. [19]
We suggest that the "psychotherapy notes" definition should be improved as
follows:
1. The word "conversation" should be replaced with the word
"communication." The Jaffee decision more properly recognizes the
protection of "communications" between the psychotherapist and patient. Not all
communications between psychotherapists and their patients are limited to conversations.
For example, during therapy with a child where the child may not be easily able to
converse, the psychologist may allow the child to draw pictures or to sand play, creating
images, which the psychologist photographs. For example, a disabled patient may have to
communicate through means other than vocal conversation, such as through sign language,
written notes, and computer-generated or other mechanical means. These are communications
in recorded form generated as part of the psychotherapist-patient relationship, and
therefore should fall under the psychotherapy notes authorization requirement.
2. Psychotherapy notes are, at times, created through patient contact
outside of a "private counseling session or a group, joint, or family counseling
session." These words should be replaced with "psychotherapy, interview, or
counseling session." For example, a mental health provider may treat a patient with a
phobic condition by accompanying him and applying psychotherapeutic techniques while he
performs a behavior in the community outside of a "private counseling session."
Specifically, the mental health provider might give relaxation instructions and
"expose" a patient with a social phobia to crowds during a treatment session.
Typically too, counseling occurs not only in "private counseling sessions," but
also in other settings, such as in rehabilitation settings or in transplantation settings,
where highly personal and subjective information about a patient’s emotional and
psychological state may be elicited. Our language change ensures that this information
requires specific patient authorization before disclosure may occur.
3. Strike the words "results of clinical tests" and insert immediately after
the phrase "and any summary of the following items:" the words "assessment
results". Additionally, add the following new sentence at the end of the
psychotherapy notes definition: "Test responses, scores, items and forms used in
assessment or personal history shall be considered a part of psychotherapy notes, if the
mental health professional determines that such assessment or history contains information
directly related to psychological treatment." Psychologists typically utilize
psychological tests that require patients to divulge highly sensitive personal
information, which is as sensitive as the information contained in psychotherapy notes. To
preserve the privacy of the patient-mental health professional relationship, test
responses, scores, items and even test forms themselves should require patient
authorization for disclosure when such assessment would divulge sensitive information
about the patient.
The current wording could be construed to allow the release of responses to
psychological test items or scores on particular personality or behavioral dimensions. For
example, the Minnesota Multiphasic Personality Inventory (MMPI-2), one of the most
commonly used clinical tests, contains an item asking the respondent to indicate whether
he or she has "indulged in unusual sex practices." We believe that managed
health plans and other third parties have no need for this sort of highly sensitive and
embarrassing patient information and are able to make coverage and payment determinations
with appropriate summaries of such clinical test results.
4. Move the words "functional status" to immediately precede the words
"and progress to date" and insert immediately before "functional
status" the phrase "and as related to diagnosis and prognosis,". In
addition, insert after the second sentence, the following new sentence:
"Psychotherapy notes include clinical observations or other references in a
patient’s record, and summaries of functional status or progress to date, which would
otherwise divulge the nature or contents of communication made during a psychotherapy,
interview, or counseling session."
Clinical observations of behavior commonly record extremely sensitive information
regarding the personal characteristics and behaviors of a patient in psychotherapy. For
example, behavior observations commonly include detailed descriptions of a patient’s
strong emotional reactions associated with the content of sessions such as screaming,
crying, or striking an object or herself. While these observations aid the psychotherapist
in treatment, a managed health plan or other third party generally has no need for this
level of detailed information for purposes of payment or other administrative activities.
Such observations and references are typically central to the psychotherapist’s
history regarding a patient, may occur during or after sessions, and may be placed in
other parts of the patient’s record, such as for purposes of treatment in hospitals
or in other integrated health care facilities. Therefore, clinical observations and
similar references should be considered psychotherapy notes when such information would
reveal the nature or the contents of communication made during psychotherapy.
Likewise, summaries of functional status and progress to date can contain extremely
sensitive patient information, which if inappropriately released to third parties without
patient authorization could impede treatment progress and harm the relationship between
the mental health professional and patient. Our amendment recognizes that managed health
plans and other third parties may have access to summaries of functional status and
progress to date in order to make decisions about care, as related to diagnosis and
prognosis. Disclosure of a patient’s functional status or progress to date, which
would divulge sensitive patient information central to psychotherapeutic treatment,
however, would require specific patient authorization.
As we have mentioned, the Jaffee decision considers the "mere
possibility" of disclosure as impeding the confidential relationship between the
patient and his or her psychotherapist. The inclusion of this additional sentence will
help prevent the mere possibility that information is disclosed that would otherwise
divulge the communications made during psychotherapy. We therefore believe the inclusion
of this additional sentence is necessary for the "psychotherapy notes"
authorization requirement to accomplish its fundamental goal of shielding highly sensitive
information from disclosures beyond the patient and his or her treating provider.
Incorporating these changes into the "psychotherapy notes" definition, we
suggest that the definition read as follows with the text of our amendments underlined:
Psychotherapy notes means notes recorded (in any medium) by a health care provider who
is a mental health professional documenting or analyzing the contents of communication
during a psychotherapy, interview, or counseling session. For purposes of this
definition, "psychotherapy notes" excludes medication prescription and
monitoring, counseling session start and stop times, the modalities and frequencies of
treatment furnished, and any summary of the following items: assessment results,
diagnosis, the treatment plan, symptoms, prognosis, and as related to diagnosis and
prognosis, functional status and progress to date. Psychotherapy notes include
clinical observations or other references in a patient’s record, and summaries of
functional status or progress to date, which would otherwise divulge the nature or
contents of communication made during a psychotherapy, interview or counseling session.
Test responses, scores, items and forms used in assessment or personal history shall be
considered a part of psychotherapy notes, if the mental health professional determines
that such assessment or history contains information directly related to psychological
treatment.
In addition to amending the definition of "psychotherapy notes" we offer
additional suggestions to ensure that the psychotherapy notes authorization requirement
works in practice and that it accomplishes the goal of providing patients the ability to
determine when their psychotherapy notes may be disclosed to managed health plans and
other entities:
1. We believe that covered entities should not be permitted to condition treatment,
enrollment in a health plan, or payment on the disclosure of psychotherapy notes relating
to the individual. A provision is needed to ensure that the psychotherapy notes
authorization requirement cannot be circumvented and dismissed as a mere procedural
formality by managed health plans. Such a provision was included at proposed section
164.508(a)(3)(iii) before it was eliminated by the "corrections" published on
January 5, 2000, 65 Federal Register 427. We urge that this provision be included in the
final rule.
2. Psychologists and other psychotherapists must, at times, share portions of
psychotherapy notes with other treating health care professionals in integrated health
care facilities to ensure coordination of care. For example, psychologists typically
include portions of psychotherapy records in the patient’s hospital record for care
coordination. The requirement contained in the exception, at section 164.508(a)(3)(I)(A),
that only the "creator" of the notes may use the notes without specific patient
authorization, is a vitally important provision. It does not, however, permit the sharing
of some portions of sensitive patient information needed to ensure coordinated and
appropriate care in hospitals or other integrated health care facilities. We suggest that
this language be amended to add directly after the word "creator," the words
"or in an integrated health care facility, the creator or other treating health care
professional,".
Relatedly, we note that the Secretary includes in her commentary additional
"psychotherapy notes" requirements which are not included in the proposed
"psychotherapy notes" definition. These requirements are that to qualify for the
exception to disclosure without patient authorization, "such notes could be used only
by the therapist who wrote them, would have to be maintained separately from the medical
record, and could not be involved in the documentation necessary for health care
treatment, payment, or operations . . . ." [20] As in our example
above, psychologists share information with other treating health care professionals in
hospitals for coordinated-care and patient safety purposes. We suggest that these
additional requirements are unworkable in practice and may harm patient care. We urge the
Secretary to continue to exclude these requirements from the language of the final rule.
Although including relevant portions of psychotherapy notes in a patient’s medical
record is a common practice, this does not mean that the patient and his or her
psychotherapist relinquish the privacy of the record. Rather, the patient and
psychotherapist choose pertinent information relative to assuring appropriate overall
treatment for the patient. Psychologists often work in settings, such as in medical units
in hospitals, where their treatment notes are used to communicate sensitive information to
other treating health care professionals to enhance the effectiveness of the patient’s
overall health care. Disclosure to a core group of treating providers in this situation is
necessary and does not expose the record to a substantial loss of privacy, which would be
the case in the sharing of such information for payment, health care operations, and other
administrative purposes.
3. We suggest that an additional requirement be inserted which states that for purposes
of the psychotherapy notes authorization requirement, a health plan may not claim
"ownership" of the record and therefore thwart the requirement. A July 1999
National Mental Health Association (NMHA) survey of the current confidentiality protocols
under private sector managed care systems found that for purposes of utilization review,
every managed health plan policy reviewed "maintains the right to access the full
medical record (including detailed psychotherapy notes) of any consumer covered under its
benefit plan at its whim." [21] Worse, at least one of the major
managed health plans surveyed considered the patient record to be the property of the
health plan and governed by the health plan’s policies. [22]
Clearly, a patient is less likely to be afforded the protection provided by the
psychotherapy notes authorization requirement if he or she is enrolled in a plan which
states that it owns the patient’s psychotherapy notes. Therefore, language should be
included in the final rule that specifies that real or perceived "ownership" of
the mental health record does not negate the requirement that patients must specifically
authorize the disclosure of their psychotherapy notes.
B. Many States have laws that more stringently protect the privacy of mental health
records than those requirements provided in the proposed rule. The APA believes that the
proposed rule’s non-preemption of these State laws is vitally important for the
preservation of the psychologist-patient relationship. We are concerned, however, with the
proposed rule’s and the Secretary’s interpretation of those State laws that are
sufficiently "related to" the privacy of patient records to be saved from
Federal preemption. We suggest that the proposed rule’s "related to"
requirement is unnecessarily restrictive and may be inappropriately interpreted to preempt
many State laws that protect the privacy of mental health records.
As we have mentioned, States across the country currently protect the privacy of the
psychotherapist-patient relationship and the confidentiality of the records that are
created as a result of this relationship. The APA appreciates that the Secretary
acknowledges and accepts the importance of this body of mental health privacy law
throughout her commentary and by providing that these laws, when mandating stronger
protections, will not be preempted by the proposed rule. We strongly support the
non-preemption of these State laws.
We are concerned, however, with the manner in which the Secretary has interpreted and
implemented the "related to" requirement. As proposed, only a State mental
health law which is sufficiently related to the privacy of individually identifiable
health information is saved from preemption. To be sufficiently related, the State law
must have "the specific purpose of protecting the privacy of health information or
the effect of affecting the privacy of health information in a direct, clear, and
substantial way." [23] While the second part of the
requirement—that the law is saved when it has the "effect of affecting the
privacy of health information in a direct, clear, and substantial way"—may
preserve State laws addressing mental health records, we suggest that the "specific
purpose" first part requirement may be unnecessarily restrictive and inappropriately
interpreted to preempt these laws.
Many States currently afford a range of patient confidentiality protections for persons
receiving mental health services. Some of these laws may not be interpreted as having been
created for the "specific purpose of protecting the privacy of health
information." For example, psychologists’ and other professionals’
licensure laws, and laws related to a psychotherapist’s duty to warn
others of potential harm from his or her dangerous patients, often provide requirements related
to the privacy of health information. These laws, however, were not created for the
specific purpose of protecting health information and therefore could be seen as preempted
by the proposed rule.
The statutory basis for the proposed rule’s non-preemption of stronger State laws
may be found in section 264(c)(2) and section 1178 of the Health Insurance Portability and
Accountability Act (HIPAA). The language of these sections together, as the Secretary
concludes, provides that State laws relating to the privacy of individually identifiable
health information, which are contrary to and more stringent than the Federal requirements
are not preempted. No provision of the statute qualifies non-preemption through the
additional requirement that the State laws must have the "specific purpose of
protecting the privacy of health information."
The Secretary relies on and cites the House Report language leading to the passage of
HIPAA as authority for this additional requirement:
The intent of this section is to ensure that State privacy laws that are more stringent
than the requirements and standards contained in the bill are not superseded.
Based on this report language alone, the Secretary concludes State laws that relate to
the privacy of individually identifiable health information are "simply those that
are specifically or explicitly designed to regulate the privacy of personal health
information and not ones that might have the incidental effect of doing so." [24] The APA does not understand how the Secretary could have reached this
conclusion based on House Report language, which merely restates the general
non-preemption standard. More importantly, we suggest that the additional "specific
purpose" requirement to be implemented in the proposed rule could be interpreted to
preempt State laws that Congress intended to save.
For this reason, we suggest that the Secretary amend section 160.202 of the proposed
rule to more closely reflect Congressional intent regarding non-preemption of stronger
state laws. We suggest, for example, that the words "the specific" be deleted
and replaced with the word "a".
II. Other provisions which particularly impact the privacy of mental health records.
A. In mental health cases, the authority to use and disclose patient information in
"emergency circumstances" should be restricted to licensed mental health care
professionals exercising their professional judgment.
The APA is greatly troubled by the breadth of the proposed provision allowing
unauthorized use and disclosure of patient information in emergencies, particularly with
respect to mental health records. Quite simply, the proposed rule appears to open up the
ability to invade patients’ privacy to too many people in too many circumstances.
Specifically, the Secretary is proposing that health plans, health care clearinghouses,
and providers be permitted to:
[C]onsistent with applicable law and standards of ethical conduct and based on a
reasonable belief that the use or disclosure is necessary to prevent or lessen a serious
and imminent threat to the health or safety of an individual or the public, use or
disclose protected health information to a person or persons reasonably able to prevent or
lessen the threat, including the target of the threat. [25]
On its face, this provision would permit virtually anyone working for a health plan or
a health care clearinghouse -- even a receptionist or clerk with no mental health training
whatsoever -- to breach a patient’s confidentiality if in their lay opinion the
circumstances warrant. The APA firmly believes and strongly urges the Secretary to propose
that, in the case of patients’ mental health records, only licensed mental health
care professionals based upon their professional judgment should be authorized to assess
whether the circumstances justify invading patients’ privacy. Only if the mental
health care professional recommends disclosure, should the individual provider, health
plan or health care clearinghouse be permitted to release confidential patient records.
This change would ensure that only persons with professional expertise in mental health
care would be making these extremely difficult decisions.
The Secretary already has proposed that only a licensed health care professional based
upon his or her reasonable professional judgment of possible harm to the patient may deny
a patient’s request to inspect or copy the patient’s medical records. [26] Health plans that choose to deny patients their right to inspect and
copy their records must first consult with a licensed health care professional. The
assessment of potential for harm to the patient is precisely the same here. Therefore,
requiring that only licensed health care professionals judge whether an emergency of
sufficient severity exists to warrant disclosure of a patient’s private information
would be fully consistent with the Secretary’s own proposals for other sections of
this rule.
Further, the Secretary’s proposal to allow disclosure by simply anyone who
believes an emergency exists is a tremendous, unprecedented expansion of Tarasoff v.
Regents of the University of California, [27] and similar State laws
throughout the country. We understand and agree with the California Supreme Court’s
finding in Tarasoff that "the protective privilege ends where public safety
begins." We also understand the Secretary’s very practical desire to ensure that
health care professionals and law enforcement officials have access to the medical records
of an individual who, for example, is injured in an automobile accident and cannot consent
to disclosure in order to ensure that proper medical care can be provided. In the context
of mental health, however, confidential communications between psychotherapists and their
patients deserve greater protection.
As the Supreme Court has stated in Jaffee, as the Secretary already has
recognized, and as we have commented throughout this letter, communications between
patients and their psychotherapists deserve heightened protection due to the records’
greater sensitivity and the special need for confidentiality and trust in the
psychotherapeutic relationship. The Secretary also has recognized that nearly all States
have adopted some form of additional privacy protection for mental health records. [28] Under California law, for example, the psychotherapist-patient
privilege is considered to be a broader privilege than the physician-patient privilege. [29]
Moreover, the need to balance the patient’s need for confidentiality against the
public interest of health and safety is already addressed by many States under their
"duty to protect" laws, which impose an obligation on psychotherapists and other
providers to protect readily identifiable third parties from potential harm. As the
Secretary already has acknowledged, this duty was first established in Tarasoff,
but has since been adopted in similar form by many States. [30] For more
than two decades, these States have worked carefully and meticulously to achieve an
appropriate balance between the need for confidentiality and the need to protect the
health and safety of others. If there is the possibility of danger to a readily
identifiable third party, the psychotherapist must take steps to warn and protect that
third party. These steps might include warning the potential victim of the danger,
notifying the police, or even involuntarily committing the patient to the hospital.
To better balance the need for public safety and patient privacy, the APA strongly
urges the Secretary to more narrowly tailor the "emergency circumstances"
provision in the manner suggested above. We offer below our recommended revisions to this
provision with the following underlined amendments:
A covered entity may, consistent with applicable law and standards of ethical conduct
and based on a reasonable belief that the use or disclosure is necessary to prevent or
lessen a serious and imminent threat to the health or safety of an individual or the
public, use and disclose protected health information to a person or persons
reasonably able to prevent or lessen the threat, including the target of the threat. In
the case of a serious and imminent threat to the health or safety of an individual or the
public resulting from an individual’s mental health condition, a covered entity may,
based on a licensed mental health care professional’s exercise of reasonable
professional judgment that disclosure is necessary to prevent or lessen the threat and
consistent with applicable law and standards of ethical conduct, use and disclose
protected health information to a person or persons reasonably able to prevent or lessen
the threat, including the target of the threat.
B. The proposed rule should provide an exception to the right of patients to
inspect and copy their mental health records if, in the opinion of a licensed mental
health care professional, disclosure could reasonably be expected to cause substantial
psychological harm to the individual who is the subject of the record.
The APA appreciates that the provision protecting patients’ right to inspect,
copy, and correct their records is consistent with evolving legal recognition of these
rights. However, we strongly urge the Secretary to reverse her decision to remove the
exception for psychological harm and include it in the final rule.
As presently drafted, the provision permits health plans, health care clearinghouses
and providers to deny patients’ requests for access to their records where licensed
health care professionals judge that access is reasonably likely to endanger only
"the life or physical safety of the individual or another person." [31]
The Secretary has made clear that she considered, but declined to include, a similar
exception where the information has the potential to cause emotional or psychological
harm. The Secretary apparently arrived at this determination after concluding: "in
the current age of health care, it is critical that the individual is aware of his or her
health information." [32]
The APA agrees that in today’s environment it is important for individuals to have
access to their health care information. However, the exception to this principle, where
the life and safety of the individual are at stake, is no less critical for patients
endangered psychologically than physically. The potential for serious psychological injury
in this regard is not the equivalent of just a broken arm, but could be far more serious,
even permanent. For example, if a patient suffering from paranoid delusions believes he or
she is hearing voices, then inspects and reads in a therapist’s record that the
therapist believes these voices are auditory hallucinations rather than "real"
voices, distrust of the therapist could occur if revealed too early in the treatment. To
ignore the possibility of psychological harm in mental health treatment works contrary to
the very purpose of the treatment.
In fact, the psychological harm exception to patients’ right of access to their
records also is consistent with evolving law. For example, legislation proposed in this
congressional session by Senator Jeffords, "The Health Care Personal Information
Nondisclosure Act of 1999," (S. 578), included a psychological harm exception.
Specifically, the bill would permit denial of patient access to their records if "the
disclosure of the information could reasonably be expected to endanger the life or
physical safety of, or cause substantial mental harm to, the individual who is the
subject of the record (emphasis added)." [33]
Similarly, as the Secretary herself has acknowledged, a number of States allow an
exception for psychological harm including, but not limited to: California, Connecticut,
the District of Columbia, Indiana, and Maine. [34] In the District of
Columbia, for example, the treating mental health care professional may refuse a
patient’s request to see the patient’s records if the professional
"reasonably believes that such refusal or limitation on disclosure is necessary to
protect the client from a substantial risk of imminent psychological impairment . . ." [35]
The APA understands that concerns have been raised that the psychological harm
exception is often too vague or too broadly worded because it permits the covered entity
subjectively to determine whether there is a risk of psychological harm. To ensure greater
accuracy in assessing the potential for psychological harm, the APA strongly recommends
that the determination whether to deny access be made solely by a licensed mental health
care professional, who has the requisite training to assess whether serious psychological
harm is likely to occur.
Accordingly, incorporating the above referenced changes into the "harm"
exception to patients’ right to inspect and copy their records, we suggest that the
regulation read as follows with the text of our amendments underlined:
[A] covered entity may deny a request for access under paragraph (a) of this section
where (i) a licensed health care professional has determined that, in the exercise of
reasonable professional judgment, the inspection and copying requested is reasonably
likely to endanger the life or physical safety of the individual or another person; or
(ii) a licensed mental health care professional has determined that, in the exercise of
reasonable professional judgment, the inspection and copying requested is reasonably
likely to cause substantial mental harm to the individual or another person.
In the alternative, because so many State laws already contain exceptions for
psychological harm, the APA respectfully requests that the Secretary at the very least not
preempt State laws governing patients’ right to inspect and copy their records.
C. Law enforcement officials should be limited in their use and re-disclosure of
patient records. Permissible disclosures under the proposed rule (1) related to victims of
crime or abuse, (2) pursuant to legal processes, and (3) related to the investigation of
health care fraud should be narrowed in scope or their meaning clarified.
We raise a number of concerns regarding section 164.510(f) of the proposed rule, which
permits health providers and plans to disclose records to law enforcement officials
without patient authorization. Generally, we believe that law enforcement access to
patient records should be limited to the absolute minimum disclosure and use necessary in
the interest of justice. The law enforcement access provisions of the proposed rule do not
provide and therefore should be clarified to meet this burden.
We first discuss an overarching concern with the law enforcement disclosure provision:
Assuming that disclosure to a law enforcement official has been made, the proposed rule
provides no limitation for further use and re-disclosure of the records. Limitations on
law enforcement use and re-disclosure should be included in the final rule.
By not imposing use and re-disclosure safeguards, the Secretary may have assumed that a
court, grand jury, or judicial official in an administrative proceeding would impose such
limitations. It seems reasonable to believe, however, that various administrative law
bodies may not have specific procedures for use and re-disclosure in place. In addition,
the proposed rule allows disclosure of patient records in other instances unrelated to
legal processes or proceedings. These include release of patient records to a law
enforcement entity: (1) to identify a suspect, fugitive, material witness, or missing
person, (2) regarding the victim of a crime, abuse, or other harm, or (3) pursuant to an
investigation of health care fraud. The proposed rule should specify use and re-disclosure
requirements for disclosures to law enforcement in these instances.
Both Senators Jeffords and Leahy specify limitations on law enforcement use and
re-disclosure of patient records in their proposed patient records privacy bills (S. 578
and S. 573, respectively). Both the Jeffords and Leahy bills, for example, require that a
law enforcement entity either destroy the patient information or return it to the
disclosing party when the matter or need for which the information was disclosed has
concluded. Both bills require redaction of personally identifiable information prior to
public disclosure in a judicial or administrative procedure. Senator Leahy’s bill
additionally requires the court granting law enforcement access to impose appropriate
safeguards to ensure the privacy of the information and to protect against unauthorized or
improper use and disclosure. [36] The provisions of these bills could
serve as starting points for limitations recommended by the Secretary.
In addition to the lack of limitations specified for use and re-disclosure of records
by law enforcement officials, we raise three other issues concerning certain permissible
disclosures to law enforcement:
1. Unauthorized disclosure of patient records of victims of crime, abuse or other
harm. Section 164.510(f)(3) permits health care providers and plans to disclose
information about an individual who is a "suspected" victim of a crime or abuse,
if: (1) such information is needed to determine a law violation by a person other than the
victim, and (2) immediate law enforcement activity, depending upon such information, may
be necessary. On its face, this provision appears over-broad, potentially giving law
enforcement officials broad access to patient records in a number of instances where
judicial review is necessary to protect the privacy of the victim’s health record.
For example, the provision:
- envisions access to the records of any victim of a crime, even if the victim or public
is not endangered by the on-going criminal activity.
- provides no limitation on the amount of information law enforcement may have access to,
such as the "minimum necessary" to pursue the law enforcement activity.
- does not define "immediate" law enforcement activity. Urgent pursuit of a
criminal suspect seems a reasonable immediate law enforcement activity, but pursuit of a
suspect who is "engaged in ongoing criminal activities," as offered by the
commentary, does not give a sense of immediacy. [37] Such ongoing
criminal activities could be taking place over a period of months or years.
Perhaps the Secretary’s most compelling argument for unauthorized records
disclosure to law enforcement officials concerns protecting victims of spousal or child
abuse from additional violent crimes. [38] While we might agree that
this is a reasonable unauthorized records disclosure, to our knowledge, law enforcement
officials currently must pursue judicial review and other requirements to receive access
to patient records of victims of crime or abuse. Therefore, this provision would allow
significant new law enforcement access to patient records.
As we have mentioned throughout our comments, mental health records are particularly
sensitive to disclosure. Disclosure of psychotherapy notes and other mental health records
to law enforcement without authorization could have dire consequences for a patient. For
example, a victim of spousal or child abuse may no longer trust a mental health provider
who relinquished his or her records to law enforcement officials. Further, the mental
health records may contain sensitive information, to which the victim does not want the
abuser, in turn, to have access.
Judicial review allows an unbiased judge to weigh the privacy interests of the patient
against the public interest of law enforcement’s pursuit of criminals. Certainly, the
mental health records of victims of crime should be particularly protected from
unauthorized disclosure unless a compelling interest justifies such disclosure. Therefore,
unauthorized records disclosure to law enforcement, particularly with regard to mental
health records, should be confined to narrow circumstances. We urge that the provision be
narrowly tailored to recognize the particular sensitivity of mental health records.
2. Disclosure of patient records pursuant to a legal process. Section
164.510(f)(1) would permit unauthorized patient records disclosure pursuant to a law
enforcement inquiry authorized by law through: (1) a warrant, subpoena, or order issued by
a judicial officer, (2) a grand jury subpoena, or (3) an administrative request. Unlike
disclosures made through warrants, subpoenas, and other court orders, disclosures pursuant
to administrative requests do not require judicial review. We seek clarification of this
provision to assure that law enforcement officials cannot thwart the current warrant,
subpoena, and court-ordered processes by accessing patient records through administrative
requests.
We assume that law enforcement officials would seek disclosure of records in the manner
appropriate to the matter under investigation, as required by law, whether through
warrant, a grand jury subpoena, or administrative request. Administrative requests for
records, for example, should not permit law enforcement officials to request patient
records from health care providers and plans based on a written request only and without
judicial review.
3. Disclosure of records during an investigation of health care fraud. Section
164.510(f)(5) would permit a covered entity, such as a managed health plan, to disclose
unauthorized protected patient health information to law enforcement officials if the
covered entity believes in good faith that the information shows evidence of criminal
health care fraud and abuse. [39] If this proposal is retained in its
current form with no additional safeguards, it will provide a loophole so large that it
swallows the rule. As we have repeatedly stated throughout this commentary, health care
records, particularly mental health care records, deserve more – not less –
protection.
Notably absent from this section are key procedural protections for patients, such as:
(1) prior review of the request by an administrative body, which then weighs law
enforcement’s need for the information against the patient’s privacy interests;
and (2) prior notice to the patient with an opportunity to contest the proposed
disclosure. The APA believes that inclusion of these protections is crucial to protecting
patient privacy while still allowing the investigation of health care fraud and abuse.
Legislative proposals, such as Senator Leahy’s privacy bill, S. 573, contain both of
these types of restrictions on law enforcement’s access to patients’ protected
health care information. [40]
Further, the NCVHS supports these types of safeguards. As the NCVHS recommended, and as
the APA agrees:
Investigations of health fraud and abuse are important. Nevertheless, the Committee
believes that patients need strong substantive and procedural protections if their health
records are to be disclosed to law enforcement officials. . . . The Committee is confident
that strong protections for patient privacy interests can be compatible with fraud and
abuse investigations. [41]
Closing.
The APA recognizes that the proposed rule is a beginning point toward affording
patients greater privacy protections regarding their health care records. We urge the
Secretary to incorporate our suggestions, which we believe will improve the rule,
particularly as it encompasses the protection of mental health records.
We would appreciate the opportunity to work further with the Department of Health and Human
Services to improve the rule and specifically, to incorporate our suggestions. Please
contact Doug Walter, J.D., Legislative and Regulatory Counsel, Government Relations,
Practice Directorate, at (202) 336-5889, if you have further questions regarding our
comments.
Sincerely,

Russ Newman, Ph.D., J.D.
Executive Director for Professional Practice
Footnotes
1. 64 Fed. Reg. 59917, 59994 (1999).
2. Id. at 59920.
3. California HealthCare Foundation, National Survey: Confidentiality
of Medical Records, p. 21 (January 1999).
4. 64 Fed. Reg. at 60009-60010.
5. Id. at 59920.
6. We use the term "managed health plan" throughout this
comment to indicate managed care organizations' access to and use of patient records.
While we recognize that the proposed rule covers disclosure of records to other entities,
such as fee-for-service health plans, health care clearinghouses, and health care
providers, we use the term "managed health plans" to stress that these are the
entities which primarily use patient records for payment, "health care
operations," and other administrative purposes.
7. Hearing on S. 1360, The Medical Records Confidentiality Act of 1995:
Before the Senate Comm. On Labor and Human Resources, 104th Cong., 1st Sess. (1995)
(statement for the record of the American Psychological Association).
8. Letter from Marilyn S. Richmond, Assistant Executive Director,
Government Relations, Practice Directorate, American Psychological Association, to the
National Committee on Vital and Health Statistics (NCVHS), c/o U.S. Department of Health
and Human Services (Feb. 14, 1997).
9. See, e.g., Health Privacy Project, Best Principles for Health
Privacy: A Report of the Health Privacy Working Group, Institute for Health Care Research
and Policy, Georgetown University (July 1999); Lise Rybowski, Protecting the
Confidentiality of Health Information, National Health Policy Forum, George Washington
University (July 1998).
10. 64 Fed. Reg. at 59940.
11. Id. at 59924.
12. Id. at 60053 (to be codified at 45 C.F.R. § 164.504).
13. Id. at 60052 (to be codified at 45 C.F.R. § 164.504).
14. Id. at 60053 (to be codified at 45 C.F.R. § 164.504).
15. Letter from Marilyn S. Richmond to NCVHS, p. 4.
16. 64 Fed. Reg. at 60008.
17. Health Privacy Project: The State of Health Privacy: An Uneven
Terrain, Institute for Health Care Research and Policy, Georgetown University (July 1999).
(See p. 3 of "Secondary Findings," as available at
http://www.healthprivacy.org/resources/statereports/secondary.html).
18. 518 U.S. at 10.
19. 64 Fed. Reg. at 60055 (to be codified at 45 C.F.R. §
164.508(a)(3)(iv)(A)).
20. Id. at 59941.
21. National Mental Health Association: Best (& Worst) Practices
in Private Sector Managed Mental Healthcare, Part II: Confidentiality, p. 13 (July 1999).
22. Id. at 13.
23. 64 Fed. Reg. 60051 (to be codified at 45 C.F.R. § 160.202).
24. Id. at 59996.
25. Id. at 60058 (to be codified at 45 C.F.R. § 164.510(k)(1)).
26. Id. at 60060 (to be codified at 45 C.F.R. § 164.514(b)(1)(i)).
27. 17 Cal. 3d 425 (1976).
28. Id. at 60012.
29. California Evid. Code Ann. § 1014 (Deering 1999).
30. Id. at 59972.
31. Id. at 60060 (to be codified at 45 C.F.R. § 164.514(b)(1)(i)).
32. Id. at 59982.
33. S. 578, 106th Cong., 1st Sess. § 101(b)(1).
34. Id. at 59982.
35. D.C. Code § 6-2016 (1999).
36. S. 578, 106th Cong., 1st Sess. § 210; S. 573, 106th Cong., 1st
Sess. § 208.
37. 64 Fed. Reg. at 59962.
38. Id. at 59962.
39. 64 Fed. Reg. at 60057 (to be codified at 45 C.F.R.
§ 164.510(f)(5)).
40. S. 573, 106th Cong., 1st Sess. § 208.
41. NCVHS, Health Privacy and Confidentiality Recommendations, p. 13
(June 1997).