Inpatient Facility Coding & Compliance Alert

HIPAA:

Don't Let Misunderstanding State Laws Complicate Your Mental Health Compliance

Hint: Remember that state laws trump HHS guidelines. 

On Feb. 20, the Department of Health and Human Services (HHS) released new guidance on the HIPAA Privacy Rule and sharing mental health-related information – but that doesn’t mean you should automatically follow the advice. 

Here’s why: If your state’s laws regarding privacy are more stringent than those under the HIPAA Privacy Rule, following the HHS guidance will do your facility more harm than good.

Overview: “The new guidance is generally consistent with HHS’s previous guidance concerning communication with patients and families,” attorneys stated in a recent vonBriesen & Roper Health Law Blog posting. Except for psychotherapy notes, the Privacy Rule gives the same protection to all PHI, including mental health records. 

Check the HHS Stance on Your Top Questions

In the guidance, HHS addresses some of the frequently asked questions (FAQs) regarding the Privacy Rule’s stance on when you can share the PHI of a patient being treated for a mental health condition. For instance, when does HIPAA permit healthcare providers to:

  • Communicate with a patient’s family members, friends, or others involved in the patient’s care?
  • Communicate with family members when the patient is an adult?
  • Communicate with the parent of a patient who is a minor?
  • Consider the patient’s capacity to agree or object to the sharing his information?
  • Involve a patient’s family members, friends, or others in dealing with patient failures to adhere to medication or other therapy?
  • Listen to family members about their loved ones receiving mental health treatment?
  • Communicate with family members, law enforcement, or others when the patient presents a serious and imminent threat of harm to self or others?
  • Communicate to law enforcement about the release of a patient brought in for an emergency psychiatric hold?

Beware of Letting HHS Info Overrule State Laws

Although these answers to FAQs are certainly helpful in understanding your duties under the HIPAA Privacy Rule regarding mental health information, you’ll need to keep a close eye on your state’s laws. 

Experts strongly encourage you to review your applicable state privacy laws before relying on the HHS guidance. “In many cases, state health information laws are often more stringent, and therefore, may preempt federal regulations,” warned a Feb. 28 HIPAA Alert blog analysis by the law firm Nixon Peabody LLP. 

Also: “Keep in mind that the latest HHS guidance does not affect obligations that may arise under stricter state or federal statutes and regulations governing behavioral health (including mental health and substance abuse) records or information,” according to vonBriesen & Roper.

Example: The stricter requirements of federal rules governing the release of substance abuse information and similar state laws still apply and may not allow the disclosures that HHS describes in this latest guidance, vonBriesen & Roper pointed out.

Watch for Changes in Your State Laws, Too

And state laws can vary widely, ranging from very strict to none at all, Nixon Peabody noted. Approximately 46 states and the District of Columbia have confidentiality statutes for mental health treatment records. State laws are also frequently changing.

For instance, providers in Washington State are facing compliance with new statutes regulating mental health record disclosures, which will take effect on July 1, according to attorney Elana Zana with Seattle-based Ogden Murphy Wallace, PLLC.

Lesson learned: You must be mindful of federal and state protections for all health information, particularly sensitive mental health information, Nixon Peabody urged. Make sure that you comply with state-specific requirements before implementing use and disclosure policies related to mental health treatment records.

Determine Which Law You Should Follow

If your state law is different from HIPAA regarding mental health PHI, you need to figure out which law to follow. You should use the following decision-making process, ccording to a February 2014 whitepaper by Bruce Borkosky, Psy.D., for MalvernGroup Incorporated:

1. If you can find a way to comply with both the state law and HIPAA, then do so.
2. If your state laws are silent on the matter, then follow HIPAA.
3. If the state law gives the patient greater rights or greater information, then follow state law.
4. If the state law is in conflict with or contrary to HIPAA, then you have a dilemma and you may need to seek legal advice.

Resource: The newly released HHS information is available at www.hhs.gov/ocr/privacy/hipaa/understanding/special/mhguidance.html.