How HIPAA Applies to Mental Health Care

HIPAA, the Health Insurance Portability and Accountability Act, is the federal statute that protects the privacy of medical information. It also makes lets workers to transfer family health insurance from one employer to the next without preexisting condition penalties.

Does HIPAA Treat Mental Health Records Differently Than Other Medical Records?

Generally, the answer is “no.” The HIPAA statute is designed to protect personal medical information, so that the information cannot jeopardize employment opportunities or have other negative impacts on lives. For that reason, all health care information is protected by the statute.

When Does HIPAA Allow Disclosure of Mental Health Information to Family and/or Others Involved in the Care of the Patient?

Competent Adults: If the patient is a competent adult, the health care provider must have the permission of the patient before disclosing mental health information to family or caregivers. A signed authorization is not required. It is sufficient if the patient gives verbal permission. Often, the provider will tell the patient that he or she intends to discuss a relevant issue with the family. If the patient does not object, the Federal Office of Civil Rights (OCR) rules allow the provider to disclose the information. If the patient objects to disclosure and insists on privacy, the provider may not disclose.

Incapacitated Adults: When the patient is incapacitated, the provider must decide, based on their best professional judgment, if the disclosure of protected information is in the best interests of the patient. Even then, the provider may only disclose information they consider necessary and relevant to the issue under discussion.

Non-Medical Information: If a competent adult patient objects to the health care provider talking to family members or others, there is little information providers can share. Both HIPAA and ethical rules make patient privacy the highest importance. Providers cannot tell family how the patient feels. They cannot discuss treatment or progress. They cannot even tell the family when the patient was admitted or when they will be discharged. They cannot share financial information, the address of the patient, or employment information.

What is considered incapacity?

Mental illness is deemed to be incapacitating under several circumstances. Examples include: a serious head injury, a stroke, a drug overdose, or a severe psychotic episode.

• When a patient is unconscious, they are not able to make medical decisions. In that event, the mental health or medical provider is allowed to discuss the medical condition as well as treatment options with family members, guardians, caregivers, or the individual with a medical power of attorney.
• The patient is also incapacitated if they are suffering from an acute psychotic episode or are under the influence of drugs or alcohol. Once the drugs or alcohol intoxication wear off and the patient regains the capacity to make decisions, the implied consent is rescinded, and the capacity rules apply. 

Who is considered a personal representative of the patient?

Alert competent adults are their own personal representative. When patients are unable to make their own health care decisions because of mental incompetence, drug or alcohol overdose, or lack of consciousness, their appointed guardian or the holder of their medical power of attorney will be considered the personal representative of the patient. Parents or guardians of minors are considered the personal representative for medical decisions.

What if the patient does not have a personal representative?

If an incompetent person does not have a medical Power of Attorney or guardian, family members can apply with the courts to be appointed guardian. If the person is a homeless person or someone who does not have interested family, the medical facility will notify adult protective services. The agency will either involve the family or the state will handle the guardianship issue.

Adult Guardianship Information and Forms

What options do family members have when an adult patient with mental capacity refuses to allow them access to information?

Families of mental health patients often face this dilemma. They want to help, but the patient unwilling to allow the mental health care provider to share any information with family. Under the law, the only time the provider is authorized to disclose information to family is when the “the provider perceives a serious and imminent threat to the health or safety of the patient or others and the family members are in a position to lessen the threat.” (Office of Civil Rights). If a family member discloses private information about the patient to the provider and asks the provider to keep the information confidential, the provider may not legally share the information with the patient. While the patient does have a right to see and get copies of his or her medical records, confidential information disclosed by family members can be withheld. 45 C.F.R. § 164.512(j).

Can Providers Disclose Confidential Information to the Parents of a Minor?

Parents, guardians, and persons acting in loco parentis are considered by the law to be the “personal representative” of the minor child. Generally, the HIPAA privacy rules allow the provider to share patient information with parents or with those in the parent role. There are exceptions to the general rule. Federal law defers to state law to determine when parents are entitled to information.

1. When state law allows a minor to consent to a specific medical procedure. If the minor consents, the parent or guardian has no right to be informed.
2. When a parent agrees to a minor having a confidential relationship with a counselor or other provider. In that circumstance, the provider has no right or obligation to disclose information to the parents.
3. When the parent or guardian is abusive. If abuse or neglect is alleged or suspected, a provider can refuse to provide the parent with information. Legally, the provider decides the parent or guardian is not the personal representative of the child, and, therefore, is not entitled to information.

What About Disclosure of Psychotherapy Notes?

Psychotherapy notes are protected under the law. They are not considered medical records but are the private notes of the therapist. HIPAA defines psychotherapy notes as “notes recorded by a health care provider who is a mental professional documenting or analyzing the contents of a conversation during a private counseling session or a group, joint, or family counseling session and that are separate from the rest of the patient’s medical record.” Psychotherapy notes do not include medication orders and records, clinical and laboratory tests, or any records contained in a patient’s regular medical chart. Psychotherapy notes are not shared with family. Even parents of a minor child cannot require a therapist to share his or her psychotherapy notes of sessions with their child.

What Information is Available for Family Members of Someone Under Involuntary Psychiatric Commitment?

Just because a patient is involuntarily committed to a psychiatric facility does not mean the patient is incompetent to make decisions about disclosure of information. HIPAA does allow facilities to disclose relevant information to help families locate a loved one under commitment. Beyond basic location information, the general HIPAA rules apply. Patients who are conscious, present, and have not been declared incompetent by a court of law have the option to decide whether to share information with family and friends.

What Happens When the Doctor Thinks the Patient May Injure Himself or Others?

HIPAA and state law make exceptions to privacy rules when the health care provider believes the patient is a risk for harming himself or others. If there is an imminent risk of serious harm to the patient or to other people, the provider may contact family and/or law enforcement and report the concerns. In fact, Arizona health care providers are specifically required to report concerns if a patient poses an imminent risk to others. A.R.S. § 36-517.02 requires a report made to law enforcement and all reasonable precautions be taken to avoid the harm. That may include notifying law enforcement when the patient is discharged.

How is HIPAA Enforced?

The OCR at the Department of Health and Human Services is the agency responsible for enforcing HIPPA rights. The OCR publishes rules and guidelines to instruct health care providers on their duties and obligations under the statute. HIPPA violations are investigated by the OCR. Significant or systematic violations may be referred to the United States Department of Justice for criminal prosecution.

How does HIPAA Interact with Arizona Law?

Arizona law and HIPAA generally complement one another. A.R.S. § 36-509 parrots some of the provisions seen in HIPAA. In 2016, the Arizona Legislature passed SCR 1005, the Caregiver Bill of Rights which is intended to delineate the legislature’s support for families and caregivers of patients with serious mental illness. It is a resolution, not a law. SCR 1005 is aspirational in nature. It states that the Arizona Legislature recognizes that family members and caregivers need to communicate with doctors and nurses caring for their loved one; that they deserve access to information. However, the resolution does not trump HIPAA or A.R.S. § 36-509. The patient’s right to privacy is the paramount consideration. 

Resources

United States Department of Health and Human Services - Frequently Asked Questions About Mental Health

United States Department of Health and Human Services - When can I obtain treatment information about my loved one?

United States Department of Health and Human Services - How OCR Enforces the HIPAA Privacy & Security Rules

National Alliance on Mental Illness - Understanding What HIPAA Means for Mental Illness