Don’t rely on new HHS guidance until you check your state laws first.
New guidance from the Department of Health and Human Services (HHS) may help to answer your toughest mental health information-related questions under the HIPAA Privacy Rule. But if your state’s laws are more stringent, following the guidance will do more harm than good.
On Feb. 20, HHS released new guidance on the HIPAA Privacy Rule and sharing mental health-related information, which is now available at www.hhs.gov/ocr/privacy/hipaa/understanding/special/mhguidance.html.
Overview: “The new guidance is generally consistent with HHS’s previous guidance concerning communication with patients and families,” attorneys stated in a recent vonBriesen & Roper Health Law Blog posting. Except for psychotherapy notes, the Privacy Rule gives the same protection to all PHI, including mental health records.
Learn the Answers to Your Burning Questions
In the guidance, HHS addresses some of the frequently asked questions (FAQs) regarding the Privacy Rule’s stance on when you can share the PHI of a patient being treated for a mental health condition. For instance, when does HIPAA permit healthcare providers to:
Tread Carefully: Don’t Let Guidance Overrule Your State’s Laws
Although these answers to FAQs are certainly helpful in understanding your duties under the HIPAA Privacy Rule regarding mental health information, you’ll need to keep a close eye on your state’s laws.
Experts strongly encourage you to review your applicable state privacy laws before relying on the HHS guidance. “In many cases, state health information laws are often more stringent, and therefore, may preempt federal regulations,” warned a Feb. 28 HIPAA Alert blog analysis by the law firm Nixon Peabody LLP.
Also: “Keep in mind that the latest HHS guidance does not affect obligations that may arise under stricter state or federal statutes and regulations governing behavioral health (including mental health and substance abuse) records or information,” according to vonBriesen & Roper.
Example: The stricter requirements of federal rules governing the release of substance abuse information and similar state laws still apply and may not allow the disclosures that HHS describes in this latest guidance, vonBriesen & Roper pointed out.
Watch for Changes in Your State Laws, Too
And state laws can vary widely, ranging from very strict to none at all, Nixon Peabody noted. Approximately 46 states and the District of Columbia have confidentiality statutes for mental health treatment records. State laws are also frequently changing.
For instance, providers in Washington State are facing compliance with new statutes regulating mental health record disclosures, which will take effect on July 1, according to attorney Elana Zana with Seattle-based Ogden Murphy Wallace, PLLC.
Lesson learned: You must be mindful of federal and state protections for all health information, particularly sensitive mental health information, Nixon Peabody urged. Make sure that you comply with state-specific requirements before implementing use and disclosure policies related to mental health treatment records.
How to Decide Which Law to Follow
If your state law is different from HIPAA regarding mental health PHI, you need to figure out which law to follow. According to a February 2014 whitepaper by Bruce Borkosky, Psy.D., for MalvernGroup Incorporated, you should use the following decision-making process:
1. If you can find a way to comply with both the state law and HIPAA, then do so.
2. If your state laws are silent on the matter, then follow HIPAA.
3. If the state law gives the patient greater rights or greater information, then follow state law.
4. If the state law is in conflict with or contrary to HIPAA, then you have a dilemma and you may need to seek legal advice.