Ensuring patient trust is one of the highest priorities for healthcare providers. Knowing that there is a layer of confidentiality between the patient and his psychiatrist encourages patients to seek the help that they need and allows providers to obtain clinically relevant information necessary to treat their patients. Both ethical considerations and federal and state privacy laws dictate the necessity for confidentiality. With the rise in specialization and the institutionalization of the healthcare field, there are now countless other providers, insurers, and other associates who may need patient information from psychiatrists in order to make the system work effectively. Additionally, instances of medical malpractice, workers compensation, accidents, estate planning, and the like may require the disclosure of medical records. This means that the request for patient records from your practice is likely continuous. Providers must be aware of which entities may legally obtain information without authorization, how to obtain valid consent from patients, and what information may be disclosed. Having adequate knowledge about the law and setting appropriate procedures in place are the best ways to avoid potential liability for unauthorized disclosures.
Requirements Under HIPAA
The Health Information Portability and Accountability Act (HIPAA) sets forth the requirements for individual healthcare providers, healthcare facilities and their business associates (collectively called “covered entities”) to disclose a patient’s protected health information (or PHI, as the Act calls it). The HIPAA Privacy Rule covers all information that individually identifies a patient—including digital, paper, oral, or any other form. PHI typically covers information such as a patient’s name, social security number, physical or mental health condition, any treatment or care provided, and information regarding payment or insurance (as long as it identifies the individual patient). Subject to enumerated exceptions under HIPAA, PHI cannot be disclosed without the patient’s explicit authorization (or the consent of an authorized representative).1
Specific HIPAA Considerations for Behavioral Health Professionals
Although HIPAA governs behavioral health PHI the same as general health information, there is a major exception to this rule for “Psychotherapy Notes.” Under the Privacy Rule, psychotherapy notes are explicitly defined and must be kept separate from the patient’s other medical records in order to receive heightened protection against disclosure, afforded under HIPAA. Psychotherapy notes do not include any information maintained in the patient’s medical record such as information about medications, prescriptions, treatment start and stop times, results of tests, diagnoses, symptoms, or prognosis.2
In addition, psychotherapy notes require the patient’s authorization before disclosure to anyone, including another provider for treatment purposes, except in cases where there is imminent harm or the mandatory reporting of abuse. Providers should be careful to keep these notes separate from the patient’s full medical record and confirm that there is a valid authorization form for these notes specifically before disclosing anything.
Penalties for Unauthorized Disclosures Under HIPAA
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for enforcing HIPAA and imposing penalties on noncompliant entities. If OCR determines that a covered entity has been non-compliant, it may impose civil or criminal penalties. In circumstances where the entity does not or cannot satisfactorily resolve the matter within 30 days, OCR may impose a monetary penalty based on a tiered structure.
If the violation was unknowing, the civil monetary penalty is $100 per violation at a minimum or $50,000 per violation at a maximum. Violations resulting from reasonable cause range from $1,000 per violation to $50,000 per violation. Violations occurring because of willful neglect are the most severe. These types of violations will cost $50,000 per violation. Although if it is corrected within 30 days, OCR has discretion to impose a minimum penalty of $10,000 and a maximum of $50,000.3
Other Privacy Laws and Negligence
There is no private right of action under HIPAA, which means that a patient cannot sue a provider or facility for noncompliance, only the government can bring the legal action. However, under state privacy laws, some states do allow patients to sue for breach of doctor-patient confidentiality or invasion of privacy, and negligence for releasing medical information without consent under state law. In this regard, it is vital to remember that HIPAA is the “floor,” not the “ceiling” – states are permitted to enforce stricter requirements than the federal law.
It is important to be aware of the age of consent of minors who are undergoing behavioral health treatment. State laws on age of consent vary and some states have an age of consent of 13 whereas others have an age of consent of 18.
What Constitutes Authorization?
The patient or the patient’s authorized representative must give consent any time there is a request for his or her medical records that is not for purposes of medical treatment, payment or administration. There are, of course, exceptions for when the law requires disclosure, for example in instances of suspected abuse of a child, elder or disabled person. An authorized representative is someone who may legally act on the patient’s behalf. For example, a legal guardian, parent, or someone who holds power of attorney for healthcare purposes may also give valid consent. If the patient is deceased, healthcare providers are still required to protect that patient’s PHI, and depending on your state’s specific laws, the executor of the decedent’s estate may give authorization. However, it is important to be aware of your state’s rules prior to disclosure to any family member. Ensure that all staff who facilitate these requests are trained and that they ask for verification of the requester’s identity or status as an authorized representative, in order to ensure these requests are legitimate. If you are unsure, consult with your local attorney or risk management professional with questions regarding whether it is permissible to release a patient’s requested mental health records.
HIPAA requires that all authorization for the release of a patient’s PHI must be in writing. In order to authorize the release of records, the patient or authorized representative must sign a HIPAA compliant form that includes:
- Identification information: Information such as the patient’s full name, date of birth, address, phone number, that can be used to identify him or her.
- Who is authorized to receive the records: The name of the authorized person or entity who may receive the information.
- What PHI may be disclosed: Perhaps only specific test results, histories, or reports. Patients may also choose to simply authorize the entirety of their records.
- The purpose for which the PHI may be disclosed: Such as “for assessment of worker’s compensation claim.” The patient may also choose not to authorize by specific purpose and may make a statement such as “for individual use or request.”
- A date by which the form expires: Some patients will choose to have their authorization expire at a particular date, “June 1, 2017” or a particular event, “until the patient gives birth.” In addition, some states may institute a maximum time limit that an authorization for release can be valid.
When Patient Information is Requested
Medical offices handle requests for patient information frequently. While these requests are often assumed to be “business as usual” for many providers, it is important to keep in mind the legal and regulatory requirements when receiving a request for the PHI of any patient and to set up policies and procedures for staff members who are often tasked with fielding them. Keep in mind that both providers independently and the facility as a whole can face liability for the actions of non-professional employees. Most importantly, when fielding these communications it is crucial to ascertain who is making the request and for what purpose. Requests for your patient’s psychiatric records may come from a variety of sources, including:
- Other healthcare organizations: Many patients expect that their health records will be used as necessary to properly administer healthcare. Due to this need and expectation, HIPAA allows for the automatic disclosure of PHI between HIPAA covered entities that request the information for purposes of “treatment, payment, or health care operations.”4 Again, however, it is important to be aware of any restrictions that your state’s laws may have regarding the sharing of behavioral health records.
- Attorneys that represent your patient: When a patient is involved in litigation, in perhaps an auto accident, for example, his or her attorney may request the patient’s medical records in order to assess the case. If an attorney requesting the patient’s information represents him or her, then the patient most likely wants the information disclosed to that attorney, right? Not necessarily. It is important to remember that this does not circumvent the requirement for authorization described above. The patient must specifically authorize his or her attorney to receive disclosures. HIPAA and state privacy laws also prohibit you from having conversations (however casual) with unauthorized persons about the patient’s condition.
- Attorneys that represent you or your facility/clinic: If you or your facility/clinic is involved in any litigation as either the plaintiff or the defendant, the law permits disclosure to your attorney. Those communications are also covered under attorney-client privilege. When a HIPAA covered entity is party to litigation, that entity may disclose PHI without the patient’s authorization for the purposes of that litigation.5
- Attorneys that do not represent you or your patient: Perhaps your patient is involved in a custody dispute or has filed a workers compensation claim. Attorneys representing other parties may contact your office for medical records in these types of cases. These types of disclosures are impermissible unless your patient specifically authorizes them. It is also improper to disclose anything identifying at all to the requester even when denying their request in casual telephone conversations. However, an entity may disclose information pursuant to a valid subpoena, court order, or discovery request. If you receive such a request, consult with your local attorney or risk management professional prior to releasing records.
The legal requirements for medical record disclosure can be complicated and the penalties for noncompliance are steep. Whenever you are in doubt of how to comply with HIPAA or other privacy laws, consult with either a local attorney familiar with HIPAA and state privacy laws, or a risk management professional.
1 45 C.F.R. §160.103.
2 For more specific information that is not included in the definition of “psychotherapy notes” see 45 CFR 164.501.
3 The American Medical Association. HIPAA Violation and Enforcement,, https://www.ama-assn.org/practice-management/hipaa-violations-enforcement.
4 45 CFR 164.501; Uses and Disclosures for Treatment, Payment, and Health Care Operations, https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/disclosures-treatment-payment-health-care-operations/index.html.
5 This exception arises from the “health care operations” exception in 45 CFR 164.501 that includes activities of conducting or arranging for legal services.