Pediatric Coding Alert

Patient Privacy:

Patient Satisfaction Survey Could Belie HIPAA Breach

Sometimes, just being associated with a certain practice is considered a breach.

Sure, you know it’s against the HIPAA rules to leave a message with a patient’s boss about the patient’s lab results—but that’s just the tip of the privacy iceberg. In fact, when it comes to especially sensitive health data, simply disclosing that a person is associated with a particular facility that provides certain services is enough to qualify as a HIPAA breach.

This can be particularly true when your pediatrician is treating a patient for mental health issues, eating disorders, addiction care, birth control counseling, or other ultra-sensitive issues.

Postcards Are Just Not a Good Idea

Case in point: In February, the Ohio Department of Mental Health and Addiction Services (OMHAS) mailed out survey postcards to its patients requesting feedback on its services. OMHAS sent out these surveys annually to solicit feedback from its patients who’ve sought addiction or mental health treatment.

In fact, OMHAS mailed out two different satisfaction surveys, which displayed patient names and addresses, as well as a request to participate in the survey regarding the services they received through OMHAS, local news outlet WDTN reported. OMHAS didn’t place these postcards in sealed envelopes, so anyone could see the protected health information (PHI) on the postcards.

OMHAS has sent these mailings for the past five years, exposing the PHI of about 59,000 patients during that time. Even though the survey postcards didn’t state what types of services the individuals received from OMHAS, the mailings revealed that the individuals had received or were receiving treatment for mental health or addiction issues.

On April 22, OMHAS Director Tracy Plouck issued an apology for the breach (see http://mha.ohio.gov/Portals/0/assets/News/pressReleases/20160422-Media-Notice-Privacy-Breach.pdf) and stated that OMHAS is conducting “a thorough review of its internal processes and policies relating to consumer outreach and data use to assure better oversight and protection of health information, including additional training for all department staff members.”

Pediatricians who perform mental health services should certainly be aware of the implications of mental health disclosures, and following a few simple best practices can keep you on the right side of the HIPAA laws.

Know When It’s a Breach

One lesson you can learn from this breach case is that “even if your establishment is not disclosing the actual mental health data and treatment plans, you are still at risk for a privacy breach,” warns Kristen Marotta, an attorney with Nixon Peabody LLP. “Here, patient ‘association’ with mental health treatment was sufficient to flag the situation as a data breach.”

HIPAA regulations would consider this a privacy breach that triggers notification not only to the individuals affected by the breach, but also to HHS and the media.

Mental Health Notes Require Additional Protection

Not only is mental health information considered to be PHI under HIPAA, but psychotherapy notes also require even greater protection, Marotta stresses. Psychotherapy notes include notes recorded by health care professionals to analyze conversations during private, family, or group counseling sessions.

“Specific patient authorization is almost always required under HIPAA for the release of these notes to any type of entity, due to the fact that these notes contain highly sensitive information that may not be related to the patient’s diagnosis or treatment plan,” Marotta explains.

Always Beware of Stricter State Laws

You should understand your state laws regarding mental health information, too.

“Healthcare professionals should be mindful that, in addition to HIPAA, many states have enacted statutes that impose stricter protections for the privacy of mental health records,” Marotta says. “Some of these state laws require specific language in patient authorization documents for the release of mental health records and may limit the entities to which such records can be disclosed.”

Promote Privacy to Reduce the Stigma

Finally, the better you can protect individuals’ mental health-related PHI, the more confident they may feel in seeking needed mental health treatment and addiction services.

“The privacy of mental health data is crucial in making patients feel comfortable seeking mental health treatment, given that there is still a stigma associated with seeking such treatment,” Marotta notes. “Thus, in order to encourage people to seek the professional attention they need, it is important that these patients trust that their mental health information will be protected.”

Lesson learned: “As demonstrated by this case, as well as the other recent mental health breaches by Veterans Affairs facilities, the stigma extends to even the association of an individual with a mental health facility,” she adds.