Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.
Managing Mental Health and Substance Abuse Records Accessing Using Protecting Sharing Chris Simons, MS, RHIA This information does not constitute legal advice. Consult your organization’s legal counsel for answers to specific privacy and security questions.
Is it really that different? Unfortunately, YES While most providers have become accustomed to the idea that medical records will be accessed by their patients, many are reluctant to release so called “sensitive information” Patients have unrealistic expectations of privacy- and we encourage them!!
STIGMA Stigma and discrimination against people with mental illnesses leads others to avoid living, socializing or working with, renting to, or employing people with mental illnesses. It leads to low self-esteem and hopelessness. And it deters the public from seeking and wanting to pay for care. Worst of all, it often causes people with mental illnesses to become so embarrassed or ashamed that they conceal symptoms—and avoid seeking the very treatment, services, and supports they need and deserve. --Substance Abuse and Mental Health Services Administration (SAMHSA)
Ask yourself-- • Would I hire someone with a mental illness? • Would I vote for someone with a mental illness? • Would I think differently of the person sitting next to me if I knew they had a mental illness or SA problem? • If you feel that way, imagine the rest of the public?
People with mental illness and SA • Are denied/lose jobs • Are denied loans • Are perceived as weak, or lacking self control • Are denied and/or lose housing • Feel they will not be taken seriously when they present for care- they will be written off as “crazy” • May in fact have trouble getting appropriate care (especially needed pain medications) • Studies show people are afraid to seek help- info will go right to their medical file
Information MUST be protected, but also we need to know it to treat patients • Patient safety concerns with incomplete medication lists are a particular concern • Minimum Necessary • Need to know
What does the LAW say? • Varies from state to state • Federal law protects substance abuse treatment records- but definitions vary High % of SA and MH in primary care and ED records • NO federal protection for MH records, contrary to what most believe
But what about “Psychotherapy Notes”? • HIPAA Concept • Confusion abounds • Records must be kept separately and cannot be used to substantiate treatment or billing • When was the last time you met a provider who was willing to document twice?
Laws Govern Handling PHI • Maine • 1711C • HIV • Rights of Recipients of Mental Health Services (Adult and Child) • Federal • CFR 42 (substance abuse treatment) • HIPAA • ARRA and HITECH
Do all these laws agree? • R U Kidding? • Follow the law that provides the strictest protection to be safe • Remember, “When in doubt, don’t give it out.”
Bottom line- Key concepts are Patient Autonomy and Informed Consent • Patient/LAR is in the driver’s seat and must know what you are doing with his/her information, as well as approve it, in almost all circumstances (we will discuss exceptions later) • Do YOU know what is being done with your medical records/PHI? • TPO • Health Info Net • Data clearinghouses • Insurers • CMS/Medicaid
Getting the information you need to treat your patient • Proper written authorization required in nearly all circumstances, including for treatment • Should include: • Patient name, DOB or SSN (careful here), signature, date • Right to refuse, revoke, review, restrict and receive a copy • Specific information to be released (include name of organization) • Specify the BIG Three- SA, MH, HIV • Expiration date • Specify who is getting/releasing info, but ok to include more than one- again, patient consent is the key
So, before beginning treatment • Notice of Privacy explains (get written acknowledgement of receipt) • Consent explains (update yearly) • Conversation between patient and provider explains (include limits) Document! • Patient Rights handout explains • Consider separate NOP and Consent for those patients referred for MH Care • Release of Information for explains and authorizes • Opting out- important to determine exactly how you will handle this– and follow your procedures • OCHAs, RIOs, HIEs and more…
Creating/Using the Information • Must specially protect MH, SA and HIV info, but not necessary keep separately • Again, pt in driver’s seat and fully informed • Remember special insurance concerns (Mental Health “Carve Outs”)
Ideas for documenting MH and SA issues in Primary Care records Goal is to easily ID MH notes to avoid releasing improperly • Different color paper for MH notes • Stripe down the side of the sheet • Separate filing system –good idea? • Separate section in the record-? • Good documentation practices- very important • Could use HIPAA’s psychotherapy notes for more detail but they must be kept SEPARATELY
All Notes should: • Be Specific • Be Objective • Avoid mentioning others by full name • Content sufficient to support billing and communicate w/providers but not more than is needed • Assume your patient or his lawyer will read your notes • Adopt templates and other practices to help segregate (but careful here- cut and paste and auto-populate are problems • Train your providers on good documentation practices • The Seinfeld Note
Electronic protections • Special flags an option • HIPAA requires audit trails and training • Role based access and “need to know” • New fed law may require encryption of PHI
Protecting the information • All PHI should be locked when not attended (watch out for cleaning crews) • All staff need documented Privacy and Security Training and Confidentiality Statements- suggest annual updates- and now Red Flag Training and Training on Breach Reporting • All organizations must have Privacy and Security Officers (can be same person) • Update those BA agreements
More Protections • Watch out for: • Faxing • Emailing • PDA’s • Cell Phones • Lap tops • Copies leaving the building • Trash • Appointment reminders • Disgruntled employees • Telecommuters
Incidental disclosures- HIPAA requires you minimize these and document a risk assessment • Interesting stories in and outside the office • Keep discussions private and confined to those who need to know • Don’t forget minimum necessary • Privacy screens at work stations • Don’t let paper pile up on printers/faxes • Seeing patients in the community
Sharing Your information • All release of information standards apply plus extra protections • Release must SPECIFICALLY say MH records (as well as SA and HIV if appropriate)
Common Concerns- Pt Rights • Right to Review -rare to deny- no need for physician review in most cases • Use copy charge as a way of limiting amount released, if you want • Never leave patient alone with record • If on your staff, use proper procedures for all • Use good documentation practices- assume patient will read anything written (along with many others!) • The right to amend • The right to restrict • Right to revoke • Accounting of disclosures • Breach notification
Minors • Legal interpretations differ • Generally, if minors may consent for treatment, they may also consent to release info for that treatment- be PROACTIVE in OP setting • Don’t promise privacy– any record can be obtained with a court order • Don’t forget the bill • You have some wiggle room under the law to share w/parents if dangerous behavior
Divorce • ME law- both bio parents have equal rights in absence of order • Document your advice to include the other partner in decision making, if appropriate. • Remind parents that you are health care organization, not a court room!
Interested Parties • Step parents have no legal rights but can get a release • Babysitters, foster parents, grandparents, all can get a letter authorizing treatment • Consider witnessing phone consent if necessary • Deceased patients- ask for proof that requestor is the Personal Representative unless absolutely clear who that is
Law Enforcement/Child Protective/DHHS/Schools • Must follow the ROI rules just like everyone else, or get a court order • You must respond to a subpoena, but not necessarily with the record (Investigative subpoenas you must respond to unless Substance Abuse) • Be very careful here– releasing info can have a serious impact on a person’s life. Get legal advice if not sure.
Mandatory Reporting • Document following mandatory reporting rules • Whenever possible include patient in discussion- rarely should you report anonymously • Release not required by law, but document • Distinguish between MAY report and MUST report
Destroying PHI No special rules about destroying MH/SA records– but be sure to do it confidentially as with any records Do your policies cover destroying ESI? (electronically stored info?)
What a wonderful time to be in Healthcare!!! • Questions?