Print Version Email this page Increase Font Size Decrease Text Size

Position Statement 27: Standards For Management of and Access to Consumer Information

Policy Position

Mental Health America supports careful implementation and clarification of the standards of confidentiality incorporated in the Health Information Portability and Accountability Act of 1996 ("HIPAA"), with the following additions:  flexibility in emergency situations; requirement of minor assent as well as parental consent; appointment of a guardian when needed; mandatory reporting of child and elder abuse; lack of confidentiality in custody disputes; exceptions for court orders; and special protection of substance abuse records and treatment records of HIV infection.

Background and Call to Action

Consumers, families, clinicians and treatment facilities are concerned that confidentiality be protected when mental health treatment is provided.  Automated record keeping, advancements in information system technology, and the growing need for communication among multiple parties under complex administrative arrangements such as managed care have made this a difficult task.  With the passage of HIPAA, P.L. 104-191(1996), 42 U.S.C.§---, and associated rulemaking by the Department of Health and Human Services, many of the necessary privacy protections have been codified.  In accordance with HIPAA statute, the MHA recommends that all managed care and government delivery programs, health care providers and health insurance companies carefully implement and clarify the following standards.  The goal is to ensure that HIPAA provides consumers with maximum protection of privacy while simultaneously enhancing the quality of consumer care and alleviating unreasonable burdens on consumers, families, clinicians and health care administrators.

Mental Health America supports careful implementation and clarification of the following HIPAA standards[1][2]:

  1. Notice of Privacy Standards. Under HIPAA, covered health plans, doctors and health care providers must notify consumers of their rights and how and with whom their personal medical information can be shared.  Mental Health America urges that such notifications occur before service delivery, if possible, and be in plain and simple language. In addition, requests for restrictions on the disclosure of personal information beyond what is covered by HIPAA should be honored.

  2. Written and Enforced Privacy Standards. Under HIPAA, covered health plans, doctors, health care providers and business associates with access to consumer information must have written privacy standards. These standards must include descriptions of staff with access to confidential information, how consumer information will be used and when and to whom it may be released. All health care employees and business associates must be trained in privacy procedures and must designate individuals to oversee internal compliance of privacy standards.

  3. Limits on the Sharing of Personal Medical Information. Under HIPAA, personal health information may not be used for purposes unrelated to health care.  Mental Health America urges health care providers to share only the minimum amount of protected information to ensure the highest quality care for the consumer, while maintaining non-duplicative and fully-informed service delivery. Under HIPAA, consumers must sign a specific authorization before a covered health care provider may release protected information to a life insurer, bank, marketing firm or any other agency for purposes unrelated to the patient’s health care. In addition, Mental Health America advises that a consumer’s request that information not be shared with certain people, groups, or companies within the health care industry be honored.

Under HIPAA, when information is released, it must be documented with notation of the date, circumstances of disclosure, the specific information released, the names of individuals to whom the information was disclosed and the name of the individual who disclosed the information. Consumers have the right to request and receive a list of all parties with whom their personal information has been shared.

  1. Standards for Electronic Communications.  Mental Health America advocates that all health care entities comply with HIPAA privacy standards and take every precautionary measure possible when engaging in electronic maintenance or transmission of health information, while simultaneously ensuring the highest quality care and rapid, fully-informed service delivery for the consumer.

  1. Right to Privacy in Correspondence. Under HIPAA, consumers have the right to specify where and how they are contacted and that providers and health insurers must comply as long as the request is reasonable.  Mental Health America urges providers and insures to respect the right of consumers to have their privacy protected in this way.

  1. Right to File Complaints.  Under HIPAA, consumers have the right to file a formal complaint with their provider, health insurer or Health and Human Service’s Office for Civil Rights if they believe their information was shared in a way that is not permitted under the privacy law and HIPAA.[3] Mental Health America believes that information about filing complaints should be included in each health care provider’s notice of patient privacy practices. It is Mental Health America’s stance that immediate action must be taken with all consumer complaints and that consumers should be permitted a fair hearing on all complaints.

  1. Access to Health Records. Under HIPAA, consumers have the right to ask for, see and receive free copies of their medical records and other personal health information in a timely manner. At the time of admission for treatment or services, health care providers must present consumers with a written policy on access to health records.  In addition, Mental Health America believes that consumers should have their health records explained to them by their physician or health care provider.  

  1. Corrections to Health Information. Under HIPAA, consumers can request to change or add information to their file if it is incorrect or incomplete. If a health care provider does not fulfill such a request, the disagreement must be permanently noted in the consumer’s file.

  1. Comprehensive and Frequent Examination of HIPAA Implementation. Standards and protocols should be in place in all health care facilities ensuring compliance to HIPAA standards in a timely and efficient manner, identifying barriers to enhanced patient care and examining areas for future improvement.

  1. Enforcement and Criminal Penalties. Civil and criminal penalties, as delineated in HIPAA, should be enforced for health care facilities that misuse personal health information.

Standards for Special Circumstances Regarding Sensitive Consumer Information:

In addition to HIPAA statute, states have some flexibility in special circumstances. Though states vary according to state-specific regulations, Mental Health America recommends the following standards to ensure that consumers’ best interests are protected:

  1. Medical Emergencies. Information should be available to health care personnel for the purpose of treating a condition that poses an immediate threat to the health of the consumer[4].[5]

  1. Minors. Involvement of children, youth and their families in their care is essential. Therefore, the signatures of both the minor and a parent/guardian should be required on the disclosure/assent/consent form unless state law authorizes treatment without parental consent.

  1. Consumers Who Are Legally Incompetent. A legal guardian should be appointed to make decisions concerning release of confidential information for consumers who are legally incompetent.

  1. Child and Elder Abuse and Neglect. All states require the reporting of suspected child and elder abuse or neglect without consumer or parent/guardian consent. If information requested as a follow-up to this initial report requires consent from a person who may be subject to prosecution, written consent is insufficient, and a court order should be required.

  1. Custody Disputes. For evaluations of children for custody decisions, clinicians should explain to each parent that confidentiality is waived for communications with the court.

  1. Court Orders.  The courts may authorize disclosure of confidential information where there exists good cause, as delineated in court rules and procedures.  For court orders authorizing disclosure for other than criminal purposes, the consumer should receive formal notice of the request and an opportunity to respond.  The judge should weigh the need for disclosure against the potential harm to the consumer or to the clinician-consumer relationship and its impact on the treatment process. The order should limit disclosure to information essential to the purpose, and provide protection against future public scrutiny.

  1. Consumers with HIV and Other Infectious Diseases. Clinicians may be required to report such cases to public health authorities, but only a few states require the consumer’s name.  Clinicians should be aware of the requirements in their state and only provide the necessary information

  1. Psychiatric Advance Directives. Individuals should have the right to release HIPAA protected information to their designated health care proxies and in their psychiatric advance directives.

  1. Cultural Competency. Information should be transmitted in language that is understandable to the child, youth and family, taking account of literacy and English language proficiency.

Effective Period

The Mental Health America Board of Directors approved this policy on September 8, 2006.  It will remain in effect for five (5) years and is reviewed as required by the Mental Health America Prevention and Adults Mental Health Services Committee.

Expiration: September 8, 2009
 

[1,2] Department of Health and Human Services. 2003. “Fact Sheet: Protecting the Privacy of Patients’ Health Information” http://www.hhs.gov/news/facts/privacy.html

[3] Consumers can find more information about filing a complaint at http://www.hhs.gov/ocr/hipaa or by calling (866) 627-7748. 

[4] In addition there is a duty to Threats of violence to third parties. Should be available to health care personnel and parties that are threatened.

[5] Mental health providers are required to disclose creditable threats of harm. Tarasoff v. Regents of the University of California, 17 Cal. 3d 425, 131 Cal. Rptr. 14, 551 P. 2d 334, 83 ALR 3d 1166 (1976)

 

Page last updated: 07/02/2007