About Us | Chapters | Advertising | Join
The Legal Department articles are not intended to serve as legal advice and are offered for educational purposes only. The information provided should not be used as a substitute for independent legal advice and it is not intended to address every situation that could potentially arise. Please be aware that laws, regulations and technical standards change over time. As a result, it is important to verify and update any reference or information that is provided in the article.
Diligent readers of The Therapist know that the Health Insurance Portability & Accountability Act of 1996 (HIPAA) will have consequences for certain health care providers, including psychotherapists, who are "covered entities" within the meaning of HIPAA. The purpose of this article is to enable you to understand and to prepare some of the more important forms that HIPAA will require covered entities to use after April 14, 2003.
by David G. Jensen, JD Staff Attorney The Therapist (November/December 2002) Updated 2010 Updated 2012
Diligent readers of The Therapist know that the Health Insurance Portability & Accountability Act of 1996 (HIPAA) will have consequences for certain health care providers, including psychotherapists, who are "covered entities" within the meaning of HIPAA. (As a reminder, a "covered entity" is a therapist who interacts electronically with other covered entities, such as health plans or insurance companies, while conducting certain administrative or financial transactions, such as getting treatment authorized, submitting claims for reimbursement, and being reimbursed for such claims.) Such consequences include having covered entities implement national standards for electronic health care transactions and having such entities implement security and privacy practices and standards in order to protect the personal health information (PHI) of their patients.
Assuming you are a "covered entity," like ripples' emanating from a pond after a stone has been thrown into it, these consequences will lap up against your office walls and directly affect your practice. Consequently, you must understand the rights that individuals have concerning their PHI and you must be prepared to address such rights in your practice. One of the ways you can prepare to address these rights is to adopt certain forms, which will both educate your clients and streamline the process for addressing their rights under HIPAA.
The purpose of this article is to enable you to understand and to prepare some of the more important forms that HIPAA will require covered entities to use on or after April 14, 2003. For lack of a better name, I've collectively called these forms "The Three-Headed Monster," with the documents that comprise such a beast being the Notice of Privacy Practices; an Authorization for Release of Health Information; and, a Request for Amendment of Health Information. Each of these forms is discussed in turn and sample forms have been prepared for your edification.
The Notice of Privacy Practices Pursuant to 45 CFR 164.520, a covered entity must provide its patients with a written notice describing the entity's privacy practices (Notice), and such Notice must be given to the patient at his or her first appointment that occurs after April 14, 2003. You must also make a good faith effort to obtain a written acknowledgement from your clients of their receipt of your Notice. I think the best way to handle this acknowledgement aspect, for new patients, is to include the acknowledgement in your informed consent documents. For existing patients, you should have them acknowledge in writing that they have received a copy of your Notice. Additionally, a copy of your Notice must be posted in your office. Please note, however, that the compliance date for delivering and posting the Notice is April 14, 2003. Consequently, you do not have to give out and post your Notice until then, although you may do so earlier if you wish.
In terms of the Notice itself, it must include:
It is also important to note that HIPAA imposes requirements on when and how a covered entity's privacy practices can be revised. In fact, notice must be given to your clients before you can implement any new policies or make changes to existing ones. Any such changes can be retroactive if you reserve the right to make such changes in your Notice by informing your clients that such changes will apply to previously created or received PHI. The Sample Notice of Privacy Practices, which can be found on page ___, contains such a reservation.
Written Authorizations & Consents to Release Health Information The concept of a written authorizations/consents to release health information should not be new to you. As you undoubtedly know, the information communicated to you in session is confidential, and such information cannot be communicated to anyone else without the client's written authorization unless the disclosure is mandated or permitted by law. HIPAA builds on these fundamental ideas, but it also adds some wrinkles.
One such wrinkle is that HIPAA makes a distinction between authorizations to use or disclose PHI ("Authorization") and consents to use or disclose PHI ("Consent"). They are not the same thing. Authorizations are required by HIPAA for uses and disclosures of PHI that are not otherwise allowed by HIPAA. Consents, on the other hand, are not required by HIPAA, but covered entities may use them for uses and disclosures of PHI for the covered entity's own treatment, payment, and health care operations. Admittedly, this is fairly complicated stuff, but fundamentally it is important to understand that under HIPAA, Authorizations and Consents are different beasts. HIPAA mandates the use of Authorizations; it allows for the use of Consents.
A second wrinkle is that HIPAA distinguishes a "use" from a "disclosure." PHI is "used" when it is shared, examined, utilized, applied, or analyzed within a covered entity; PHI is "disclosed" when it is released, transferred, has been given to, or otherwise divulged outside of the covered entity.
And, a third wrinkle is the concept of "treatment, payment, and health care operations" or TPO. HIPAA defines "treatment" as the "provision, coordination, or management of healthcare, including consultations and referrals between health care providers." It defines "payment" as including, but not limited to, efforts to obtain reimbursement; determine eligibility; billing; claims management; review of healthcare for determining whether it is medically necessary; and utilization review." And, HIPAA defines "health care operations" as including such things as quality assessment and improvement activities; case management and care coordination; arranging for legal services; and business planning, among others.
Consents. Pursuant to 45 CFR 164.506(b), a general consent is permitted, but not required, for uses or disclosures of PHI for the covered entity's TPO. Covered entities that choose to have clients sign Consents for uses or disclosures of PHI for TPO have complete discretion in designing the Consent form. HIPAA does not specify any requirements for the content of such form. Since there are no mandatory requirements for Consent forms, however, nothing prohibits you from incorporating HIPAA's consent concepts into your informed consent documents. Moreover, as required by HIPAA, these concepts will also be spelled out in your Notice of Privacy Practices.
Authorizations. Authorizations, however, are treated differently under HIPAA. In general, Authorizations must be used for uses and disclosures of PHI that are not required or permitted by HIPAA. And, for psychotherapists, an Authorization must be obtained for most disclosures of "psychotherapy notes." The use of Authorizations should not be new to California therapists, however, because California law has required such authorizations for many years. But, although the concepts are similar, HIPAA does add a wrinkle for "psychotherapy notes."
HIPAA defines the concept of "psychotherapy notes" very narrowly. HIPAA limits the information that constitutes such notes to "notes recorded (in any medium) by a health care provider who is a mental health professional documenting or analyzing the contents of a conversation during a private counseling session or a group, joint, or family counseling session that are separated from the rest of the individual's medical record." Specifically excluded, however, from the definition of "psychotherapy notes" are counseling session start and stop times; the modalities and frequencies of treatment furnished; results of clinical tests; and, any summaries of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date.
Unlike the Consent form, HIPAA includes detailed requirements for the contents of Authorization forms. Authorizations must contain certain core elements; however, the form that HIPAA requires is quite similar to the one California requires. Hence, it's possible to draft an omnibus authorization, i.e., one that complies with both HIPAA and applicable California law. Such an authorization must, at a minimum:
And, if a health care provider, such as a psychotherapist, seeks an Authorization to use or disclose health information that the provider maintains, the Authorization must also state that the provider will not condition treatment on the patient providing the requested Authorization and that the individual has the right to refuse to sign the form. A copy of a Sample Authorization Form can be found by clicking on the link at the bottom of this article..
The Request for Amendment of Health Information Pursuant to 45 CFR 164.526, HIPAA gives individuals the right to amend or supplement their own PHI. For instance, if one of your patients disagrees with your diagnosis of him or her, that patient could submit a second opinion to be included in the medical record that you maintain for such patient. Your client has this right for as long as you maintain the information.
Before you panic with the thought of having your conclusions about a patient continually second guessed by such patient, keep in mind that you can accept or deny requests for amendments. If you accept an amendment, you must notify your patient that you are accepting the information, which basically means that you are agreeing to add the information to the patient's medical record, or you are agreeing to make the necessary changes to the patient's medical record. You are then required to provide the amended information to individuals or entities identified by your patient and to other individuals or entities known to have received the erroneous information.
However, it is also possible for you to deny the patient's request to amend his or her PHI. You may deny such a request if:
If you deny a client's request to amend his or her PHI, you must give the client a timely, written denial, which includes (1) the basis for the denial; (2) the client's right to submit a written statement disagreeing with the denial and how to exercise that right; (3) a statement that the client can request you to include the client's request and the denial with any future disclosures of the PHI; and, (4) a description of how the individual can file a complaint with you or the Secretary of Health and Human Services. Thereafter, if your patient files a statement of disagreement with you, you may also file a rebuttal to such statement. For your review, a Sample Request for Amendment Form is set forth on page ___. Handling Requests for Amendment of Patient Information is fairly complex; consequently, CAMFT will devote an entire article to the subject in a future issue of The Therapist.
Sample Notice of Privacy Practices
Notice of Privacy Practices
I. THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY. (Please note that this particular provision must be set forth in your notice of privacy practices exactly as it is set forth here.)
II. I HAVE A LEGAL DUTY TO SAFEGUARD YOUR PROTECTED HEALTH lNFORMATION (PHI) I am legally required to protect the privacy of your PHI, which includes information that can be used to identify you that I've created or received about your past, present, or future health or condition, the provision of health care to you, or the payment of this health care. I must provide you with this Notice about my privacy practices, and such Notice must explain how, when, and why I will "use" and "disclose" your PHI. A "use" of PHI occurs when I share, examine, utilize, apply, or analyze such information within my practice; PHI is "disclosed" when it is released, transferred, has been given to, or is otherwise divulged to a third party outside of my practice. With some exceptions, I may not use or disclose any more of your PHI than is necessary to accomplish the purpose for which the use or disclosure is made. And, I am legally required to follow the privacy practices described in this Notice.
However, I reserve the right to change the terms of this Notice and my privacy policies at any time. Any changes will apply to PHI on file with me already. Before I make any important changes to my policies, I will promptly change this Notice and post a new copy of it in my office and on my website (if applicable). You can also request a copy of this Notice from me, or you can view a copy of it in my office or at my website, which is located at (insert website address, if applicable).
III. HOW I MAY USE AND DISCLOSE YOUR PHI. I will use and disclose your PHI for many different reasons. For some of these uses or disclosures, I will need your prior authorization; for others, however, I do not. Listed below are the different categories of my uses and disclosures along with some examples of each category.
A. Uses and Disclosures Relating to Treatment, Payment, or Health Care Operations Do Not Require Your Prior Written Consent. I can use and disclose your PHI without your consent for the following reasons:
B. Certain Uses and Disclosures Do Not Require Your Consent. I can use and disclose your PHI without your consent or authorization for the following reasons:
C. Certain Uses and Disclosures Require You to Have the Opportunity to Object.
1. Disclosures to Family, Friends, or Others. I may provide your PHI to a family member, friend, or other person that you indicate is involved in your care or the payment for your health care, unless you object in whole or in part. The opportunity to consent may be obtained retroactively in emergency situations.
D. Other Uses and Disclosures Require Your Prior Written Authorization. In any other situation not described in sections III A, B, and C above, I will ask for your written authorization before using or disclosing any of your PHI. If you choose to sign an authorization to disclose your PHI, you can later revoke such authorization in writing to stop any future uses and disclosures (to the extent that I haven't taken any action in reliance on such authorization) of your PHI by me.
IV WHAT RIGHTS YOU HAVE REGARDING YOUR PHI
You have the following rights with respect to your PHI:
A. The Right to Request Limits on Uses and Disclosures of Your PHI. You have the right to ask that I limit how I use and disclose your PHI. I will consider your request, but I am not legally required to accept it. If I accept your request, I will put any limits in writing and abide by them except in emergency situations. You may not limit the uses and disclosures that I am legally required or allowed to make.
B. The Right to Choose How I Send PHI to You. You have the right to ask that I send information to you to at an alternate address (for example, sending information to your work address rather than your home address) or by alternate means (for example, e?mail instead of regular mail) I must agree to your request so long as I can easily provide the PHI to you in the format you requested.
C. The Right to See and Get Copies of Your PHI. In most cases, you have the right to look at or get copies of your PHI that I have, but you must make the request in writing. If I don't have your PHI but I know who does, I will tell you how to get it. I will respond to you within 30 days of receiving your written request. In certain situations, I may deny your request. If I do, I will tell you, in writing, my reasons for the denial and explain your right to have my denial reviewed.
If you request copies of your PHI, I will charge you not more than $.25 for each page. Instead of providing the PHI you requested, I may provide you with a summary or explanation of the PHI as long as you agree to that and to the cost in advance.
D. The Right to Get a List of the Disclosures I Have Made. You have the right to get a list of instances in which I have disclosed your PHI. The list will not include uses or disclosures that you have already consented to, such as those made for treatment, payment, or health care operations, directly to you, or to your family. The list also won't include uses and disclosures made for national security purposes, to corrections or law enforcement personnel, or disclosures made before April 15, 2002.
I will respond to your request for an accounting of disclosures within 60 days of receiving your request. The list I will give you will include disclosures made in the last six years unless you request a shorter time. The list will include the date of the disclosure, to whom PHI was disclosed (including their address, if known), a description of the information disclosed, and the reason for the disclosure. I will provide the list to you at no charge, but if you make more than one request in the same year, I will charge you $[insert fee] for each additional request.
E. The Right to Correct or Update Your PHI. If you believe that there is a mistake in your PHI or that a piece of important information is missing, you have the right to request that I correct the existing information or add the missing information. You must provide the request and your reason for the request in writing. I will respond within 60 days of receiving your request to correct or update your PHI. I may deny your request in writing if the PHI is (i) correct and complete, (ii) not created by me, (iii) not allowed to be disclosed, or (iv) not part of my records. My written denial will state the reasons for the denial and explain your right to file a written statement of disagreement with the denial. If you don't file one, you have the right to request that your request and my denial be attached to all future disclosures of your PHI. If I approve your request, I will make the change to your PHI, tell you that I have done it, and tell others that need to know about the change to your PHI.
F. The Right to Get This Notice by E?Mail. You have the right to get a copy of this notice by e-mail. Even if you have agreed to receive notice via e?mail, you also have the right to request a paper copy of it.
V. HOW TO COMPLAIN ABOUT OUR PRIVACY PRACTICES
If you think that I may have violated your privacy rights, or you disagree with a decision I made about access to your PHI, you may file a complaint with the person listed in Section Vl below. You also may send a written complaint to the Secretary of the Department of Health and Human Services at 200 Independence Avenue S.W., Washington, D.C. 20201. I will take no retaliatory action against you if you file a complaint about my privacy practices.
VI. PERSON TO CONTACT FOR INFORMATION ABOUT THIS NOTICE OR TO COMPLAIN ABOUT MY PRIVACY PRACTICES
If you have any questions about this notice or any complaints about my privacy practices, or would like to know how to file a complaint with the Secretary of the Department of Health and Human Services, please contact me at: [insert provider's name, address, phone #, and email].
VlI EFFECTIVE DATE OF THIS NOTICE This notice went into effect on April 14, 2003.
--------------------------------------------------------------------------------
The information contained in this article is intended to provide guidelines for addressing difficult legal dilimmas. It is not intended to address every situation that could possibly arise, nor is it intended to be substitute for independent legal advice or consultation. When using such infformation as a guide, be aware that laws, regulations, and technical standards change over time, and thus one should verify and update any references or information contained herein.