Hint: Remember that state laws trump HHS guidelines.
On Feb. 20, the Department of Health and Human Services (HHS) released new guidance on the HIPAA Privacy Rule and sharing mental health-related information – but that doesn’t mean you should automatically follow the advice.
Here’s why: If your state’s laws regarding privacy are more stringent than those under the HIPAA Privacy Rule, following the HHS guidance will do your facility more harm than good.
Overview: “The new guidance is generally consistent with HHS’s previous guidance concerning communication with patients and families,” attorneys stated in a recent vonBriesen & Roper Health Law Blog posting. Except for psychotherapy notes, the Privacy Rule gives the same protection to all PHI, including mental health records.
Check the HHS Stance on Your Top Questions
In the guidance, HHS addresses some of the frequently asked questions (FAQs) regarding the Privacy Rule’s stance on when you can share the PHI of a patient being treated for a mental health condition. For instance, when does HIPAA permit healthcare providers to:
Beware of Letting HHS Info Overrule State Laws
Although these answers to FAQs are certainly helpful in understanding your duties under the HIPAA Privacy Rule regarding mental health information, you’ll need to keep a close eye on your state’s laws.
Experts strongly encourage you to review your applicable state privacy laws before relying on the HHS guidance. “In many cases, state health information laws are often more stringent, and therefore, may preempt federal regulations,” warned a Feb. 28 HIPAA Alert blog analysis by the law firm Nixon Peabody LLP.
Also: “Keep in mind that the latest HHS guidance does not affect obligations that may arise under stricter state or federal statutes and regulations governing behavioral health (including mental health and substance abuse) records or information,” according to vonBriesen & Roper.
Example: The stricter requirements of federal rules governing the release of substance abuse information and similar state laws still apply and may not allow the disclosures that HHS describes in this latest guidance, vonBriesen & Roper pointed out.
Watch for Changes in Your State Laws, Too
And state laws can vary widely, ranging from very strict to none at all, Nixon Peabody noted. Approximately 46 states and the District of Columbia have confidentiality statutes for mental health treatment records. State laws are also frequently changing.
For instance, providers in Washington State are facing compliance with new statutes regulating mental health record disclosures, which will take effect on July 1, according to attorney Elana Zana with Seattle-based Ogden Murphy Wallace, PLLC.
Lesson learned: You must be mindful of federal and state protections for all health information, particularly sensitive mental health information, Nixon Peabody urged. Make sure that you comply with state-specific requirements before implementing use and disclosure policies related to mental health treatment records.
Determine Which Law You Should Follow
If your state law is different from HIPAA regarding mental health PHI, you need to figure out which law to follow. You should use the following decision-making process, ccording to a February 2014 whitepaper by Bruce Borkosky, Psy.D., for MalvernGroup Incorporated:
1. If you can find a way to comply with both the state law and HIPAA, then do so.
Resource: The newly released HHS information is available at www.hhs.gov/ocr/privacy/hipaa/understanding/special/mhguidance.html.
2. If your state laws are silent on the matter, then follow HIPAA.
3. If the state law gives the patient greater rights or greater information, then follow state law.
4. If the state law is in conflict with or contrary to HIPAA, then you have a dilemma and you may need to seek legal advice.