Under HIPAA, there are mandatory disclosures (which do not require patient consent). These are limited to disclosures to patients themselves and also disclosures to the Secretary of HHS, when the Secretary seeks information to investigate or determine a provider’s compliance with HIPAA. (In comparison, Federal confidentiality regulations do not provide for any mandatory disclosures but permit disclosures to the client himself or herself.)
Disclosures that do not require client authorization (consent).
HIPAA requires that when a healthcare provider discloses protected health information to or requests information from another covered healthcare provider, it make “reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure or request”, unless the disclosure or request is for the purpose of treatment. The regulations discourage disclosure of the client’s entire record. The minimum necessary rule does not apply when disclosure is made to the individual, for the purpose of treatment, pursuant to an authorization or as required by law.
The authorization provision is similar to the confidentiality rules’ consent provision, however, is somewhat more restrictive; revocation of consent need not be in writing and re-disclosure is prohibited. The only element HIPAA adds to the requirements of 42 CFR Part 2 is the statement concerning the program’ s ability or inability to condition treatment on the patient’s signing the authorization form. Because federal rules are more restrictive, programs must continue to follow the federal confidentiality regulations’ consent rules.
HIPAA gives special protection to “psychotherapy notes” which it defines as notes “recorded (in any medium) by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during private counseling session or a group, joint or family counseling session and that are separated from the rest of the individual’s medical record”. Psychotherapy notes are process notes that capture the therapist’s impressions about the patient, contain details of the psychotherapy conversation considered to be inappropriate for the medical record and are used by the provider for future sessions. They do not include summary information, such as the current state of the patient, symptoms, the theme of the psychotherapy session, diagnoses, medications prescribed, side effects or any other information necessary for treatment or payment. Summary information should be placed in the patient’s medical record.
The originator of the psychotherapy notes can use them without the patient’s authorization. The program may use or disclose the notes (1) for its own training programs in which students or practitioners in mental health learn under supervision to practice or improve their skills and (2) to defend itself in a legal action. Programs may disclose psychotherapy notes when the Secretary of HHS requires it as a part of an investigation or the program’s compliance with HIPAA and in Tarasoff situations. Programs must obtain the client’s authorization (consent) to make any other disclosure of psychotherapy notes.
NOTE: Programs subject to both HIPAA and the Federal alcohol and drug confidentiality regulations must comply with the more stringent standard.