Outside Provider HIPAA Violation

[green]

Has anyone taken action against a private provider regarding the improper sharing of medical information with the VA?  I recently went to see a private cardiologist for some tests on my ticker.  I told the office staff 3 times each during two appointments NOT to share my information with the VA.  Yep, you guessed it, they sent copies of the doctor notes and evaluative tests to the VA without my permission.

Green

[Buck52]

This is just a part of HIPPA Regulations. as to MH not sure about Heart Conditions.

HIPAA Privacy Rule and Sharing Information Related to Mental Health

Download PDF version

 

Background

 

The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule provides consumers with important privacy rights and protections with respect to their health information, including  important controls over how their health information is used and disclosed by health plans and health care providers.  Ensuring strong privacy protections is critical to maintaining individuals’ trust in their health care providers and willingness to obtain needed health care services, and these protections are especially important where very sensitive information is concerned, such as mental health information.  At the same time, the Privacy Rule recognizes circumstances arise where health information may need to be shared to ensure the patient receives the best treatment and for other important purposes, such as for the health and safety of the patient or others.  The Rule is carefully balanced to allow uses and disclosures of information—including mental health information—for treatment and these other purposes with appropriate protections.  

 

In this guidance, we address some of the more frequently asked questions about when it is appropriate under the Privacy Rule for a health care provider to share the protected health information of a patient who is being treated for a mental health condition.  We clarify when HIPAA permits health care providers to:

 

• • Communicate with a patient’s family members, friends, or others involved in the patient’s care;
  • Communicate with family members when the patient is an adult;
  • Communicate with the parent of a patient who is a minor;
  • Consider the patient’s capacity to agree or object to the sharing of their information;
  • Involve a patient’s family members, friends, or others in dealing with patient failures to adhere to medication or other therapy;
  • Listen to family members about their loved ones receiving mental health treatment;
  • Communicate with family members, law enforcement, or others when the patient presents a serious and imminent threat of harm to self or others; and
  • Communicate to law enforcement about the release of a patient brought in for an emergency psychiatric hold.

 

In addition, the guidance provides relevant reminders about related issues, such as the heightened protections afforded to psychotherapy notes by the Privacy Rule, a parent’s right to access the protected health information of a minor child as the child’s personal representative, the potential applicability of Federal alcohol and drug abuse confidentiality regulations or state laws that may provide more stringent protections for the information than HIPAA, and the intersection of HIPAA and FERPA in a school setting.

 

Questions and Answers about HIPAA and Mental Health

 

Does HIPAA allow a health care provider to communicate with a patient’s family, friends, or other persons who are involved in the patient’s care?

 

Yes. In recognition of the integral role that family and friends play in a patient’s health care, the HIPAA Privacy Rule allows these routine – and often critical – communications between health care providers and these persons.  Where a patient is present and has the capacity to make health care decisions,   health care providers may communicate with a patient’s family members, friends, or other persons the patient has involved in his or her health care or payment for care, so long as the patient does not object.  See 45 CFR 164.510(b).  The provider may ask the patient’s permission to share relevant information with family members or others, may tell the patient he or she plans to discuss the information and give them an opportunity to agree or object, or may infer from the circumstances, using professional judgment, that the patient does not object. A common example of the latter would be situations in which a family member or friend is invited by the patient and present in the treatment room with the patient and the provider when a disclosure is made.

 

Where a patient is not present or is incapacitated, a health care provider may share the patient’s information with family, friends, or others involved in the patient’s care or payment for care, as long as the health care provider determines, based on professional judgment, that doing so is in the best interests of the patient. Note that, when someone other than a friend or family member is involved, the health care provider must be reasonably sure that the patient asked the person to be involved in his or her care or payment for care.

 

In all cases, disclosures to family members, friends, or other persons involved in the patient’s care or payment for care are to be limited to only the protected health information directly relevant to the person’s involvement in the patient’s care or payment for care.

 

OCR’s website contains additional information about disclosures to family members and friends in fact sheets developed for consumers and providers.

 

Does HIPAA provide extra protections for mental health information compared with other health information?

 

Generally, the Privacy Rule applies uniformly to all protected health information, without regard to the type of information. One exception to this general rule is for psychotherapy notes, which receive special protections. The Privacy Rule defines psychotherapy notes as notes recorded by a health care provider who is a mental health professional documenting or analyzing the contents of a conversation during a private counseling session or a group, joint, or family counseling session and that are separate from the rest of the patient’s medical record. Psychotherapy notes do not include any information about medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, or results of clinical tests; nor do they include summaries of diagnosis, functional status, treatment plan, symptoms, prognosis, and progress to date.  Psychotherapy notes also do not include any information that is maintained in a patient’s medical record. See 45 CFR 164.501. 

 

Psychotherapy notes are treated differently from other mental health information both because they contain particularly sensitive information and because they are the personal notes of the therapist that typically are not required or useful for treatment, payment, or health care operations purposes, other than by the mental health professional who created the notes. Therefore, with few exceptions, the Privacy Rule requires a covered entity to obtain a patient’s authorization prior to a disclosure of psychotherapy notes for any reason, including a disclosure for treatment purposes to a health care provider other than the originator of the notes. See 45 CFR 164.508(a)(2).  A notable exception exists for disclosures required by other law, such as for mandatory reporting of abuse, and mandatory “duty to warn” situations regarding threats of serious and imminent harm made by the patient (State laws vary as to whether such a warning is mandatory or permissible).

 

Is a health care provider permitted to discuss an adult patient’s mental health information with the patient’s parents or other family members?

 

In situations where the patient is given the opportunity and does not object, HIPAA allows the provider to share or discuss the patient’s mental health information with family members or other persons involved in the patient’s care or payment for care.  For example, if the patient does not object:

 

• • A psychiatrist may discuss the drugs a patient needs to take with the patient’s sister who is present with the patient at a mental health care appointment.
  • A therapist may give information to a patient’s spouse about warning signs that may signal a developing emergency.

 

    BUT:

 

• • A nurse may not discuss a patient’s mental health condition with the patient’s brother after the patient has stated she does not want her family to know about her condition.

 

In all cases, the health care provider may share or discuss only the information that the person involved needs to know about the patient’s care or payment for care. See 45 CFR 164.510(b).  Finally, it is important to remember that other applicable law (e.g., State confidentiality statutes) or professional ethics may impose stricter limitations on sharing personal health information, particularly where the information relates to a patient’s mental health.

 

When does mental illness or another mental condition constitute incapacity under the Privacy Rule? For example, what if a patient who is experiencing temporary psychosis or is intoxicated does not have the capacity to agree or object to a health care provider sharing information with a family member, but the provider believes the disclosure is in the patient’s best interests?

 

Section 164.510(b)(3) of the HIPAA Privacy Rule permits a health care provider, when a patient is not present or is unable to agree or object to a disclosure due to incapacity or emergency circumstances, to determine whether disclosing a patient’s information to the patient’s family, friends, or other persons involved in the patient’s care or payment for care, is in the best interests of the patient.¹Where a provider determines that such a disclosure is in the patient’s best interests, the provider would be permitted to disclose only the PHI that is directly relevant to the person’s involvement in the patient’s care or payment for care.

 

This permission clearly applies where a patient is unconscious. However, there may be additional situations in which a health care provider believes, based on professional judgment, that the patient does not have the capacity to agree or object to the sharing of personal health information at a particular time and that sharing the information is in the best interests of the patient at that time. These may include circumstances in which a patient is suffering from temporary psychosis or is under the influence of drugs or alcohol.  If, for example, the provider believes the patient cannot meaningfully agree or object to the sharing of the patient’s information with family, friends, or other persons involved in their care due to her current mental state, the provider is allowed to discuss the patient’s condition or treatment with a family member, if the provider believes it would be in the patient’s best interests.  In making this determination about the patient’s best interests, the provider should take into account the patient’s prior expressed preferences regarding disclosures of their information, if any, as well as the circumstances of the current situation.  Once the patient regains the capacity to make these choices for herself, the provider should offer the patient the opportunity to agree or object to any future sharing of her information. 

 

If a health care provider knows that a patient with a serious mental illness has stopped taking a prescribed medication, can the provider tell the patient’s family members?

 

So long as the patient does not object, HIPAA allows the provider to share or discuss a patient’s mental health information with the patient’s family members.  See 45 CFR 164.510(b). If the provider believes, based on professional judgment, that the patient does not have the capacity to agree or object to sharing the information at that time, and that sharing the information would be in the patient’s best interests, the provider may tell the patient’s family member. In either case, the health care provider may share or discuss only the information that the family member involved needs to know about the patient’s care or payment for care.

 

Otherwise, if the patient has capacity and objects to the provider sharing information with the patient’s family member, the provider may only share the information if doing so is consistent with applicable law and standards of ethical conduct, and the provider has a good faith belief that the patient poses a threat to the health or safety of the patient or others, and the family member is reasonably able to prevent or lessen that threat. See 45 CFR 164.512(j). For example, if a doctor knows from experience that, when a patient’s medication is not at a therapeutic level, the patient is at high risk of committing suicide, the doctor may believe in good faith that disclosure is necessary to prevent or lessen the threat of harm to the health or safety of the patient who has stopped taking the prescribed medication, and may share information with the patient’s family or other caregivers who can avert the threat. However, absent a good faith belief that the disclosure is necessary to prevent a serious and imminent threat to the health or safety of the patient or others, the doctor must respect the wishes of the patient with respect to the disclosure.

 

Can a minor child’s doctor talk to the child’s parent about the patient’s mental health status and needs?

 

With respect to general treatment situations, a parent, guardian, or other person acting in loco parentis usually is the personal representative of the minor child, and a health care provider is permitted to share patient information with a patient’s personal representative under the Privacy Rule. 

[Navy04]

Did the VA pay for the Treatment? If they did, then your Civilian Docs would have to inform the VA as they would be paid to provide a service. Also, I don't understand, why would you not want the VA to know? A good friend of mine that was a Korean and Vietnam Vet died last year of Heart Issues, and in fact he could have had better treatment from the VA at the end, if his civilian Docs would have given all Treatment Records to the VA. Don't know exactly what you are asking for bud, but Good luck and wish you the best.

[green]

No, I paid for the visit.  I didn't want the information to go to the VA before I had a chance to review.  Sharing it should have been my decision, not the dr's office.

[green]

So I had a conversation with the Doctor's office HR person a few days ago explaining the sharing of my personal information despite my having asked several folks not to share it with the VA.  I received a call today that was very apologetic explaining they had researched the issue and they admitted that I had told everyone that would listen I didn't want them to share this information and even noted it on the release of information form.

So her question to me was "what can we do to make this right?"  I explained that at this point I didn't even know how to quantify the impact of their actions.  She asked me to call her back in a week after I had a chance to think about it.  Has anyone been down this road before???

Please keep in mind I am not trying to keep information from the VA, it's just that I feel I should be able to determine when and if information is shared.

 

Thank you,

Green

[lotzaspotz]

Green, there's a six-year statute of limitations on filing a formal HIPAA complaint, which of course is probably your healthcare provider's primary concern. That's six years to find out what kind of impact, if any, this transgression will have on your relationship with the VA.  You obviously have to ask yourself if this unfortunate incident destroyed your trust in your healthcare provider to the extent that you need to switch providers, since I wouldn't advise filing a complaint against someone who you intend to continue treating you.

This an excellent example of the fact that once a bell is rung, it can't be "un-rung."  It's now a matter of how much this upsets you, your relationship with your doctor, and determining if any damage is done within the next six years.  At least they've asked you the question about how to "make this right," even though there may not be any way to do that.  

 

Edited September 9, 2015 by lotzaspotz

[green]

Green, there's a six-year statute of limitations on filing a formal HIPAA complaint, which of course is probably your healthcare provider's primary concern. That's six years to find out what kind of impact, if any, this transgression will have on your relationship with the VA.  You obviously have to ask yourself if this unfortunate incident destroyed your trust in your healthcare provider to the extent that you need to switch providers, since I wouldn't advise filing a complaint against someone who you intend to continue treating you.

This an excellent example of the fact that once a bell is rung, it can't be "un-rung."  It's now a matter of how much this upsets you, your relationship with your doctor, and determining if any damage is done within the next six years.  At least they've asked you the question about how to "make this right," even though there may not be any way to do that.  

 

lotzaspotz (great nick btw), Thank you for your response. 

I don't have a relationship with this physician per se.  He is one specialist in a very large network of same-name clinics and I set up the appointment because the VA really wasn't taking the issue seriously and I needed information.

The frustration here is that I told at least 5 people at the clinic not to send these reports, noted it on the release form as well, and still they sent it.  I wanted to review the information first because as you know the VA takes information out of context and it can have long term financial impacts when they do so.  I would not utilize the clinic again given the breach of trust. 

Apparently the first course of action is reporting the unapproved sharing of personal information to the DOL Office of Civil Rights.  HHS will impose a penalty of at least $1000 per transgression and in this case there were two.  The clinic representative told me that by law they have to self-report the incident to DOL.

I really wasn't expecting the representative to ask me the $ question.