Privacy Confidentiality and Disclosure of Mental Health

The Ethics of a Practicing Therapist
PAMFT Membership Conference
April 11, 2014
Renee H. Martin, JD, RN, MSN
Rhoades & Sinon, LLP
29 Dowlin Forge Road
Exton, PA 19341
Tel.: (610) 423-4200
Fax: (610) 423-4201
E-mail: rmartin@rhoads-sinon.com
941943.2
1
Outline
 Minors’ Rights
 Courts/Subpoenas
 Electronic/Social Media
 HIPAA
.
© 2014 Rhoads & Sinon LLP. All Rights Reserved.
2
Privacy, Confidentiality, Ethical Duties and Disclosure
ACT 147: Adolescent Rights
Consent to release of mental health records of all purposes
and in all circumstances other than those provided in this
section shall be subject to the provisions of the “Mental
Health Procedures Act,” and other applicable federal and
state statutes and regulations.
.
© 2014 Rhoads & Sinon LLP. All Rights Reserved.
3
Privacy, Confidentiality, Ethical Duties and Disclosure
ACT 147: Adolescent Rights
Generally the minor shall control the release of the minor’s
mental health treatment records and information to the
extent allowed by law.
.
© 2014 Rhoads & Sinon LLP. All Rights Reserved.
4
Privacy, Confidentiality, Ethical Duties and Disclosure
ACT 147: Adolescent Rights
When a minor has provided consent to outpatient mental health
treatment (records related to prior treatment consented to by
minor), the minor shall control the records of treatment to the
same extent as the minor would control the records of inpatient
care or involuntary outpatient care under the “Mental Health
Procedures Act” and its regulations.
.
© 2014 Rhoads & Sinon LLP. All Rights Reserved.
5
Privacy, Confidentiality, Ethical Duties and Disclosure
ACT 147: Limited Rights of P/LG
 When a parent or legal guardian (“P/LG”) has consented
to treatment of a minor fourteen years of age or older
Outpatient Treatment, the following shall apply to the
release of the minor’s records and information:
.
© 2014 Rhoads & Sinon LLP. All Rights Reserved.
6
Privacy, Confidentiality, Ethical Duties and Disclosure
ACT 147: Limited Rights of P/LG
 “The P/LG may consent to release of the minor’s medical
records and information, including records of prior mental
health treatment for which the PL/G had provided consent,
to the minor’s current mental health care treatment
provider.”
.
© 2014 Rhoads & Sinon LLP. All Rights Reserved.
7
Privacy, Confidentiality, Ethical Duties and Disclosure
ACT 147: Limited Rights of P/LG
 If deemed pertinent by the minor’s current mental health
treatment provider, the release of information under this
subsection may include a minor’s mental health records
and information from prior mental health treatment for
which the minor had provided consent to treatment.
.
© 2014 Rhoads & Sinon LLP. All Rights Reserved.
8
Privacy, Confidentiality, Ethical Duties and Disclosure
ACT 147: Limited Rights of P/LG
 “The P/LG may consent to the release of the minor’s
mental health records and information to the primary care
provider if, in the judgment of the minor’s current mental
health treatment provider, such release would not be
detrimental to the minor.”
.
© 2014 Rhoads & Sinon LLP. All Rights Reserved.
9
Privacy, Confidentiality, Ethical Duties and Disclosure
ACT 147: Limited Rights of P/LG
 Release of mental health records and information shall be
limited to release directly from one provider of mental
health treatment to another or from the provider of mental
health treatment to the primary care provider.
.
© 2014 Rhoads & Sinon LLP. All Rights Reserved.
10
Privacy, Confidentiality, Ethical Duties and Disclosure
ACT 147: Limited Rights of P/LG
 The P/LG who is providing consent to outpatient mental health
treatment of a minor (14+) shall have the right to:
information necessary for providing consent;
symptoms;
conditions to be treated;
medications;
other treatments;
risks and benefits;
expected results.
.
© 2014 Rhoads & Sinon LLP. All Rights Reserved.
11
Privacy, Confidentiality, Ethical Duties and Disclosure
Confidentiality of Mental Health Treatment Records
§5100.25 Release to Courts
 No release of records in response to a Subpoena or other Court discovery proceedings
without patient consent or an additional court order
 Duty to Inform Court
 Inform client/patient’s attorney
 Defense counsel for Provider may review records; minimum necessary applies
 Employees are to be informed; violations include civil and criminal liability
.
© 2014 Rhoads & Sinon LLP. All Rights Reserved.
12
Privacy, Confidentiality, Ethical Duties and Disclosure
Court Orders
 Issues by a Judge
 Increased duty to respond
 Search warrant (magistrate)
.
© 2014 Rhoads & Sinon LLP. All Rights Reserved.
13
Privacy, Confidentiality, Ethical Duties and Disclosure
Ethical Duties and Social Media and e-mail
 Provider-Patient Relationship
 Explaining the Limits of Confidentiality
 Social Media and Private Practice
 Use of e-mail
.
© 2014 Rhoads & Sinon LLP. All Rights Reserved.
14
Privacy, Confidentiality, Ethical Duties and Disclosure
Social Media refers broadly to Web-based tools that
allow individuals to communicate quickly, easily and
broadly.
•
•
•
•
Email
Facebook
Twitter
LinkedIn
• Blogs
• You Tube
• Health sites
.
© 2014 Rhoads & Sinon LLP. All Rights Reserved.
15
Privacy, Confidentiality, Ethical Duties and Disclosure
Confidentiality and Social Media
When is the Provider-Patient Relationship created?
 Contractual: implied by the actions of the parties in
seeking and providing advice and care
 Use of email
.
© 2014 Rhoads & Sinon LLP. All Rights Reserved.
16
Privacy, Confidentiality, Ethical Duties and Disclosure
Principle II: Confidentiality
1.13 Electronic Therapy (AAMFT Code of Ethics)
2.4 Protection of Records. Marriage and family therapists store,
safeguard, and dispose of client records in ways that maintain
confidentiality and in accord with applicable laws and professional
stands.
2.7 Protection of Electronic Information. When using electronic
methods for communication, billing, recordkeeping, or other
elements of client care, marriage and family therapists ensure that
their electronic data storage and communications are privacy
protected consistent with all applicable law.
.
© 2014 Rhoads & Sinon LLP. All Rights Reserved.
17
Social Media Guidelines & Recommendations
 Professional Liability
Policies should remind employees and staff that online
communications are not private and may be discoverable in
litigation.
Policies should clearly define the parameters of the relationships
between healthcare professionals and other social media users.
Professionals should be aware of the pros and cons of making
patients their Facebook “friends”.
 Distinguish between personal/social relationships versus
doctor/patient relationships.
 Be aware of risks of “practicing medicine online”
 It is generally unwise to establish therapist/patient relationships online.
© 2014 Rhoads & Sinon LLP. All Rights Reserved.
118
Social Media Guidelines & Recommendations
 Professionals should monitor their social media/networking sites
regularly.
 Consider adding broad disclaimers such as a statement that your
organization does not give medical advice via your website or social
media sites and that users seeking specific medical advice should
contact a physician or contact 911 in the event of an emergency.
© 2014 Rhoads & Sinon LLP. All Rights Reserved.
119
Policies – Can They Help?
 Be Proactive Not Reactive
Even if your employees don’t use or access computers at
work, they most likely do at home – and may be talking
about work.
Nearly every employer in every work environment should
consider how social media could impact their workforce or
company.
What steps should be taken now to avoid problems down
the road.
© 2014 Rhoads & Sinon LLP. All Rights Reserved.
220
Issues To Consider in Developing a Social
Media Policy
 Whose job will it be to monitor violations?
 Who will monitor your social media activity? Use
automated resources such as Google Alerts or have IT
sources assist you to determine other resources available
to monitor social media activity that may be impacting
your company.
 How will you discipline violators – consistently?
© 2014 Rhoads & Sinon LLP. All Rights Reserved.
221
Issues To Consider After Developing a Social
Media Policy
 Be careful about disciplining employees who engage in
concerted activity, report illegal activities and exercise
freedom of speech.
 Consider training employees regarding the social media
policy and areas such as privacy, trade secret
infringement, etc.
 Re-evaluate on a regular basis. Social media is
developing and changing quickly. Your attitudes and
expectations regarding social media will likely change
overtime – be sure your policies keep up.
© 2014 Rhoads & Sinon LLP. All Rights Reserved.
222
Privacy, Confidentiality, Ethical Duties and Disclosure
Confidentiality and Social Media
 American Health Information Management Association
(“AHIMA”)
 American Medical Association Ethical Guidelines (AMA)
 American Psychological Association Ethical Principles
(APA)
 Marriage and Family Therapists (Regulations and AAMFC
Code of Ethics)
.
© 2014 Rhoads & Sinon LLP. All Rights Reserved.
23
Privacy, Confidentiality, Ethical Duties and Disclosure
Questions to Consider with Social Media/E-mail
 Is it necessary to use e-mail?
 Is there another equally safe way to send information?
 Is the disclosure necessary?
 Does the disclosure affect my other obligations?
 Should it be encrypted?
 How do I dispose of it?
 Is it part of the clinical record?
.
© 2014 Rhoads & Sinon LLP. All Rights Reserved.
24
HIPAA
.
© 2014 Rhoads & Sinon LLP. All Rights Reserved.
25
History of HIPAA
1996
- HIPAA enacted
1999-2000
- Initial Privacy & Security Regulations Issued
2002
- Final Privacy Rules Issued
2005
- Final Security Rules Issue
2009
- HITECH ACT – Interim Final Rule-Breach
Notification
2010
- Enforcement Rules Published
2013
- HIPAA Final Omnibus Rule
.
© 2014 Rhoads & Sinon LLP. All Rights Reserved.
26
 Who is covered under HIPAA?
.
© 2014 Rhoads & Sinon LLP. All Rights Reserved.
27
Who Is Subject to HIPAA?
 Covered Entities (direct)
Health plans: insurance companies; HMO
Health care clearing houses (process nonstandard data
elements into standard data elements)
Health care providers who transmit any health information in
electronic form in connection with a covered transaction
Business Associates
 Receive PHI from covered entity
 Perform a function on its behalf
.
© 2014 Rhoads & Sinon LLP. All Rights Reserved.
28
What is a Business Associate?
 A person who, on behalf of a covered entity - Performs or assists with a function or activity involving
Individually Identifiable Information
Performs certain identified services
.
© 2014 Rhoads & Sinon LLP. All Rights Reserved.
29
Business Associate
Billing Firms
Clearing
Houses
Management
Firms
Auditors
Lawyers
Actuaries
Covered
Entity
Consultants
Vendors
Other
Covered
Entities
TPAs
Accreditation
Organizations
.
© 2014 Rhoads & Sinon LLP. All Rights Reserved.
30
Third Parties and Business Associate?
Covered entities may disclose PHI to a business associate
 As necessary to permit the business associate to perform
functions and activities on behalf of the covered entity
Business associate cannot use PHI for its own purposes
.
© 2014 Rhoads & Sinon LLP. All Rights Reserved.
31
Individually Identifiable Health Information (IIHI)
 Health information including demographics that:
Is created or received by a health care provider, health plan,
or health care clearing house and
Related to the past, present or future physical or mental
health or condition; the provision of health care; or the past,
present or future payment for the provision of health care to
an individual that
 Identifies the individual or with respect to which
there is a reasonable basis to believe the
information can be used to identify the individual.
.
© 2014 Rhoads & Sinon LLP. All Rights Reserved.
32
Protected Health Information (PHI)
 Individually identifiable health information that is:
Transmitted by electronic media
Maintained in any electronic media
Transmitted or maintained in any other form (including oral
or written PHI)
.
© 2014 Rhoads & Sinon LLP. All Rights Reserved.
33
PHI and the Medical Record
 The HIPAA Privacy Rule defines a Designated record set as
follows:
 (1) A group of records maintained by or for a covered entity that is:
 The medical records and billing records about individuals maintained
by or for a covered health care provider;
 Used, in whole or in part, by or for the covered entity to make
decisions about individuals.
 (2) the term record means any item, collection, or grouping of
information that includes protected health information and is
maintained, collected, used, or disseminated by or for a covered
entity.
.
© 2014 Rhoads & Sinon LLP. All Rights Reserved.
34
Privacy Rule Summary
 A covered entity may not use or disclose PHI except:
After is gives written Notice about its health information
practices to the individual
In accordance with an individual’s written authorization*
When requested by the Department of Health and Human
Services Office of Civil rights
Note: MFT Rules of Ethics require authorization from
individual in “unit” to permit disclosures.
.
© 2014 Rhoads & Sinon LLP. All Rights Reserved.
35
General Rule: Required Disclosure
 To individual upon individual’s request; some exceptions
apply
 To HHS in connection with its enforcement and
compliance review actions
.
© 2014 Rhoads & Sinon LLP. All Rights Reserved.
36
General Rule: Permitted Disclosures
 Notice of Privacy Practices: Treatment, Payment, Health
Care Operations
 Authorization – always noted legal mandated exception
 Statutory/Regulatory Disclosures (Duty to Warn, etc.)
.
© 2014 Rhoads & Sinon LLP. All Rights Reserved.
37
Scope of the Omnibus Rule
 Revised breach notification standard
 Patient access to information contained in an electronic
health record (right already granted to paper records)
 Regulation of business associates (“BAs”) and
subcontractors
 Prohibition on “sale” of PHI without authorization
© 2014 Rhoads & Sinon LLP. All Rights Reserved.
38
Privacy, Confidentiality and Disclosure
 HIPAA Permitted Disclosures to Avert Serious Threat to
Health and Safety (§164.512(j))
1. A covered entity may, consistent with applicable law and
standards of ethical conduct, use or disclose protected
health information, if the covered entity, in good faith,
believes the use or disclosure (emphasis added):
Is necessary to prevent or lessen a serious and imminent
threat to the health or safety of a person or the public; and
It to a person or persons reasonably able to prevent or lessen
the threat, including the target of the threat;
.
© 2014 Rhoads & Sinon LLP. All Rights Reserved.
39
Privacy, Confidentiality and Disclosure
 HIPAA Permitted Disclosures to Avert Serious
Threat to Health and Safety (§164.512(j))
Is necessary for law enforcement authorities to
identify or apprehend an individual:
Because of a statement by an individual admitting
participation in a violent crime that the covered entity
reasonably believes may have caused serious physical harm
to the victim; or
Where it appears from all the circumstances that the
individual has escaped from a correctional institution or from
lawful custody
.
© 2014 Rhoads & Sinon LLP. All Rights Reserved.
40
Privacy, Confidentiality and Disclosure
 HIPAA Permitted Disclosures to Avert Serious
Threat to Health and Safety (§164.512(j))
Use or disclosure not permitted if the information
described in this section is learned by the CE
In the course of treatment to affect the propensity to commit the
criminal conduct that is the basis for the disclosure…[during], or
counseling or therapy; or
Through a request by the individual to initiate or to be referred for
the treatment, counseling, or therapy…
.
© 2014 Rhoads & Sinon LLP. All Rights Reserved.
41
Privacy, Confidentiality and Disclosure
 HIPAA Permitted Disclosures to Avert Serious
Threat to Health and Safety (§164.512(j))
Limit on information that may be disclosed.
Presumption of good faith belief.
.
© 2014 Rhoads & Sinon LLP. All Rights Reserved.
42
Scope of the Omnibus Rule
 Patients’ right to restrict data sharing with payers
 Requirements to modify and redistribute NPP
 Clarifies and strengthen OCRs role in enforcement,
imposition of civil monetary penalties (CMPs) and CMP
liability for acts of Business Associates and
subcontractors
© 2014 Rhoads & Sinon LLP. All Rights Reserved.
43
Duty to Notify in Case of Breach
 HITECH Act: Required Notification of Breach of
“Unsecured PHI”
 What is a “breach”?
“the unauthorized acquisition, access, use, or disclosure
of PHI in a manner not permitted by the Privacy Rule and
which compromises the security or privacy of the PHI”
If definition is met, notification is required
*Applies to both electronic and hard copy information*
© 2014 Rhoads & Sinon LLP. All Rights Reserved.
44
Duty to Notify in Case of Breach

What is NOT a “breach”?

Determined by:
1. Definition of “breach”
2. Exceptions to definition of a breach
© 2014 Rhoads & Sinon LLP. All Rights Reserved.
45
Not a Breach by Definition
 Unintentional acquisition, access or use of PHI by
a workforce member
 or person acting under the authority of a Covered
Entity (CE) or Business Associate (BA)
 if the acquisition, access, or use was made in good
faith and within the scope of authority and does not
result in further use or disclosure in a manner not
permitted
© 2014 Rhoads & Sinon LLP. All Rights Reserved.
46
Not a Breach by Definition
 Applies only to “Unsecured PHI”:
If CEs and BAs apply the technologies and
methodologies specified in the April 17, 2009 Guidance
for PHI, the PHI is “secure” and no notice required.
Per the Guidance,
 “Secure PHI” is PHI that is rendered unusable, unreadable
or indecipherable to unauthorized individuals (i.e., encrypted
or destroyed as detailed in the exhaustive list of
technologies and methodologies)
© 2014 Rhoads & Sinon LLP. All Rights Reserved.
47
Omnibus Rule Breach Notification Standard
 An impermissible use or disclosure of PHI is presumed to
be a breach unless the covered entity or business
associate demonstrates there is low probability that the
PHI has been “compromised”
 Determining whether or not there is a low probability data
has been “compromised” requires analysis of what
happened (or may have happened) to the data
 Focus now switched to what happened to PHI?
© 2014 Rhoads & Sinon LLP. All Rights Reserved.
48
Breach Notification – Risk Assessment
 CE/BA should perform risk assessment post-breach
discovery and must consider at least the following:
Nature and extent of PHI involved, including types of
identifiers and likelihood of re-identification
Who was the recipient of the PHI
Was the PHI actually acquired or viewed
The extent to which the risk to misuse of the PHI has been
mitigated
© 2014 Rhoads & Sinon LLP. All Rights Reserved.
49
Breach Notification – Burden of Proof
 If no risk assessment performed, the default is notification
 Burden of demonstrating low probability that PHI is
compromised is on the CE/BA
 Decision not to notify must be documented in case of
review
© 2014 Rhoads & Sinon LLP. All Rights Reserved.
50
Breach Notification – Obligations to Notify
 CEs must notify individuals (although can delegate this to
BAs)
 BAs must notify CEs
 Subcontractors must be obligated to notify their
contracting partner so the information can go back up the
chain
© 2014 Rhoads & Sinon LLP. All Rights Reserved.
51
Breach Notification – Examples of Risk
Analysis Criteria
 Likelihood of identification or re-identification:
A list of client names on letterhead – not low probability
Client discharge data, client not specified – can clients be reidentified? – could be low probability (depends on the circumstances)
 Who is the unauthorized recipient:
A HIPAA covered entity – low probability, as long as you have
evidence the risk has been mitigated
 PHI actually acquired or viewed:
Untampered with laptop – low probability
Information mailed to wrong person – not low probability
Issue then is of course, risk of harm
 Has improper use been mitigated
Satisfactory assurances of destruction from a known person – low
probability
© 2014 Rhoads & Sinon LLP. All Rights Reserved.
52
Right to Request Restrictions to Payors
 The general rule is that a CE is not required to accept
restrictions on the use and disclosure of PHI.
 Final Rule created an exception, and requires a CE to
agree to a restriction if:
the disclosure is for the purpose of carrying out payment or
health care operations and is not otherwise required by law;
and
the PHI pertains solely to a health care item or service for
which the individual, or person other than the health plan on
behalf of the individual, has paid the CE in full.
© 2014 Rhoads & Sinon LLP. All Rights Reserved.
53
Individual Right to Access PHI
 HIPAA currently requires, with limited exceptions,
that individuals have a right to review or obtain
copies of their PHI to the extent such information is
maintained in a designated record set.
 The Final Rule made significant changes to the
individual’s right to access their PHI.
© 2014 Rhoads & Sinon LLP. All Rights Reserved.
54
Patient Access to Electronic Health Information
 If PHI held electronically, individual entitled to an electronic
copy if in a “designated record set” (not just the information
in an “EHR”)
 Must be in the format requested if “readily
producible”; if not, in a readable electronic
form and format agreed upon by the entity
and the individual
Note required to buy new software to do this – but
must have capability to provide some electronic
copy
If individual declines to accept electronic formats entity makes available,
can default to hard copy
Not required to accept patient’s device – but can’t require individuals to
purchase a device from you if they don’t want to
© 2014 Rhoads & Sinon LLP. All Rights Reserved.
55
Patient Access – Reasonable Safeguards
 Must have reasonable safeguards in place to
protect transmission of ePHI – but…
If an individual wants information by unencrypted e-mail,
entity can send if they advise the individual that such
transmission is risky
Can’t force individuals to accept unsecure
Not them responsible for breach – document individual
acknowledgement of risk
 Omnibus allows 30 days to produce with one, 30 day
extension for a total of 60 days-OCR urges entities to
make information available sooner when possible
 If over 30 days must notify patient in writing and inform
why extension is needed
© 2014 Rhoads & Sinon LLP. All Rights Reserved.
56
Patient Access – Third Parties
 Individuals can have the copy directed
to another person/entity – but the choice
must be in writing and clearly identify the individual/entity
Information must be protected and entity must implement reasonable
policies and procedures to sending to the right place (e.g., type e-mail
correctly)
“In writing” can be electronic
 Fees charged are restricted to labor costs for copying –
cannot include cost of retrieval, or portion of capital costs
 Charge can include supplies provided to individual upon
request
© 2014 Rhoads & Sinon LLP. All Rights Reserved.
57
Business Associates/Subcontractors
 Omnibus rule conforms HIPAA regulations to
HITECH Act changes
Before HITECH, BAs regulated through business associate
contracts or agreements (“BAAs”)
After HITECH, BAs and subcontractors are regulated directly
under HIPAA
 Must comply with Security Rule (rule is flexible to accommodate small
BAs)
 Must comply with some of Privacy Rule and provisions of BAA
 Still need BAA Agreement
© 2014 Rhoads & Sinon LLP. All Rights Reserved.
58
Notice of Privacy Practices (NPP)
 NPPs must include:
Statements regarding certain uses and disclosures
requiring authorization – e.g., psychotherapy notes
(where appropriate), marketing, sales of PHI, right to
restrict disclosures to health plans (provider only), and
right to be notified of breach; and
General statement that all uses and disclosures not
described in NPP also require authorization
New patients get revised by 9/23/13, other patients as
they come in to be seen
© 2014 Rhoads & Sinon LLP. All Rights Reserved.
59
What the OCR says about Enforcement
“This final omnibus rule marks the most sweeping changes
to the HIPAA Privacy and Security Rules since they were
first implemented. These changes not only greatly
enhance a client’s privacy rights and protections, but also
strengthen the ability of my office to vigorously enforce the
HIPAA privacy and security protections, regardless of
whether the information is being held by a health plan, a
health care provider, or one of their business associates.”
Director OCR
Leon Rodriguez
© 2014 Rhoads & Sinon LLP. All Rights Reserved.
60
Enforcement Rule – BAs, Investigations, Reviews
 Civil monetary penalties (CMPs) can be assessed
directly to business associates
 Complaint investigations and compliance reviews
Required whenever there is evidence of a possible
HIPAA violation due to willful neglect
Discretionary in the absence of possible willful neglect
Every complaint will be investigated preliminarily
Secretary has discretion to move directly to imposition of
CMPs without informal resolution
© 2014 Rhoads & Sinon LLP. All Rights Reserved.
61
Enforcement - Coordination
 Secretary may disclose PHI to another agency on
request
 Coordination of Department of Justice and FTC
(http://www.hhs.gov.ocr/enforcement)
 Coordination with State Attorneys General to assist with
their direct enforcement
© 2014 Rhoads & Sinon LLP. All Rights Reserved.
62