Office for Civil Rights

OCR’s Guidance on the HIPAA Privacy Rule and Sharing Information Related to Mental Health and Recent OCR Activities

Sherri Morgan, JD, MSW and Marissa Gordon-Nguyen, JD, MPH
Health Information Privacy Specialists
U.S. Dept. of Health & Human Services, Office for Civil Rights
November 12, 2014

Topics Covered

• Mental health guidance
  – Background
  – Family and Friends
  – Health and Safety

• Other recent guidance and outreach

• Enforcement updates

HIPAA Privacy Rule and Sharing Information Related to Mental Health

• Context for guidance includes President’s Executive Actions on Reducing Gun Violence and Congressional inquiries.

• Guidance clarifies how the Privacy Rule applies in certain situations to the disclosure of protected health information (PHI) of a patient who is being treated for a mental health condition.

• Does not create a new rule or amend existing standards.

OCR Guidance on Sharing Information Related to Mental Health

Available at:

http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/mhguidance.html

Background

• Strong privacy protections are critical for maintaining individuals’ trust in health care providers and willingness to access treatment, particularly for mental health conditions.

• At times, sharing health and mental health information is needed to enhance treatment and for the health and safety of the patient or others.

• The HIPAA Privacy Rule is balanced to protect privacy and allow uses and disclosures of information for treatment and certain other purposes.

HIPAA Protections for Mental Health Information

• HIPAA generally applies uniformly to all PHI, including mental health information.

• An exception exists for psychotherapy notes, which receive special protections.

• Psychotherapy notes:
  1. document or analyze the content of a counseling session;
  2. are maintained separately from the rest of the medical record; and
  3. do not include medications, session start and stop times, treatment modalities and frequencies, clinical test results, and certain summary clinical information.

45 CFR § 164.508(a)(2)—Protections for psychotherapy notes

Psychotherapy Notes – Access and Disclosure

• Patients and personal representatives do not have a right to access psychotherapy notes under HIPAA.

• Generally, separate written authorization is required to disclose psychotherapy notes to a third party.

• Exceptions (subject to minimum necessary): authorization is not required to disclose psychotherapy notes to prevent or lessen serious and imminent threats, as required by law (e.g., for mandatory reporting such as reporting of abuse), for mental health training, for defending a lawsuit, to coroners and medical examiners, for OCR to determine compliance, or for oversight of the originator of the notes.

Sharing Information with Family and Friends

• 45 CFR § 164.510(b)—Uses and disclosures of PHI requiring an opportunity for the individual to agree or object

• 45 CFR § 164.502(g)—Personal representatives of adults and minors

• 45 CFR § 164.524(a)(1)(i)—No right to access psychotherapy notes

Communications with Family, Friends and Others Involved in a Patient’s Care—Individuals Who are Present and Have Decision Making Capacity

• Must give patient opportunity to agree or object:
  – Ask patient’s permission
  – Inform patient of intent to inform family or friends and give opportunity to object
  – Infer from circumstances, using professional judgment, that patient does not object

• May disclose only the PHI directly relevant to person’s involvement in patient’s care/payment for care

45 CFR § 164.510(b)

Communications with Family, Friends and Others Involved in a Patient’s Care—Individuals with Decision Making Capacity Who Object

Exception for Threats to Health or Safety

• If a patient with capacity objects to disclosure, the provider may only disclose if:
  – Doing so is consistent with applicable law and standards of ethical conduct; and
  – Provider has a good faith belief that patient poses a serious and imminent threat to self or others, and family member or friend is reasonably able to prevent or lessen that threat.
  – See 45 CFR 512(j)

Examples of Sharing Patients’ PHI With Family

Permissible, where patient does not object:
• A psychiatrist discusses with a patient’s sister who is present at an appointment, the drugs the patient needs to take
• A mental health clinician gives information to a patient’s spouse about warning signs that may signal a developing mental health emergency

Impermissible:
• A nurse discusses a patient’s mental health information with the patient’s brother after the patient stated she does not want family to know about her condition.

Communications with Family, Friends and Others Involved in a Patient’s Care—Individuals Not Present or Without Decision Making Capacity

• Health care provider determines, based on professional judgment, that sharing information is in best interests of the patient

• May disclose only the PHI directly relevant to person’s involvement in patient’s care/payment for care

45 CFR § 164.510(b)(3)

Mental Condition May Constitute Incapacity

• Incapacity may be temporary or long-term.

• If a patient does not have capacity to agree or object due to current mental state, the provider may disclose limited information to family and friends if provider determines, based on professional judgment, that disclosure is in the patient’s best interests, taking into account the patient’s prior expressed preferences and circumstances of the current situation.

• Once patient regains capacity, provider should offer patient opportunity to agree or object to any future sharing of information.

Disclosing Patients’ Medication Non-compliance

• Rules on sharing information with family and friends generally apply.

• Permission to disclose a serious and imminent threat may apply, depending on the circumstances.

Options for Concerned Family and Friends

• HIPAA protects the confidentiality decisions of patients if they choose not to allow disclosure of mental health information to family and friends.

• HIPAA doesn’t prevent providers from listening to family members or other caregivers who may have concerns about the health and well-being of the patient.
  – If patient later requests access to record, provider may withhold from the patient information that was shared by another person under a promise of confidentiality, if disclosing the information would reveal its source.

45 CFR § 164.524(a)(2)(v)

Related OCR Resources

Fact Sheet for Providers on Disclosures to Family Members and Friends
www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/provider_ffg.pdf

Parents and Minors

• Generally, parents are the personal representatives of their minor children for HIPAA purposes, and providers may share patient information with a patient’s personal representative.

• However, there are certain exceptions, e.g., where a minor may obtain certain health care services without parental consent under State or other law.

• HIPAA defers to state law to determine age of majority.

See OCR Guidance on Personal Representatives, http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/personalreps.html

45 CFR § 164.502(g)

Disclosures for Health and Safety Purposes

• 45 CFR § 164.512(j)—Disclosures to prevent or lessen a serious and imminent threat to health or safety

• 45 CFR § 164.512(f)(2)—Disclosures to locate or identify suspects, fugitives, material witnesses, or missing persons

• 45 CFR § 164.512(f)(1)—Disclosures to law enforcement pursuant to court orders, warrants, and subpoenas; and administrative requests

• 45 CFR § 164.512(a), (c)—State and other law mandatory disclosures (e.g., abuse, domestic violence injuries, etc.)

Dangerous Patients and Public Safety Disclosures

• Disclosures are permitted to law enforcement, family, friends or others who are in a position to avert the threatened harm—when disclosure “is necessary to prevent or lessen a serious and imminent threat to the health or safety of the patient or others.”

• Disclosures must be consistent with applicable law and standards of ethical conduct.

• See Letter to Nation’s Health Care Providers (1/15/2013) www.hhs.gov/ocr/office/lettertonationhcp.pdf

45 CFR 164.512(j)

Temporary Psychiatric Holds

A health care facility may notify law enforcement that a psychiatric patient has been released from the facility in response to:
• Law enforcement requests, if the patient is a suspect, fugitive, material witness (only certain information may be disclosed)
• Court orders, warrants, judicial subpoenas, written administrative requests
• Mandatory reporting requirements
• Serious and imminent threats

45 CFR § 164.512

Dually-diagnosed Patients with Drug or Alcohol Abuse

42 CFR Part 2 Programs

• Concurrent diagnosis for a mental health disorder and drug or alcohol abuse is not uncommon.

• Providers in federally assisted drug and alcohol abuse treatment programs are subject to 42 USC § 290dd-2 and 42 CFR § 2.11, et seq. (“Part 2”).

• Part 2 confidentiality rules are more stringent than HIPAA and may apply in dual diagnosis cases, if treatment is in a Part 2 program.

School Personnel Notifications to Parents or Law Enforcement

• FERPA, not HIPAA, generally applies to schools’ information about students.

• OCR Guidance on FERPA and HIPAA http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/hipaaferpajointguide.pdf

Additional Resources and Guidance

Understanding Spouse, Family Member, and Marriage

OCR Guidance on HIPAA and Same-sex Marriage

• Part of HHS implementation of the United States v. Windsor decision

• 45 CFR § 160.103 Definitions

• Spouse – includes individuals who are in a legally valid same-sex marriage celebrated in a state, territory or foreign jurisdiction.

• Marriage – includes both same-sex and opposite-sex marriages

• Family member – includes dependents of a same-sex marriage

Same-sex Marriage Guidance Applied

• Definition of “family member” is relevant to:
  – § 164.510(b) – uses and disclosures of PHI to persons involved in the individual’s care or payment for care, and for notification purposes.
  – § 164.502(a)(5)(i) – prohibition against uses and disclosures of genetic information for underwriting purposes. Applies to genetic tests of a family member of the individual or the manifestation of a disease or disorder in a family member of the individual.

• Available at http://www.hhs.gov/ocr/privacy/hipaa/understanding

OCR RULEMAKING UPDATE
What’s Done? What’s to Come?

• What’s Done:
  – Interim Final Rules
    • Enforcement penalties
    • Breach Notification
  – Omnibus Final Rule
    • HITECH provisions, including final rulemaking on IFR above
    • GINA provisions
    • Other rule changes
  – NICS NPRM
  – CLIA Final Rules
    • Access to test results directly from labs

• What’s to Come:
  – From HITECH
    • Accounting of Disclosures
    • Methods for sharing penalty amounts with harmed individuals
  – NICS Final Rule

Notice of Privacy Practices

http://www.hhs.gov/ocr/privacy/hipaa/modelnotices.html

Public Outreach Initiatives

Medscape Resource Center:

http://www.medscape.org/sites/advances/patients-rights

Public Outreach Initiatives

Medscape Training Videos:

http://www.medscape.org/viewarticle/810563

http://www.medscape.org/viewarticle/810568

Mobile Devices

http://www.healthit.gov/mobiledevices

What’s to Come

More Guidance:
• Business Associates
• Breach Notification Rule
• Security Rule
• Cloud
• Individual Rights
• Minimum Necessary
• Emergency Situations
• Other Privacy Rule Topics

More Training:
• Online Training Modules

Audit Program

Enforcement Information

500+ Breaches by Type of Breach, as of 9/2014

• Theft: 47%
• Loss: 11%
• Unauthorized Access/Disclosure: 18%
• Hacking/IT Incident: 8%
• Improper Disposal: 4%
• Other: 10%
• Unknown: 2%

500+ Breaches by Location of Breach, as of 9/2014

• Paper Records: 21%
• Desktop Computer: 14%
• Laptop: 23%
• Portable Electronic Device: 11%
• Network Server: 12%
• Email: 5%
• EMR: 3%
• Other: 11%

Breach Highlights

September 2009 through September 2014

• Approximately 1,113 reports involving a breach of PHI affecting 500 or more individuals
  – Theft and loss are 58% of large breaches
  – Laptops and other portable storage devices account for 34% of large breaches
  – Paper records are 21% of large breaches

• Approximately 120,000+ reports of breaches of PHI affecting less than 500 individuals

Lessons Learned

Appropriate Safeguards Prevent Breaches

• Evaluate the risk to e-PHI when at rest on removable media, mobile devices and computer hard drives

• Take reasonable and appropriate measures to safeguard e-PHI
  – Store all e-PHI to a network
  – Encrypt data stored on portable/movable devices & media
  – Employ a remote device wipe to remove data when lost or stolen
  – Train workforce members on how to effectively safeguard data and timely report security incidents

Recent Enforcement Actions

Lessons Learned:

• HIPAA covered entities and their business associates are required to undertake a careful risk analysis to understand the threats and vulnerabilities to individuals’ data, and have appropriate safeguards in place to protect this information.

• Take caution when implementing changes to information systems, especially when those changes involve updates to Web-based applications or portals that are used to provide access to consumers’ health data using the Internet.

• Senior leadership helps define the culture of an organization and is responsible for knowing and complying with the HIPAA privacy and security requirements to ensure patients’ rights are fully protected as well as the confidentiality of their health data.

Q & A

• Sherri Morgan, JD, MSW
  Health Information Privacy Specialist
  HHS, Office for Civil Rights

• Marissa Gordon-Nguyen, JD, MPH
  Health Information Privacy Specialist
  HHS, Office for Civil Rights