keeping. To distinguish among the various types of records, the following definitions are offered: ● Mental health records : These are patient records related to the evaluation or treatment of a mental disorder. These records include, but are not limited to, substance abuse (drugs and/or alcohol) records (Moline et al., 1998). Typically, behavioral health documentation is noted in a separate section of the electronic health record (EHR). ● Patient medical records : These are records maintained in any form or medium, by or in the custody of a healthcare provider, which relate to a patient’s health history or diagnosis, or the treatment provided. Patient records do not include information given in confidence by a person other than another healthcare provider or the patient. ● Psychotherapy notes : Psychotherapy notes, according to HIPAA regulations, are notes recorded in any medium by a healthcare provider who is a mental health professional that (a) document or analyze the content of conversations that took place during a private counseling session or a group, joint, or family counseling session and (b) are separated from the rest of the client record. Psychotherapy notes (as compared to medical records) do not include medication prescription and monitoring; counseling session start and stop times; the modalities and frequencies of treatment furnished; results of clinical tests; or any summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date (HIPAA Survival Guide, 2003). Several mental health provider associations have debated this ruling. The Health The privacy rule (HIPAA) In the late 20th century, the problem of employees losing health insurance between jobs and the danger of healthcare fraud led to the creation and passage of an important new law (HIPAA Journal, 2017). In 1996 the 104th Congress amended the Internal Revenue Code of 1986 and created Public Law 104-191, the Health Insurance Portability and Accountability Act. This Act established the first-ever national standards for the protection of certain health information, in an effort, not just to prevent fraud, but to protect client and patient privacy. These standards, developed by the Department of Health and Human Services, took effect April 14, 2003. The Privacy Rule standards address who can use, look at, and receive individuals’ health information (Protected Health Information or PHI) by organizations (Covered Entities) subject to the rule. These organizations include: ● Most doctors, nurses, pharmacies, hospitals, clinics, nursing homes, and other health care providers. ● Health insurance companies, HMO’s, and most employer group health plans. ● Certain government programs that pay for health care, such as Medicare and Medicaid Key provisions of the standards include: ● Access to medical records : Patients may ask to see and get a copy of their health records and have corrections added to their health information. ● Notice of privacy practices : Patients must be given a notice that tells them how a covered entity may use and share their health information and how they can exercise their rights. ● Limits on use of personal medical information : The privacy rule sets limits on how health plans and covered providers may use individually identifiable health information. Generally health information cannot be given to the patient’s employer or shared for any other purpose unless the patient signs an authorization form. ● Prohibition of marketing : Pharmacies, health plans, and other covered entities must first obtain an individual’s specific authorization before disclosing their patient information for marketing. ● Stronger state laws : As stated earlier, confidentiality protections are cumulative; any state law providing additional
Insurance Portability and Accountability Act specifies that “psychotherapy notes are held to a higher standard of protection because they are not part of the medical record and never intended to be shared with anyone else” (Bodek, 2010). If it were true that psychotherapy notes were not intended to be shared, there certainly would be less cause for concern. In addition to the client record, a HIPAA compliance folder for each client must be maintained. Furthermore, HIPAA specifies that psychotherapy notes are to be kept separate from the rest of the individual’s medical record, including the HIPAA compliance folder (Bodek, 2010). This regulation sets up a baffling conundrum in that healthcare facilities usually maintain a single consolidated medical record for each client that includes all consultations, including behavioral health interventions. As a result, the therapist may maintain his or her own clinical or shadow notes, which may be considered “personal,” but are nevertheless subject to the same legal scrutiny as the official record. Some states protect personal notes from legal discovery, yet keeping such notes does pose a risk. Mitchell (2007) describes a case in which a practitioner naïvely kept the second set of notes in a foreign language as protection. Of course those notes could be translated. Other practitioners may conclude that “what they don’t know won’t hurt me” and keep the personal notes a secret. If asked under oath if all records have been provided, however, the consequences of perjury and ethical misconduct may be worse than what was written in the notes. protections would continue to apply. However, should state law require a certain disclosure: such as reporting an infectious disease outbreak: the federal privacy regulations would not preempt the state law. ● Confidential communications : Patients have the right to expect covered entities to take reasonable steps to ensure communications with them are confidential. For example, a patient may want to be called on their work phone rather than home telephone. ● Complaints : Patients may file a formal complaint regarding privacy practices directly to the provider, health plan, or to the HHS Office for Civil Rights. Consumers can find out more information about filing a complaint at https://www.hhs.gov/ hipaa/filing-a-complaint/index.html or by calling (800) 368- 1019. It is very important to know that professionals who work in the mental health field are responsible for following and enforcing the HIPAA Privacy Rule. There can be severe civil and criminal penalties if procedures are not followed, and depending on the situation, an individual employee may be held responsible for not protecting a client’s privacy. For unknowing civil violations of the standards, the Office for Civil Rights (OCR) may impose monetary penalties of from $100 to $50,000 per violation, with an annual maximum of $25,000 per year for repeat violations. Penalties are higher for reasonable cause and willful neglect. PL 104-191 prescribed criminal penalties for certain actions such as knowingly obtaining protected health information in violation of the law. The Department of Justice handles criminal penalties, which are significantly higher than civil penalties, ranging from $50,000 and one year in prison up to $250,000 and 10 years in prison if the offenses are committed with the intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm. This rule ensures protections for clients by limiting the way covered entities can use personal medical information. The regulations protect medical records and other individually identifiable health information (identifiers), whether the information is transmitted in electronic, written, or verbal format.
Page 43
Book Code: SWTX1524
EliteLearning.com/Social-Work
Powered by FlippingBook