Join or renew now
Get CE Credits Now
About AMHCA
Exclusive Member Benefits
Practice Resources
Register for Events
Affect Public Policy
Buy AMHCA Products
Student Benefits
Journal Authors Guidelines
Malpractice Protection
Health and Casualty Insurance
Find a Job or Employee
Connect with Chapters
AMHCA Mentor Handbook
Contact AMHCA

Practice Resources

Federal Privacy Regulations: What Mental Health Counselors Need to Know

This article is an introductory advisory to AMHCA members on the final Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy regulations. It summarizes key features of the regulation, highlights areas of significant change from the proposed regulation, and provides some "action steps" to assist mental health counselors in moving toward compliance with the regulation's requirements.

Nothing in this advisory constitutes legal advice, which can only be obtained in consultation with an attorney. The information published here is believed to be accurate at the time of publication, but it is subject to change and does not purport to be a complete statement of all relevant issues. AMHCA encourages its members to consult with their own attorney should they have questions about the regulation or its application. We recommend that you review this document carefully, to determine if you meet the definition of a “covered entity” under the regulations. AMHCA continues to review and analyze the 1535 page regulation and will notify its members when updates or further information is warranted.

Introduction

In 1996, the U.S. Congress recognized the importance of protecting the privacy of medical records when it passed the Health Insurance Portability and Accountability Act (HIPAA), which, among other things, authorized Congress to establish uniform privacy standards for health information that is transmitted electronically. Under this law, Congress was also required to enact comprehensive health privacy legislation by August 21, 1999. Congress failed to address the issue and responsibility for issuing privacy regulations fell to the Secretary of Health and Human Services (HHS) as mandated by HIPAA. HHS issued proposed regulations on October 29, 1999, and allowed for an extended comment period. More than 52,000 comments were received in response to these regulations, including comments submitted by the American Mental Health Counselors Association (AMHCA). The final privacy regulations were issued by HHS just before the end of President Clinton’s term. However, on February 26, 2001, the Bush Administration reopened the comment period for an additional 30 days. On April 12, 2001, President Bush announced that the privacy regulations as issued by the Clinton administration would take effect on April 14, 2001, but left open the possibility that the rules could be significantly modified before the compliance date of April 14, 2003. HHS is expected to release a series of guidance materials to assist health care providers and others affected by the regulations comply with the regulations.

The controversy and debate, however, over the regulations have not diminished. Recent comments by President Bush and HHS Secretary Tommy Thompson indicate plans to “soften” the regulations and to re-examine some of their more controversial parts over the next two years. However, the clock has started on the two-year window for compliance, and health care providers need to determine now whether they meet the definition of a covered entity and what modifications they must make to be in compliance by April 14, 2003.

What do the new privacy regulations do?

The privacy regulations establish that personal health information must be kept confidential. The regulations are designed to safeguard the privacy and confidentiality of a consumer’s health information, particularly in this age of rapid advances in technology and the subsequent ease with which information can be transmitted. The regulations establish a baseline of patient/client protections by defining the rights of individuals, the administrative obligations of covered entities, and the permitted uses and disclosures of protected health information. State laws that are stronger than the HHS privacy rule will remain effect. In addition, state legislatures are afforded the opportunity to enact stronger protections in the future.

When will I have to comply with the regulations?

“Covered entities” have until April 14, 2003, to implement the HIPAA privacy regulations and come into compliance. Under the regulations, failure to comply can result in civil and criminal penalties for covered entities; however, clients were not given the right to sue for violations of the regulation.

Who or what is a “covered entity” under the regulations?

  • A health care provider who transmits health/behavioral health claims-type information electronically. The definition includes practitioners, such as those in agency or private practice.
    Note: Although many mental health counselors currently do not transmit health claims–type information electronically, thus not meeting the definition of a covered entity, it is likely that over the next few years, this will become a standard and expected industry practice. AMHCA advises members to consider this as they review their status as a covered entity.

  • A health plan—includes HMOs, health insurers, group health plans (except a group plan for an employer with fewer than 50 employees and which is also self-insured).

  • A health care clearinghouse—defined in the rules as “a public or private entity, including a billing service, repricing company, community health management information system or community health information system, and “value-added” networks, that does either of the following functions: (1) Processes or facilitates the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction. (2) Receives a standard transaction from another entity and processes or facilitates the processing of health information into nonstandard format or nonstandard data content for the receiving entity.”

The HIPAA regulations require that covered entities maintain contracts with their business associates that essentially bind the business associates to the same privacy practices of the covered entities. Business associates are defined as individuals who receive health information from a covered entity or on behalf of a covered entity. Examples include a copy center, a contracted phone answering service, an accountant reviewing books, auditors, quality assurance/utilization review services, or other contracted services that might interact with protected health information.

What information is protected by the privacy regulations?

Protected health information includes information

  • about a person’s health, health care, or payment of health care (the term “health” includes mental health and behavioral health issues)
  • that identifies a person
  • created or received by a covered health care plan or provider.

All medical records or other individually identifiable health information held or disclosed by a covered entity in any form (electronically, on paper, or orally) is covered by the final regulation.

How is this information protected?

Protected health information may not be disclosed by a covered entity without the informed and voluntary written consent or authorization of the client. Client information can be used or disclosed by a covered entity only for purposes of health care treatment, payment, and operations. Disclosure must be limited to the minimum amount necessary for the purposes of disclosure, with the exception of transferring records for treatment, when providers need access to the full record to ensure quality care.

Health care providers may condition treatment on obtaining client consent of protected health information for the purposes of treatment, payment, and health care operations. Similarly, health plans and health care clearinghouses also may condition enrollment on the client’s provision of a consent to disclose protected health information for the purposes of treatment, payment, and health care operations.

What are the client’s rights under these new regulations?

  • Clients have a right to access their medical records and are entitled to see and copy their records and request amendments. A history of disclosures of protected health information must be made available to clients on their request.

  • Clients have a right to request a restriction on the use and disclosure of their protected health information for the purposes of treatment, payment, or health care operations.

  • Covered entities are required to provide clients with a clear, written explanation of how their protected health information can be used and disclosed.

Administrative Requirement for Covered Entities

Covered entities are required to

  • designate a privacy official who will develop and implement the privacy policies and procedures of the organization.
  • develop policies and procedures designed to ensure that covered entities are in compliance with the standards and requirements of the privacy rule.
  • maintain a record of all versions of their privacy policies and procedures, along with any complaints filed and disclosures of protected health information, for six years.
  • provide privacy training to the workforce. Staff must be trained by the compliance date (April 14, 2003).
  • develop a system of sanctions for employees who violate the entity’s policies.
  • meet documentation requirements.
  • provide written notice of privacy practices in plain English. The notice of privacy practices must include a description of the client’s rights; describe anticipated uses and disclosures of information that may be made without authorization; identify a contact person in the event of a complaint, and inform of the right to register a complaint with the secretary of HHS. This notice must be posted in a visible location, and a written copy must be given to clients at their first visit after the compliance date.

Are there circumstances under which protected health information may be disclosed without a client’s consent or authorization?

Yes. There are a number of exceptions under the regulations that allow for disclosure of a client’s protected health information without client consent or authorization. Some permitted HIPAA disclosures are:

  • when mandated by law
  • permitted disclosures for public health activities (such as reporting diseases, collecting vital statistics, etc)
  • disclosure about victims of abuse, neglect or domestic violence
  • health oversight activities
  • disclosures for judicial or administrative proceedings
  • disclosures for law enforcement purposes
  • use and disclosure for research purposes
  • disclosures to avert a serious threat to health or safety.

The HIPAA regulations are “permissive,” which means that these are the circumstances under the regulations in which health care providers are permitted to disclose protected health information without client consent or authorization. However, other laws (such as state privacy and confidentiality regulations) or a professional code of ethics may require providers to proceed in a different manner. Mental health counselors are expected to adhere to their professional code of ethics when determining whether it is necessary or appropriate to make these permitted HIPAA disclosures.

Do the same requirements apply to mental health records and to medical records?

There are stricter requirements for mental health records than for other medical records.

  • "Psychotherapy notes” are afforded special privacy protections under this regulation. Ordinarily, a written client consent is required before psychotherapy notes can be disclosed to anyone.

  • A health plan may not condition a client’s enrollment or eligibility on the provision of the client’s authorization or consent for disclosure of psychotherapy notes.

  • Psychotherapy notes are excluded from the provision that gives clients the right to see and copy their health information.

How are psychotherapy notes defined?

  • Psychotherapy notes are defined in the regulation as “notes recorded (in any medium) by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of the individual’s medical record.

  • The definition of psychotherapy notes excludes medication prescription and monitoring, counseling session start and stop times, modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: diagnosis, functional status, treatment plan, symptoms, prognosis, and progress to date.

What are the circumstances when psychotherapy notes can be used or disclosed without authorization or consent from the client?

The regulation allows limited uses/disclosures without consent or authorization in the following circumstances:

  • when required for enforcement of the regulations by HHS
  • when mandated by law
  • when needed for oversight of the provider who created the psychotherapy notes
  • when sent to a coroner or medical examiner
  • when needed to avert a serous and imminent threat to health or safety.

What do I need to do as a Mental Health Counselor?

First, determine if the regulations apply to you:

If yes,

  • Start and maintain a file of information about the privacy regulations.

  • Get a copy of the privacy regulations (see References) and check appropriate Web sites periodically to download updates and implementation guidelines. HHS has indicated that they will develop and issue guidelines on the privacy regulations.

  • Review record keeping policies and procedures including those for psychotherapy notes, if applicable.

  • Set a time frame and establish a plan to meet the basic requirements of the regulations by the compliance date of April 14, 2003. This plan should include designating a privacy officer, training staff, and revising or developing appropriate consent and authorization forms.

  • Watch for future AMHCA guidance on this issue.

If no,

  • Continue to monitor your status and stay abreast of current developments in the HIPAA regulations. Watch for future AMHCA guidance on this issue.

  • Questions about interpretation or application of the regulations can be addressed to HHS directly by calling 1-866-627-7748, 1-866-788-4989 (TTY) or submitting an email to: ocrprivacy@os.dhhs.gov .

  • Questions about state law (such as whether a state privacy law is more protective than the federal regulation) should be addressed to the Attorney General for your state.

To view the regulation in its entirety, go to http://www.hhs.gov/ocr/hipaa/.


Return to Homepage | Join or Renew Now

American Mental Health Counselors Association
801 N. Fairfax Street Suite 304
Alexandria, VA 22314
800-326-2642 | 703-548-6002
Fax 703-548-4775

© 2004 by the American Mental Health Counselors Association. All rights reserved. No portion of this website may be copied or reproduced without the express written consent of the American Mental Health Counselors Association.