Policy Position
NMHA supports careful implementation and clarification of the standards
of confidentiality incorporated in the Health Information Portability and
Accountability Act of 1996 ("HIPAA"), with the following additions:
flexibility in emergency situations; requirement of minor assent as well
as parental consent; appointment of a guardian when needed; mandatory reporting
of child and elder abuse; lack of confidentiality in custody disputes; exceptions
for court orders; and special protection of substance abuse records and
treatment records of HIV infection.
Background and Call to Action
Consumers, families, clinicians and treatment facilities are concerned
that confidentiality be protected when mental health treatment is provided.
Automated record keeping, advancements in information system technology,
and the growing need for communication among multiple parties under complex
administrative arrangements such as managed care have made this a difficult
task. With the passage of HIPAA, P.L. 104-191(1996), 42 U.S.C.§---,
and associated rulemaking by the Department of Health and Human Services,
many of the necessary privacy protections have been codified. In accordance
with HIPAA statute, the NMHA recommends that all managed care and government
delivery programs, health care providers and health insurance companies
carefully implement and clarify the following standards. The goal is to
ensure that HIPAA provides consumers with maximum protection of privacy
while simultaneously enhancing the quality of consumer care and alleviating
unreasonable burdens on consumers, families, clinicians and health care
administrators.
NMHA supports careful implementation and clarification of the following
HIPAA standards1:
-
Notice of Privacy Standards. Under HIPAA, covered health plans, doctors
and health care providers must notify consumers of their rights and
how and with whom their personal medical information can be shared.
NMHA urges
that such notifications occur before service delivery, if possible,
and be in plain and simple language. In addition, requests for restrictions
on the disclosure of personal information beyond what is covered
by HIPAA
should be honored.
-
Written and Enforced Privacy Standards. Under HIPAA, covered health
plans, doctors, health care providers and business associates with
access to consumer information must have written privacy standards.
These standards
must include descriptions of staff with access to confidential information,
how consumer information will be used and when and to whom it may
be released. All health care employees and business associates must
be trained in privacy
procedures and must designate individuals to oversee internal compliance
of privacy standards.
-
Limits on the Sharing of Personal Medical Information. Under
HIPAA, personal health information may not be used for purposes unrelated
to health care. NMHA urges health care providers to share only the
minimum amount
of protected information to ensure the highest quality care for
the
consumer, while maintaining non-duplicative and fully-informed service
delivery. Under
HIPAA, consumers must sign a specific authorization before a covered
health care provider may release protected information to a life
insurer, bank,
marketing firm or any other agency for purposes unrelated to the
patient’s
health care. In addition, NMHA advises that a consumer’s request
that information not be shared with certain people, groups, or
companies within
the health care industry be honored.
Under HIPAA, when information
is released, it must be documented with notation of the date, circumstances
of disclosure, the specific information
released,
the names of individuals to whom the information was disclosed and
the name of the individual who disclosed the information. Consumers
have the right
to request and receive a list of all parties with whom their personal
information has been shared.
-
Standards for Electronic Communications. NMHA advocates that all
health care entities comply with HIPAA privacy standards and take every
precautionary
measure possible when engaging in electronic maintenance or transmission
of health information, while simultaneously ensuring the highest
quality care and rapid, fully-informed service delivery for the consumer.
-
Right to Privacy in Correspondence. Under HIPAA, consumers have the
right to specify where and how they are contacted and that providers
and health insurers must comply as long as the request is reasonable.
NMHA urges
providers and insures to respect the right of consumers to have their
privacy protected in this way.
-
Right to File Complaints. Under HIPAA, consumers have
the right to file a formal complaint with their provider, health insurer
or Health
and Human
Service’s Office for Civil Rights if they believe their information
was shared in a way that is not permitted under the privacy law and HIPAA.2 NMHA believes that information about filing complaints should be included
in each health care provider’s notice of patient privacy practices.
It is NMHA’s stance that immediate action must be taken with
all consumer complaints and that consumers should be permitted a fair
hearing
on all
complaints.
-
Access to Health Records. Under HIPAA, consumers have the right to
ask for, see and receive free copies of their medical records and other
personal
health information in a timely manner. At the time of admission for
treatment or services, health care providers must present consumers
with a written
policy on access to health records. In addition, NMHA believes that
consumers should have their health records explained to them by their
physician or
health care provider.
-
Corrections to Health Information. Under HIPAA, consumers
can request to change or add information to their file if it is incorrect
or
incomplete. If a health care provider does not fulfill such a request,
the disagreement
must be permanently noted in the consumer’s file.
-
Comprehensive and Frequent Examination of HIPAA Implementation. Standards
and protocols should be in place in all health care facilities ensuring
compliance to HIPAA standards in a timely and efficient manner, identifying
barriers to enhanced patient care and examining areas for future
improvement.
-
Enforcement and Criminal Penalties. Civil and criminal penalties,
as delineated in HIPAA, should be enforced for health care facilities
that
misuse personal health information.
Standards for Special Circumstances Regarding Sensitive Consumer Information:
In addition to HIPAA statute, states have some flexibility in special circumstances.
Though states vary according to state-specific regulations, NMHA recommends
the following standards to ensure that consumers’ best interests are
protected:
-
Medical Emergencies. Information should be available
to health care personnel for the purpose of treating a condition that
poses an immediate
threat to the health of the consumer3.
-
Minors. Involvement of children, youth and their families in their
care is essential. Therefore, the signatures of both the minor and
a parent/guardian should be required on the disclosure/assent/consent
form unless state
law
authorizes treatment without parental consent.
-
Consumers Who Are Legally Incompetent. A legal guardian should be
appointed to make decisions concerning release of confidential information
for consumers
who are legally incompetent.
-
Child and Elder Abuse and Neglect. All states require the reporting
of suspected child and elder abuse or neglect without consumer or
parent/guardian consent. If information requested as a follow-up to
this initial report
requires consent from a person who may be subject to prosecution,
written consent is insufficient, and a court order should be required.
-
Custody Disputes. For evaluations of children for custody decisions,
clinicians should explain to each parent that confidentiality is
waived for communications with the court.
-
Court Orders. The courts may authorize disclosure of confidential
information where there exists good cause, as delineated in court rules
and procedures.
For court orders authorizing disclosure for other than criminal purposes,
the consumer should receive formal notice of the request and an opportunity
to respond. The judge should weigh the need for disclosure against
the potential harm to the consumer or to the clinician-consumer relationship
and its impact
on the treatment process. The order should limit disclosure to information
essential to the purpose, and provide protection against future public
scrutiny.
-
Consumers with HIV and Other Infectious Diseases. Clinicians
may be required to report such cases to public health authorities, but
only a few
states require the consumer’s name. Clinicians should be aware
of the requirements in their state and only provide the necessary
information
-
Psychiatric Advance Directives. Individuals should have the right
to release HIPAA protected information to their designated health care
proxies
and in their psychiatric advance directives.
-
Cultural Competency. Information should be transmitted in language
that is understandable to the child, youth and family, taking account
of literacy
and English language proficiency.
| Effective Period
This policy was approved by the NMHA Board of Directors on September
8, 2006. It will remain in effect for five (5) years and is reviewed
as required by the NMHA Prevention and Adults Mental Health Services
Committee.
Expiration: September 8, 2009 |
- Department of Health and Human Services. 2003. “Fact
Sheet: Protecting the Privacy of Patients’ Health
Information” http://www.hhs.gov/news/facts/privacy.html
- Consumers can find more information about filing a complaint at http://www.hhs.gov/ocr/hipaa
or by calling (866) 627-7748.
- In addition there is a duty to Threats of violence to third parties.
Should be available to health care personnel and parties that are threatened.
Mental health providers are required to disclose creditable threats of harm.
Tarasoff v. Regents of the University of California, 17 Cal. 3d 425, 131 Cal.
Rptr. 14, 551 P. 2d 334, 83 ALR 3d 1166 (1976)
|
