Many proponents of integrated behavioral care feel that maintaining a single medical chart is essential for intra-agency collaboration, but a myriad of regulations, along with, in some instances, privacy concerns of behavioral health clientele, have made this option complex.
Because federal and state laws governing confidentiality of medical records for California are complicated and sometimes contradictory, we will not offer conclusions here, but will simply reference applicable statutes and regulations. The only advice we can proffer is that, as a general rule, the best approach is to obtain clients’ consent before any disclosure is made.
To shed light on this complex area, we have included an article regarding medical records confidentiality requirements for primary care clinics in California by health care attorney Elizabeth Saviano. Another guide for healthcare information-sharing has been developed by the Pennsylvania Department of Public Welfare. Inclusion of these resources in this website should not imply endorsement by IBHP of their contents; rather, we are furnishing them simply for informational purposes, to respond to the great demand for information in this area. California clinics are advised to check with their own legal counsel about adherence to state and federal requirements and/or purchase the Mental Health Law Manual, a comprehensive analysis of these issues by the California Hospital Association.
Bi-Directional Exchange of Information (between primary care and mental health agencies): In 2011, Kathy Reynolds, then Executive Director of the SAMHSA-HRSA Center for Integrated Health Solutions, offered this advice:
The Health Insurance Portability and Accountability Act (HIPAA) does allow the sharing of information between organizations for the purpose of healthcare coordination. In order to feel comfortable with sharing information under HIPAA, partnering organizations often become Organized Health Care Delivery Systems (OHCDS). Section 160.103 of HIPAA describes this arrangement. Specifically the law allows:
“A clinically integrated care setting in which individuals typically receive health care from more than one health care provider or an organized system of health care in which more than one covered entity participates, and in which the participating covered entities:
- Hold themselves out to the public as participating in a joint arrangement; and
- Participate in joint activities that include at least one of the following:
  - Utilization review, in which health care decisions by participating covered entities are reviewed by other participating covered entities or by a third party on their behalf;
  - Quality assessment and improvement activities, in which treatment provided by participating covered entities is assessed by other participating covered entities or by a third party on their behalf; or
  - Payment activities, if the financial risk for delivering health care is shared, in part or in whole, by participating covered entities through the joint arrangement and if protected health information created or received by a covered entity is reviewed by other participating covered entities or by a third party on their behalf for the purpose of administering the sharing of financial risk.”
To become an OHCDS, the respective chief executive officers send letters to each other confirming their intent to hold themselves out as an OHCDS and identifying the utilization review or quality assessment and improvement activities in which they will jointly participate. To solidify this arrangement, organizations then often change their privacy statements to reflect the OHCDS and may add language to all consents to treatment reflecting their partnerships and with whom they will be sharing healthcare information.
The Center for Integrated Health Solutions offers a wealth of information and advice about confidentiality and working with restrictions in sharing information between systems.
The following was provided by the U.S. Department of Health and Human Services, Office of Civil Rights about HIPAA [note that state statutes may be more restrictive]:
If the patient is present and has the capacity to make health care decisions, when does HIPAA allow a health care provider to discuss the patient’s health information with the patient’s family, friends, or others involved in the patient’s care or payment for care?
If the patient is present and has the capacity to make health care decisions, a health care provider may discuss the patient’s health information with a family member, friend, or other person if the patient agrees or, when given the opportunity, does not object. A health care provider also may share information with these persons if, using professional judgment, he or she decides that the patient does not object. In either case, the health care provider may share or discuss only the information that the person involved needs to know about the patient’s care or payment for care. Here are some examples:
- An emergency room doctor may discuss a patient’s treatment in front of the patient’s friend if the patient asks that her friend come into the treatment room.
- A doctor’s office may discuss a patient’s bill with the patient’s adult daughter who is with the patient at the patient’s medical appointment and has questions about the charges.
- A doctor may discuss the drugs a patient needs to take with the patient’s health aide who has accompanied the patient to a medical appointment.
- A doctor may give information about a patient’s mobility limitations to the patient’s sister who is driving the patient home from the hospital.
- A nurse may discuss a patient’s health status with the patient’s brother if she informs the patient she is going to do so and the patient does not object.
- BUT: A nurse may not discuss a patient’s condition with the patient’s brother after the patient has stated she does not want her family to know about her condition.
If the patient is not present or is incapacitated, may a health care provider still share the patient’s health information with family, friends, or others involved in the patient’s care or payment for care?
Yes. If the patient is not present or is incapacitated, a health care provider may share the patient’s information with family, friends, or others as long as the health care provider determines, based on professional judgment, that it is in the best interest of the patient. When someone other than a friend or family member is involved, the health care provider must be reasonably sure that the patient asked the person to be involved in his or her care or payment for care. The health care provider may discuss only the information that the person involved needs to know about the patient’s care or payment.
Here are some examples:
- A surgeon who did emergency surgery on a patient may tell the patient’s spouse about the patient’s condition while the patient is unconscious.
- A pharmacist may give a prescription to a patient’s friend who the patient has sent to pick up the prescription.
- A hospital may discuss a patient’s bill with her adult son who calls the hospital with questions about charges to his mother’s account.
- A health care provider may give information regarding a patient’s drug dosage to the patient’s health aide who calls the provider with questions about the particular prescription.
- BUT: A nurse may not tell a patient’s friend about a past medical problem that is unrelated to the patient’s current condition.

A health care provider is not required by HIPAA to share a patient’s information when the patient is not present or is incapacitated, and can choose to wait until the patient has an opportunity to agree to the disclosure.
Does HIPAA require that a health care provider document a patient’s decision to allow the provider to share his or her health information with a family member, friend, or other person involved in the patient’s care or payment for care?
No. HIPAA does not require that a health care provider document the patient’s agreement or lack of objection. However, a health care provider is free to obtain or document the patient’s agreement, or lack of objection, in writing, if he or she prefers. For example, a provider may choose to document a patient’s agreement to share information with a family member with a note in the patient’s medical file.
Exchange of Substance Use Information: Ms. Reynolds (see above) provided this information:
42 CFR Part II defines the parameters for sharing substance information for organizations that hold themselves out as substance abuse treatment providers. The Substance Abuse and Mental Health Services Administration’s Center for Substance Abuse Treatment actively addresses issues related to the sharing of substance abuse treatment information under 42 CFR Part II. However, if organizations enter into a Qualified Service Agreement (QSA), they are often required to share needed substance abuse information for healthcare coordination. The key resources to review as you develop your QSA include SAMHSA’s Frequently Asked Questions: Applying the Substance Abuse Confidentiality Regulations to Health Information Exchanges and The Confidentiality of Alcohol and Drug Abuse Regulation and the HIPAA Privacy Rule: Implications for Alcohol and Drug Abuse Programs- June 2004. The latter is a valuable review of the linkages between HIPAA and 42 CFR Part II and helps agencies understand the elements of a Qualified Service Agreement. George Washington University has prepared a comparative map showing requirements for the disclosure of substance abuse patient records with patient consent in all 50 states.
Information-Sharing at School-Based Health Centers: Information about confidentiality as it applies to school-based health centers can be found in the SCHOOL CONNECTION section of this website.
Applicable Federal Statutes
Health Insurance Portability and Accountability Act of 1996 (HIPAA), Standards for Privacy of Individually Identifiable Health Information (45 CFR Parts 160 and 164) covers all health recording, including mental health, and gives enhanced protections for psychotherapy notes.
42 CFR Part 2 is the federal statutory authority for confidentiality of alcohol and substance abuse patient records. In 2004, SAMHSA published an explanation of its confidentiality provisions and their implications for alcohol and substance abuse programs. More recent, readable and relevant is SAMHSA’s guide for Applying the Substance Abuse Confidentiality Regulations to Health Information Exchange, in the format of frequently asked questions.
For an official report on “Privacy Issues in Mental Health and Substance Abuse Treatment: Information Sharing Between Providers and Managed Care Organizations”, click here.
The Office of the National Coordinator for Health Information Technology has published a Guide to Privacy and Security of Health Information, which addresses confidentiality as it relates to IT systems, patients’ individual rights and provider responsibilities.
Governing California Statutes
The Confidentiality of Medical Records Act (CMIA), as delineated in California Civil Code 56 et seq., covers all California providers of health care and health care service plans, and specifies the conditions under which medical information can be disclosed. To access these statutes, click here.
The Lanterman Petris Short Act also specifies the conditions under which medical information may be released. For its provisions, check California’s Welfare and Institutions Code, particularly Section 5328, which can be found by clicking here.
Other applicable laws are found in the Information and Privacy Protection Act (Insurance Code Section 791 et seq.), and the Information Practices Act (Civil Code Section 1798 et seq.).
Another set of California laws, The Patient Access to Health Records Act, contained in Health and Safety Code Sections 123110 et seq., is discussed in the helpful Consumer Guide To Health Information Privacy in California promulgated by the California Office of Privacy Protection. Providers as well as clients may benefit by this easy-to-comprehend discussion of confidentiality laws.
The following is taken from footnotes in The Consumer Guide to Health Information Privacy in California. Note that requirements of the Welfare and Institutions Codes are omitted from reference:
- For notice, see HIPAA, 45 CFR § 164.520. Also on notice, see California Civil Code Section 1798.17, which applies to state agencies.
- For use and disclosure of health information for treatment, payment, or healthcare operations, see HIPAA, 45 CFR § 164.506, and California Civil Code Section 56.10 subdivision (c)(a).
- For disclosure limits, see HIPAA, 45 CFR § 164.502, and California Civil Code Section 56.10.
- For confidentiality of HIV test results, see California Health & Safety Code Sections 120975-121125.
- For confidentiality of psychiatric records, see California Civil Code section 56.104. Also see HIPAA, 45 CFR § 164.501 for definition of “psychotherapy notes” and 45 CFR § 164.508 subdivision (a)(2) for authorization requirements for use or disclosure of psychotherapy notes.
- For authorization, see HIPAA, 45 CFR § 164.508, and California Civil Code Section 56.11.
- For limits on use and disclosure for treatment, payment or healthcare operations, see HIPAA, 45 CFR § 164.522 subdivision (a).
- For confidential communications requirements, see HIPAA, 45 CFR § 164.522 subdivision (b).
- For disclosure to employers, see HIPAA, 45 CFR § 164.512 subdivision (b)(1)(v), and California Civil Code Section 56.20.
- For accounting of disclosures, see HIPAA 45 CFR § 164.528, and California Civil Code sections 1798.25 and 1798.28.
- For marketing use, see HIPAA 45 CFR § 164.508 subdivision (a)(3), California Civil Code Section 56.10 subdivision (d), California Health & Safety Code Section 123148, and California Insurance Code Sections 791.13 subdivision (k) and 791.05.
- For access to records, see HIPAA, 45 CFR § 164.524, California Health & Safety Code Section 123110 subdivision (a), and California Civil Code Section 1798.32.
- For copying records, see HIPAA, 45 CFR § 164.524, California Health & Safety Code Section 123110 subdivision (b), and California Civil Code Section 1798.33.
- For amending records, see HIPAA, 45 CFR § 164.526, California Health & Safety Code Section 123111, and California Civil Code section 1798.35.
- For complaints under HIPAA, see 45 CFR § 164.530 subdivision (d). HIPAA complaints must be filed with the Office of Civil Rights within 180 days of the date when the complainant knew or should have known of the violation (45 CFR § 160.306).
- For remedies for improper use of information by California providers, see California Civil Code Section 56.35; for violation of access rights, see California Health & Safety Code Section 123120 and for remedies for violations by state agencies, see California Civil Code Sections 1798.45-1798.57.
Colleen O’Donnell from the National Council for Behavioral Healthcare has provided an update on recent advances in sharing specially protected HIPAA protected health information (PHI) using national data and technology standards: “National standards impact every state HIE and every provider. They are being rapidly adopted by primary and specialty care providers all over the country. The privacy and security of PHI is central to the success of this effort.
This is a brief summary of the challenges being addressed:
- Keep in mind that HIPAA Protected Health Information (PHI) may be exchanged between HIPAA-covered entities without patient consent. However, if this HIPAA PHI happens to include information that has additional ‘special’ protections, patient consent or other special conditions may be required. This has prevented the full participation of many different types of specialty care providers in state and regional health information exchange.
- Within this subset of specially protected PHI, BH providers are usually most concerned about PHI that has 42 CFR Part 2 protections. This includes PHI that originates from a treatment “program” that may identify the individual as a patient of the treatment program (see the statutory definition for a treatment “program”). Controlling the re-release of this data in an electronic environment has been the sticking point.
- In addition to national-level regs, organizational policies that operationalize state regulations may require “heightened protections” for specially protected PHI.
Until recently, it has not been feasible to design EHRs that are able to manage the different types of specially protected health information for exchange and create interoperability. EHR vendors needed an approved national data and technology standard for this task. In May 2014, the Office of the National Coordinator for Health Information Technology (ONCHIT) Standards and Interoperability Framework approved this standard, expressed in the HL7 Implementation Guide for “Data Segmentation for Privacy” or DS4P. This functionality is being incorporated into EHRs now.
Until this functionality is widespread, exchanging HIPAA PHI that is ‘Specially Protected’ by 42 CFR Part 2 in particular can be achieved in one of two ways:
- Through Direct Secure Messaging (point-to-point transmission and receipt of the PHI data set national standards, the Clinical and Transition of Care Summaries). The organization would apply the same consent rules for exchanging PHI in other types of point-to-point transmission, such as fax and surface mail. There would only need to be some changes to procedures for the electronic environment.
  - Most primary care providers use the state HIE for HIPAA-protected PHI, and Nationwide Health Information Direct (NwHIN Direct) to exchange Specially Protected PHI. This is greatly simplified in Stage 1 2014 and Stage 2 certified EHRs, which fully integrate Direct secure messaging with the patient record.
  - A Direct secure messaging account can be obtained from the State Health Information Exchange, and is very inexpensive. The Direct secure messaging standard now plays a critical role in every state’s plan for Health Information Exchange.
- A plug-in that can be used today to parse PHI for 42 CFR Part 2 information, called Consent2Share (C2S). It is free online, and can be downloaded by the EHR vendor for use in their products. The value is that HIPAA information may be shared but specially protected information can be withheld.
Here is a link to some resources generated during a year-long project on state-level health information exchange of specially protected PHI. These resources illustrate avenues for meeting requirements through implementing national data and technology standards, all developed in consultation with the ONCHIT and SAMHSA.
And here is a link to a real-life implementation of the universal consent form developed by this group, operationalized by Rhode Island Behavioral Health.
The National Council has a few accessible webinars that deal with release and exchange of patient information, among them: Sharing Mental Health Information: New HIPAA Privacy Rule (2014) and Create a Culture of Wellness to Support Health Behavior Change (2013).
The 2014 Current State of Sharing Behavioral Health Information in Health Information Exchanges by the Center for Integrated Health Solutions outlines challenges and opportunities for sharing this information based on case studies in 11 states.
In the new national paradigm for health care (i.e., ‘Meaningful Use’), sharing PHI plays a central role. Keep in mind that rules and regulations on this are not intended to prevent the sharing of PHI; rather, they ensure specially protected PHI is shared appropriately.
For more information, go to: http://www.hhs.gov/ocr/hipaa
May a health care provider discuss a patient’s health information over the phone with the patient’s family, friends, or others involved in the patient’s care or payment for care?
Yes. Where a health care provider is allowed to share a patient’s health information with a person, information may be shared face-to-face, over the phone, or in writing.