Attorney Articles | Recommended Practices for School Based Psychotherapists Part II

Articles by Legal Department Staff

The Legal Department articles are not intended to serve as legal advice and are offered for educational purposes only. The information provided should not be used as a substitute for independent legal advice and it is not intended to address every situation that could potentially arise. Please be aware that laws, regulations and technical standards change over time. As a result, it is important to verify and update any reference or information that is provided in the article.

Recommended Practices for School Based Psychotherapists Part II

This article is Part II of a three part series called Practice Guidelines for School Based Psychotherapists. The article discusses the application of HIPAA,
California laws and professional ethical codes to school based practice.

The Application of California law, HIPAA and Ethical Codes in School-Based Therapy Programs
by Michael Griffin, JD, LCSW
Staff Attorney
The Therapist
March/April 2018

This article is Part II of a three-part series entitled Practice Guidelines for School-Based Psychotherapists. In the March/ April, 2017 issue of The Therapist, Part I of this series discussed the Family Educational Rights and Privacy Act (FERPA)1 and its application to school-based psychotherapists.2 This article discusses the application of the Health Insurance Portability and Accountability Act (HIPAA), California laws and professional ethical codes to school based practice, and Part III of the series (in this issue), applies the principles discussed in Part I and Part II to a variety of common scenarios.

As discussed in Part I, FERPA applies to education records which are created and maintained by schools (public or private), that receive funding from the U.S. Department of Education, and which are directly related to the student.3 FERPA does not apply to records which are kept in sole possession of the maker and which are not accessible or revealed to any other person, including records which were created and maintained for the purpose of documenting confidential mental health treatment.4 Records which are maintained by mental health providers who are either contracted or employed with the school district to provide mental health treatment to students, could not therefore, be shared with any other person or entity unless the disclosure was permitted by the applicable provisions of (HIPAA), state laws and professional ethical codes.

Overview of HIPAA
HIPAA was passed for the purpose of establishing national security and privacy standards for the protection of private health information.5 While HIPAA is comprised of many components, the following discussion is intended as an overview of selected key elements of the law.6

Covered Entities
HIPAA only applies to individuals and organizations which qualify as “covered entities” under the law. A covered entity is defined as: 1) a health plan; 2) a healthcare clearinghouse; or, 3) a health care provider who transmits health information in electronic form in connection with certain administrative and financial transactions, also known as “covered transactions.”7 Covered transactions include, but are not limited to, billing a health plan electronically; checking a client’s eligibility and health benefits via the health plan’s website; and receiving confidential client information from health plans via e-mail. Merely e-mailing clients, storing client records electronically, or providing therapy services electronically are not “covered transactions” under HIPAA, and such transactions do not qualify the provider as a “covered entity.” Most schools are not HIPAA covered entities as they do not engage in one or more of these covered transactions. However, some school-based mental health treatment programs may elect to voluntarily comply with HIPAA, and this article provides an overview of relevant requirements.

Business Associates
If a HIPAA-covered entity engages a person or other business entity to perform certain functions or activities that involve the use or disclosure of protected health information on behalf of the covered entity, the third party is known as a “business associate.” In such instances, the covered entity must have a Business Associate Agreement (“BAA”) with the third party. A BAA must describe what the business associate has been contracted to do, and it must require the business associate to comply with HIPAA.

The HIPAA Privacy Rule
One of the core components of HIPAA is known as the “Privacy Rule.” The HIPAA Privacy Rule requires covered entities to protect individuals’ private health information (“PHI”), by requiring appropriate safeguards to protect client’s privacy, and defines conditions which govern the uses and disclosures of PHI without client authorization.8 The Privacy Rule provides the following six rights:

  1. The right to request restrictions on certain uses and disclosures of their PHI
  2. The right to receive confidential communications from health care providers
  3. The right to inspect and receive a copy of their PHI
  4. The right to receive an accounting of disclosures of their PHI
  5. The right to amend their PHI, and
  6. The right to receive a paper copy of the provider’s Notice of Privacy Practices

Before You Get Started

  1. Consider whether the mental health treatment records will be kept separate and apart from the education records.
  2. Consider the form (electronic storage/hard copies) mental health treatment records are to be maintained and the security protocol implemented to ensure confidentiality of the records. If records are to be stored electronically, what type of password protection and back-up system will be used? How often will the system be backed up? Where will the backed-up version be stored? How often, if ever, will hard copies be printed? If records will be maintained in hard copy, will they be stored in a locked cabinet?
  3. Consider who has access to the mental health treatment records and implement policies/procedures regarding this matter.
  4. Consider if the protocol for how a mental health program may obtain consent to treat minors, to include, who must consent for the minor’s treatment; are consent forms sent home or is the consent form provided at the time the services are being requested; and whether the school mental health program allow minors to consent under the California consent laws (Health & Safety Code §124260 and/or Family Code §6924).
  5. Consider the process a therapist must follow when responding to the subpoena.
  6. Consult with legal counsel and other experts regarding the implementation of a school-based mental health program.
  7. Consult with CAMFT on psychotherapists’ legal and ethical obligations.