HIPAA and Mental Health Information: Know the Law

by Linda A. Malek and Brian Krex

The privacy regulations promulgated pursuant to the Health Insurance Portability and Accountability Act of 1996 (the privacy regulations) will clearly have a tremendous impact on most healthcare entities. However, the effect of the privacy regulations on mental health providers with respect to confidentiality of mental health information may be felt less strongly, as this type of sensitive information is generally already well protected. The question for mental health providers will not be simply “how do we comply with the privacy regulations?” but instead, “how do we identify both federal and state law, and how do we choose which law to comply with?” The issue of whether state law is preempted by, or is more stringent than, the privacy regulations is very important when looking at individually identifiable information that pertains to mental health. As you may know, the privacy regulations do not preempt state law that is “more stringent than” federal law.

What’s the Difference?

The privacy regulations do not distinguish mental health information from the general rule that allows a provider with a direct treatment relationship with a patient to use or disclose protected health information (PHI) for treatment, payment, or healthcare operations without any particular legal permission, except in the case of psychotherapy notes. The privacy regulations define psychotherapy notes as “session” notes, or notes made for the benefit of the therapist during a session, whether individual or group, and whether written or oral. With very few exceptions, the privacy regulations do not allow a covered entity to use or disclose psychotherapy notes for any purpose without a patient’s authorization, and the covered entity must keep the notes separate from the rest of the patient’s medical record.

Each covered entity will need to undertake a preemption analysis to determine what laws and regulations apply to the mental health information it may wish to use or disclose. The privacy regulations preempt “contrary” state law that relates to the privacy of health information. Contrary generally means that a covered entity would find it impossible to comply with both the state and federal requirements. The privacy rule does not preempt state law that is “more stringent” than the privacy rule. More stringent generally means that with respect to a use or disclosure, the state law would prohibit or restrict a use or disclosure that would be permitted by the privacy regulations.

A state law is also more stringent if it generally gives individuals greater rights regarding their health information. A state may request that a provision of state law not be preempted by submitting a request to the secretary, based on the above criteria.

What Does the Law Say?

To illustrate how a preemption analysis might be performed, we will examine relevant New York state laws regarding mental health information. New York law already places a high priority on the confidentiality of mental health information. New York’s Mental Hygiene Law section 33.13 protects the confidentiality of clinical records that are maintained at facilities licensed or operated by New York’s Office of Mental Health (OMH) or the Office of Mental Retardation and Developmental Disabilities (OMRDD). These state offices prohibit the release of the clinical record, including the identification of patients or clients or clinical information tending to identify patients or clients, to any person or agency outside of the offices without the written consent of the patient except to specifically enumerated individuals or agencies.

Both the privacy regulations and New York law allow disclosures pursuant to legal permission. The privacy regulations allow disclosures with authorization if the health information is psychotherapy notes but do not generally otherwise require legal permission in order to use or disclose PHI for treatment, payment, or healthcare operations. However, New York law requires a patient’s consent to release a clinical record except in certain specified instances. The disclosure may be made only to persons or entities that have a demonstrable need for such information, provided that disclosure will not reasonably be expected to be detrimental to the patient, client, or another (this does not include disclosures to a patient or client).

The New York law and the privacy regulations are clearly contrary here, but which is stricter? Certainly the New York law adds additional layers to the requirement of the privacy regulations, because under the privacy regulations there is no need to ascertain whether a person or entity has a “demonstrable need” for the information, nor does it require the additional analysis of whether the disclosure would be detrimental. Under the privacy regulations where any legal permission is required, authorization is all that is necessary, and the additional steps required by New York law are not required. However, the difficulty in this analysis is that if the information to be disclosed included psychotherapy notes, a covered entity would be required to have an authorization under the privacy regulations, which is arguably more protective of the individual than the consent required under New York law. Therefore, in this instance, New York law may be preempted.

However, if the PHI did not include psychotherapy notes, the New York law would be more protective, since New York law would generally require consent to use or disclose the information even in some instances in which the HIPAA privacy regulations would not require consent. For example, even though New York law generally does not require consent for most treatment and payment purposes, certain activities that constitute healthcare operations under the privacy regulations, such as disclosure of PHI to auditors that are not government oversight entities or their designees, or disclosure to non-governmental entities for certain business planning and development purposes, would likely require consent under New York law, while the privacy regulations would not generally require any form of legal permission. In these examples, because New York law would be more protective of the patient, it would probably not be preempted by the privacy regulations.

Next Steps

In order to determine how to deal with uses and disclosures of mental health information while taking into account the privacy regulations and your state’s law, your organization should take the following steps:

  1. Examine your state’s law on clinical record confidentiality generally and determine, as a rule of thumb, whether the state law dealing with mental health information is more protective of individuals whose medical information is at issue or imposes stricter penalties for violations than do the privacy regulations.
  2. Coordinate with your state’s oversight agencies as these agencies will likely be in the process of analyzing preemption issues or requesting letter opinions as part of their analysis.
  3. Determine whether your state has laws that specifically address psychotherapy notes and if so, whether your state’s laws on this issue are more restrictive than the psychotherapy notes requirements of the privacy rule.

Linda A. Malek is a partner at Moses & Singer LLP in New York, NY, and chair of the healthcare practice group. She can be reached via e-mail at lmalek@mosessinger.com. Brian Krex is an associate in the firm’s healthcare practice group.


Article citation:
Malek, Linda A., and Brian Krex. "HIPAA and Mental Health Information: Know the Law." In Confidence 10:11 (November 2002), p.1-2.