Health Information Compliance Alert

Published on Mon Jun 20, 2016 PDF

Do your patients trust your organization to keep their mental health data private?

You might think that a HIPAA breach typically involves the disclosure of protected health information (PHI) like diagnoses, Social Security numbers, or billing information. But when it comes to especially sensitive health data, simply disclosing that a person is associated with a particular facility that provides certain services is enough to qualify as a HIPAA breach.

Postcards are Just Not a Good Idea

Case in point: In February, the Ohio Department of Mental Health and Addiction Services (OMHAS) mailed out survey postcards to its patients requesting feedback on its services. OMHAS sent out these surveys annually to solicit feedback from its patients who’ve sought addiction or mental health treatment.

In fact, OMHAS mailed out two different satisfaction surveys, which displayed patient names and addresses, as well as a request to participate in the survey regarding the services they received through OMHAS, local news outlet WDTN reported. OMHAS didn’t place these postcards in sealed envelopes, so anyone could see the PHI on the postcards.

OMHAS has sent these mailings for the past five years, exposing the PHI of about 59,000 patients during that time. Even though the survey postcards didn’t state what types of services the individuals received from OMHAS, the mailings revealed that the individuals had received or were receiving treatment for mental health or addiction issues.

On April 22, OMHAS Director Tracy Plouck issued an apology for the breach (see http://mha.ohio.gov/Portals/0/assets/News/pressReleases/20160422-Media-Notice-Privacy-Breach.pdf) and stated that OMHAS is conducting “a thorough review of its internal processes and policies relating to consumer outreach and data use to assure better oversight and protection of health information, including additional training for all department staff members.”

Know When it’s a Breach

One lesson you can learn from this breach case is that “even if your establishment is not disclosing the actual mental health data and treatment plans, you are still at risk for a privacy breach,” warns Kristen Marotta, an attorney with Nixon Peabody LLP. “Here, patient ‘association’ with mental health treatment was sufficient to flag the situation as a data breach.”

HIPAA regulations would consider this a privacy data breach that triggers notification not only to the individuals affected by the breach, but also to the U.S. Department of Health and Human Services (HHS) and the media.

Psychotherapy Notes Require Additional Protection

Important: Also, not only is mental health information considered to be PHI under HIPAA, psychotherapy notes require even greater protection, Marotta stresses. Psychotherapy notes include notes recorded by mental health professionals to analyze conversations during private, family, or group counseling sessions.

“Specific patient authorization is almost always required under HIPAA for the release of these notes to any type of entity, due to the fact that these notes contain highly sensitive information that may not be related to the patient’s diagnosis or treatment plan,” Marotta explains.

Always Beware of Stricter State Laws

You should understand your state laws regarding mental health information, too.

“Healthcare professionals should be mindful that, in addition to HIPAA, many states have enacted statutes that impose stricter protections for the privacy of mental health records,” Marotta says. “Some of these state laws require specific language in patient authorization documents for the release of mental health records and may limit the entities to which such records can be disclosed.”

Promote Privacy to Reduce the Stigma

Finally, the better you can protect individuals’ mental health-related PHI, the more confident they may feel in seeking needed mental health treatment and addiction services.

“The privacy of mental health data is crucial in making patients feel comfortable seeking mental health treatment, given that there is still a stigma associated with seeking such treatment,” Marotta notes. “Thus, in order to encourage people to seek the professional attention they need, it is important that these patients trust that their mental health information will be protected.”

Lesson learned: “As demonstrated by this case, as well as the other recent mental health breaches by Veterans Affairs facilities, the stigma extends to even the association of an individual with a mental health facility,” she adds.