HIPAA Privacy Rule and Mental Health Records

On May 15, 2014 Representative Tim Murphy, as Chair of the House Energy and Commerce Oversight and Investigations Subcommittee released a  report on the state of mental health services in the U.S., with one of the key findings being that health care providers are not consistently and properly applying the HIPAA privacy rule, causing family members of those with serious mental illnesses to be left in the dark.   In light of the recent shooting in Santa Barbara, this report and Representative Murphy’s bill – Helping Families in Mental Health Crisis- have receive heightened attention.

Congressman Murphy introduced house bill HR 3717, the Helping Families in Mental Health Crisis Act, in December 2013.   According to Representative Murphy’s website, “The Helping Families In Mental Health Crisis Act fixes the nation’s broken mental health system by focusing programs and resources on psychiatric care for patients and families most in need of services.”   Part of Representative Murphy’s bill would broaden the ability of caregivers of those with serious mental health issues to obtain protected health information (PHI).

Title III of the proposed Act specifically addresses the Health Insurance Portability and Accountability Act (HIPAA) and proposes that the caregiver of a person with a serious mental illness be treated as a personal representative pursuant to HIPAA, even if the individual does not give consent to the disclosure, if the individual’s treating provider determines that it is necessary for the health, welfare or safety of the mentally ill individual or the safety at least one other person.

An individual with a serious mental illness is defined in HR 3717 as an individual who:

(A) is 18 years of age or older; and

(B) has, within one year before the date of  the disclosure, been evaluated, diagnosed, or treated for a mental, behavioral, or emotional disorder that—

(i) is determined by a physician to be of sufficient duration to meet diagnostic criteria specified within the Diagnostic and Statistical Manual of Mental Disorders;  and

(ii) results in functional impairment of the individual that substantially interferes with or limits one or more major life activities of the individual.

Currently under the Privacy Rule for HIPAA, a covered entity can share PHI with a caregiver if the patient does not object.  Pursuant to 45 CFR 164.510(b), if the patient is not present or unable to object or consent due to incapacity or emergency, the covered entity may use its professional judgment to determine if disclosure is in the best interests of the individual.  Such disclosures must be directly relevant to the caregiver’s involvement in the individual’s health care or payment related to health care

Notably, if the patient has capacity and objects to the provider sharing information with the patient’s family 45 CFR 164.512(j) allows the covered entity to share information as necessary to avert a serious threat to the health or safety of the patient or others, but only if  doing so is consistent with applicable law and standards of ethical conduct, the covered entity has a good faith belief that the patient poses a threat to the health or safety of the patient or others, and the family member is reasonably able to prevent or lessen that threat.

Following the mass shootings in Newton, CT and Aurora, CO, the Office of Civil Rights (OCR) issued a letter to health care providers in January 2013 to emphasize that 45 CFR 164.512(j) does allow for PHI to be disclosed when a patient presents a serious danger to himself or others.

Furthermore, 45 CFR 164.512(f) allows for a covered entity to disclose PHI to identify or locate a suspect, fugitive, material witness or missing person, provided certain requirements are met.  OCR  provides further information on the disclosure of mental health information here: http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/mhguidance.html.






Speak Your Mind