Federal Privacy Regulations (HIPAA): What Mental Health Counselors Need to Know 

What do the new privacy regulations do? 

The privacy regulations establish that personal health information must be kept confidential. The regulations are designed to safeguard the privacy and confidentiality of a consumer’s health information, particularly in this age of rapid advances in technology and the subsequent ease with which information can be transmitted. The regulations establish a baseline of patient/client protections by defining the rights of individuals, the administrative obligations of covered entities, and the permitted uses and disclosures of protected health information. State laws that are stronger than the HHS privacy rule will remain in effect. In addition, state legislatures are afforded the opportunity to enact stronger protections in the future. 

When will I have to comply with the regulations? 

“Covered entities” had until April 14, 2003, to implement the HIPAA privacy regulations and come into compliance. Under the regulations, failure to comply can result in civil and criminal penalties for covered entities; however, clients were not given the right to sue for violations of the regulation. 

Who or what is a “covered entity” under the regulations? 

A health care provider who transmits health/behavioral health claims-type information electronically. The definition includes practitioners, such as those in agency or private practice. 
Note: Although many mental health counselors currently do not transmit health claims–type information electronically, thus not meeting the definition of a covered entity, it is likely that over the next few years, this will become a standard and expected industry practice. AMHCA advises members to consider this as they review their status as a covered entity. 

A health plan—includes HMOs, health insurers, group health plans (except a group plan for an employer with fewer than 50 employees and which is also self-insured). 

A health care clearinghouse—defined in the rules as “a public or private entity, including a billing service, repricing company, community health management information system or community health information system, and “value-added” networks, that does either of the following functions: (1) Processes or facilitates the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction. (2) Receives a standard transaction from another entity and processes or facilitates the processing of health information into nonstandard format or nonstandard data content for the receiving entity.” 

The HIPAA regulations require that covered entities maintain contracts with their business associates that essentially bind the business associates to the same privacy practices of the covered entities. Business associates are defined as individuals who receive health information from a covered entity or on behalf of a covered entity. Examples include a copy center, a contracted phone answering service, an accountant reviewing books, auditors, quality assurance/utilization review services, or other contracted services that might interact with protected health information. 

What information is protected by the privacy regulations? 

Protected health information includes information about a person’s health, health care, or payment for health care (the term “health” includes mental health and behavioral health issues) that identifies a person and is created or received by a covered health care plan or provider. All medical records or other individually identifiable health information held or disclosed by a covered entity in any form (electronically, on paper, or orally) is covered by the final regulation. 

How is this information protected? 

Protected health information may not be disclosed by a covered entity without the informed and voluntary written consent or authorization of the client. Client information can be used or disclosed by a covered entity only for purposes of health care treatment, payment, and operations. Disclosure must be limited to the minimum amount necessary for the purposes of disclosure, with the exception of transferring records for treatment, when providers need access to the full record to ensure quality care. 

Health care providers may condition treatment on obtaining client consent of protected health information for the purposes of treatment, payment, and health care operations. Similarly, health plans and health care clearinghouses also may condition enrollment on the client’s provision of a consent to disclose protected health information for the purposes of treatment, payment, and health care operations. 

What are the client’s rights under these new regulations? 

  - Clients have a right to access their medical records and are entitled to see and copy their records and request amendments. A history of disclosures of protected health information must be made available to clients on their request.

  - Clients have a right to request a restriction on the use and disclosure of their protected health information for the purposes of treatment, payment, or health care operations.

  - Covered entities are required to provide clients with a clear, written explanation of how their protected health information can be used and disclosed.

Administrative Requirements for Covered Entities 

  Covered entities are required to: 

 - designate a privacy official who will develop and implement the privacy policies and procedures of the
 - develop policies and procedures designed to ensure that covered entities are in compliance with the standards and requirements of the privacy rule.
 - maintain a record of all versions of their privacy policies and procedures, along with any complaints filed and disclosures of protected health information, for six years.
 - provide privacy training to the workforce. Staff must be trained by the compliance date (April 14, 2003).
 - develop a system of sanctions for employees who violate the entity’s policies.
 - meet documentation requirements.
 - provide written notice of privacy practices in plain English. The notice of privacy practices must include a description of the client’s rights; describe anticipated uses and disclosures of information that may be made without authorization; identify a contact person in the event of a complaint; and inform of the right to register a complaint with the secretary of HHS. This notice must be posted in a visible location, and a written copy must be given to clients at their first visit after the compliance date.

Are there circumstances under which protected health information may be disclosed without a client’s consent or authorization? 

Yes. There are a number of exceptions under the regulations that allow for disclosure of a client’s protected health information without client consent or authorization. Some permitted HIPAA disclosures are: 

  - when mandated by law
  - permitted disclosures for public health activities (such as reporting diseases, collecting vital statistics, etc.)
  - disclosure about victims of abuse, neglect or domestic violence 
  - health oversight activities 
  - disclosures for judicial or administrative proceedings 
  - disclosures for law enforcement purposes 
  - use and disclosure for research purposes 
  - disclosures to avert a serious threat to health or safety. 

The HIPAA regulations are “permissive,” which means that these are the circumstances under the regulations in which health care providers are permitted to disclose protected health information without client consent or authorization. However, other laws (such as state privacy and confidentiality regulations) or a professional code of ethics may require providers to proceed in a different manner. Mental health counselors are expected to adhere to their professional code of ethics when determining whether it is necessary or appropriate to make these permitted HIPAA disclosures. 

Do the same requirements apply to mental health records and to medical records? 

There are stricter requirements for mental health records than for other medical records. 

“Psychotherapy notes” are afforded special privacy protections under this regulation. Ordinarily, a written client consent is required before psychotherapy notes can be disclosed to anyone. 

A health plan may not condition a client’s enrollment or eligibility on the provision of the client’s authorization or consent for disclosure of psychotherapy notes. 

Psychotherapy notes are excluded from the provision that gives clients the right to see and copy their health information. 

How are psychotherapy notes defined? 

Psychotherapy notes are defined in the regulation as “notes recorded (in any medium) by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of the individual’s medical record.” 

The definition of psychotherapy notes excludes medication prescription and monitoring, counseling session start and stop times, modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: diagnosis, functional status, treatment plan, symptoms, prognosis, and progress to date. 

What are the circumstances when psychotherapy notes can be used or disclosed without authorization or consent from the client? 

The regulation allows limited uses/disclosures without consent or authorization in the following circumstances: 

  - when required for enforcement of the regulations by HHS 
  - when mandated by law 
  - when needed for oversight of the provider who created the psychotherapy notes 
  - when sent to a coroner or medical examiner 
  - when needed to avert a serious and imminent threat to health or safety.

What do I need to do as a Mental Health Counselor? 

First, determine if the regulations apply to you: 

If yes, 

  - Start and maintain a file of information about the privacy regulations. 

  - Get a copy of the privacy regulations (see References) and check appropriate Web sites periodically to download updates and implementation guidelines. HHS has indicated that they will develop and issue guidelines on the privacy regulations.

  - Review record keeping policies and procedures including those for psychotherapy notes, if 

  - Set a time frame and establish a plan to meet the basic requirements of the regulations immediately. This plan should include designating a privacy officer, training staff, and revising or developing appropriate consent and authorization forms.

If no, 

  - Continue to monitor your status and stay abreast of current developments in the HIPAA 

  - Questions about interpretation or application of the regulations can be addressed to HHS directly by calling 1-866-627-7748, 1-866-788-4989 (TTY) or submitting an email to: ocrprivacy@os.dhhs.gov.

  - Questions about state law (such as whether a state privacy law is more protective than the federal regulation) should be addressed to the Attorney General for New York State.

To view the regulation in its entirety, go to http://www.hhs.gov/ocr/hipaa/.