Position Statement 27: Standards For Management of and Access to Consumer Information
Mental Health America (MHA) supports careful implementation and clarification of the standards of confidentiality incorporated in the Health Information Portability and Accountability Act of 1996 ("HIPAA"), with the following additions: flexibility in emergency situations; requirement of minor assent as well as parental consent; appointment of a guardian when needed; mandatory reporting of child and elder abuse; lack of confidentiality in custody disputes; exceptions for court orders; and special protection of treatment records of HIV infection. MHA believes that, in an integrated system, mental health and substance abuse records should be treated with the same care and confidentiality as other medical records.
Background and Call to ActionConsumers, families, clinicians and treatment facilities are legitimately concerned that confidentiality be protected when mental health treatment is provided. Automated record keeping, advancements in information system technology, and the growing need for communication among multiple parties under complex administrative arrangements such as managed care have made this a difficult task. With the passage of HIPAA, P.L. 104-191(1996), 29 U.S.C. §1181, 42 U.S.C. §1320, 1395, and associated rulemaking by the Department of Health and Human Services, 45 C.F.R. §§160-164, many of the necessary privacy and security protections have been codified in federal law.
The HIPAA Privacy Rule regulates the use and disclosure of information held by Covered Entities (generally, health care clearinghouses, employer sponsored health plans, health insurers, and health care providers). It establishes regulations for the use and disclosure of Protected Health Information (PHI). PHI is any information held by a Covered Entity which concerns health status, provision of health care, or payment for health care that can be linked to an individual. The HIPAA Security Rule complements the Privacy Rule. While the Privacy Rule pertains to all PHI including paper and electronic PHI, the Security Rule deals specifically with Electronic Protected Health Information (EPHI). It lays out three types of security safeguards required for compliance: administrative, physical, and technical. These standards are easily accessed by internet.
In accordance with HIPAA statute, MHA recommends that all health care plans and health care providers carefully implement and clarify the following standards. The goal is to ensure that HIPAA provides consumers with maximum protection of privacy while simultaneously enhancing the quality of consumer care and alleviating unreasonable burdens on consumers, families, clinicians and health care administrators.
Mental Health America supports careful implementation and clarification of the following HIPAA standards:
Notice of Privacy Standards. Under HIPAA, health care plans and health care providers must notify consumers of their rights and how and with whom their personal medical information can be shared. MHA urges that such notifications occur before service delivery, if possible, and be in plain and simple language. In addition, requests for restrictions on the disclosure of personal information beyond what is covered by HIPAA should be honored.
Written and Enforced Privacy Standards. Under HIPAA, health care plans, health care providers and business associates with access to consumer information must have written privacy standards. These standards must include descriptions of staff with access to confidential information, how consumer information will be used and when and to whom it may be released. All health care employees and business associates must be trained in privacy procedures and must designate individuals to oversee internal compliance of privacy standards.
Limits on the Sharing of Personal Medical Information.Under HIPAA, personal health information may not be used for purposes unrelated to health care. MHA urges health care providers to share only the minimum amount of protected information that should be shared to ensure the highest quality care for the consumer. Under HIPAA, consumers must sign a specific authorization before a health care provider may release protected information to a life insurer, bank, marketing firm or any other agency for purposes unrelated to health care. In addition, MHA advises that a consumer’s request that information not be shared with certain people, groups, or companies within the health care industry be honored.
Under HIPAA, when information is released, it must be documented with notation of the date, circumstances of disclosure, the specific information released, the names of individuals to whom the information was disclosed and the name of the individual who disclosed the information. Consumers have the right to request and receive a list of all parties with whom their personal information has been shared.
Standards for Electronic Communications. MHA advocates that all health care entities comply with HIPAA privacy standards and take every precautionary measure possible when engaging in electronic maintenance or transmission of health information, while simultaneously ensuring the highest quality care and rapid, fully-informed service delivery for the consumer.
Right to Privacy in Correspondence. Under HIPAA, consumers have the right to specify where and how they are contacted, and providers and health insurers must comply as long as the request is reasonable. MHA urges providers and insurers to respect the right of consumers to have their privacy protected in this way.
Right to File Complaints. Under HIPAA, consumers have the right to file a formal complaint with their provider, health insurer or the United States Health and Human Services Department’s Office for Civil Rights if they believe their information was shared in a way that is not permitted under HIPAA. MHA believes that information about filing complaints should be included in each health care provider’s notice of patient privacy practices. Prompt action should be taken, and consumers should be permitted a fair hearing on all complaints.
Access to Health Records. Under HIPAA, consumers have the right to ask for, see and receive free copies of their medical records and other personal health information in a timely manner. At the time of admission for treatment or services, health care providers must present consumers with a written policy on access to health records. In addition, MHA believes that consumers should have their health records explained to them by their physician or health care provider.
Corrections to Health Information. Under HIPAA, consumers can request to change or add information to their file if it is incorrect or incomplete. If a health care provider does not fulfill such a request, the disagreement must be permanently noted in the consumer’s file.
Comprehensive and Frequent Examination of HIPAA Implementation. Standards and protocols should be in place in all health care facilities, ensuring compliance to HIPAA standards in a timely and efficient manner, identifying barriers to enhanced patient care, and examining areas for future improvement.
Enforcement and Criminal Penalties. Civil and criminal penalties, as delineated in HIPAA, should be enforced against health care providers that misuse personal health information.
Standards for Special Circumstances Regarding Sensitive Consumer Information:
In addition to HIPAA statute, states have some flexibility in special circumstances. Though states vary according to state-specific statutes and regulations, MHA recommends the following standards to ensure that consumers’ best interests are protected:
Medical Emergencies. Information should be available to health care personnel for the purpose of treating a condition that poses an immediate threat to the health of the consumer or others.
Minors. Involvement of children, youth and their families in their care is essential. Therefore, the signatures of both the minor and a parent/guardian should be required on the disclosure/assent/consent form unless state law authorizes treatment without parental consent.
Consumers Who Are Legally Incompetent. A legal guardian should be appointed to make decisions concerning release of confidential information for consumers who are legally incompetent.
Child and Elder Abuse and Neglect. All states require the reporting of suspected child and elder abuse or neglect without consumer or parent/guardian consent. If information requested as a follow-up to the initial report requires consent from a person who may be subject to prosecution, a court order should be obtained.
Custody Disputes. For evaluations of children for custody decisions, clinicians should explain to each parent that confidentiality is waived for communications with the court.
Court Orders. The courts may authorize disclosure of confidential information where there exists good cause, as delineated in court rules and procedures. For court orders authorizing disclosure for other than criminal purposes, the consumer should receive formal notice of the request and an opportunity to respond. The judge should weigh the need for disclosure against the potential harm to the consumer and to the clinician-consumer relationship and its impact on the treatment process. The order should limit disclosure to information essential to the demonstrated purpose, and provide protection against future public scrutiny, such as by sealing court records.
Consumers with HIV and Other Infectious Diseases. Clinicians may be required to report such cases to public health authorities, but only a few states require reporting the consumer’s name. Health care providers should be aware of the requirements in their state and only provide the necessary information
Psychiatric Advance Directives. Individuals should have the right to release HIPAA protected information to their designated health care proxies and in their psychiatric advance directives.
Cultural and Linguistic Competency. Information should be transmitted in language that is understandable to the child, youth and family, taking account of literacy and English language proficiency.
The Mental Health America Board of Directors approved this policy on December 5, 2009. It will remain in effect for five (5) years and is reviewed as required by the Public Policy Committee.
Expiration: December 31, 2014
- Consumers can find more information about filing a complaint at http://www.hhs.gov/ocr/hipaa or by calling (866) 627-7748.
- Mental health providers are required to disclose creditable threats of harm. Tarasoff v. Regents of the University of California, 17 Cal. 3d 425, 131 Cal. Rptr. 14, 551 P. 2d 334, 83 ALR 3d 1166 (1976)