CONFIDENTIALITY OF CLIENT RECORDS AND INFORMATION
Many proponents of integrated behavioral care feel that maintaining a single medical chart is essential for intra-agency collaboration, but a myriad of regulations along with, in some instances, privacy concerns of behavioral health clientele has made this option complex.
Because federal and state laws governing confidentiality of medical records for California are complicated and sometimes contradictory, we will not offer conclusions here, but will simply reference applicable statutes and regulations. The only advice we can proffer is that, as a general rule, the best approach is to obtain clients’ consent before any disclosure is made.
To shed light on this complex area, we have included an article regarding medical records confidentiality requirements for primary care clinics in California by health care attorney Elizabeth Saviano. Another guide for healthcare information-sharing has been developed by the Pennsylvania Department of Public Welfare. Inclusion of these resources in this website should not imply endorsement by IBHP of their contents; rather we are furnishing it simply for informational purposes to response to the great demand for information in this area. California clinics are advised to check with their own legal counsel about adherence to state and federal requirements and/or purchase the Mental Health Law Manual, a comprehensive analysis of these issues by the California Hospital Association.
Bi-Directional Exchange of Information (between primary care and mental health agencies): In 2011, Kathy Reynolds, then Executive Director of the SAMHSA-HRSA Center for Integrated Health Solutions, offered this advice:
The Health Insurance Portability and Accountability Act does allow the sharing of information between organizations for the purpose of healthcare coordination. In order to feel comfortable with sharing information under HIPAA, partnering organizations often become Organized Health Care Delivery Systems (OHCDS). Section 160.103 of HIPAA describes this arrangement. Specifically the law allows:
"A clinically integrated care setting in which individuals typically receive health care from more than one health care provider or an organized system of health care in which more than one covered entity participates, and in which the participating covered entities:
- Hold themselves out to the public as participating in a joint arrangement; and
- Participate in joint activities that include at least one of the following:
- Utilization review, in which health care decisions by participating covered entities are reviewed by other participating covered entities or by a third party on their behalf;
- Quality assessment and improvement activities, in which treatment provided by participating covered entities is assessed by other participating covered entities or by a third party on their behalf; or
- Payment activities, if the financial risk for delivering health care is shared, in part or in whole, by participating covered entities through the joint arrangement and if protected health information created or received by a covered entity is reviewed by other participating covered entities or by a third party on their behalf for the purpose of administering the sharing of financial risk."
To become an OHCDS, the respective chief executive officers send letters to each other confirming their intent to hold themselves out as an OHCDS and identifying the utilization review or quality assessment and improvement activities in which they will jointly participate. To solidify this arrangement organizations then often change their privacy statements to reflect the OHCDS and may add language to all consents to treatment reflecting their partnerships and with whom they will be sharing healthcare information.
Exchange of Substance Use Information: Ms. Reynolds (see above) provided this information:
42 CFR Part II defines the parameters for sharing substance information for organizations that hold themselves out as substance abuse treatment providers. The Substance Abuse and Mental Health Services Administration's Center for Substance Abuse Treatment actively addresses issues related to the sharing of substance abuse treatment information under 42 CFR Part II. However, if organizations enter into a Qualified Service Agreement (QSA), they are often required to share needed substance abuse information for healthcare coordination. The key resources to review as you develop your QSA include SAMHSA's Frequently Asked Questions: Applying the Substance Abuse Confidentiality Regulations to Health Information Exchanges and The Confidentiality of Alcohol and Drug Abuse Regulation and the HIPAA Privacy Rule: Implications for Alcohol and Drug Abuse Programs- June 2004. The latter is a valuable review of the linkages between HIPAA and 42 CFR Part II and helps agencies understand the elements of a Qualified Service Agreement.
Information-Sharing at School-Based Health Centers: Information about confidentiality as it applies to school-based health centers can be found in the SCHOOL CONNECTION section of this website.
APPLICABLE FEDERAL STATUTES
Health Insurance Portability and Accountability Act of 1996 (HIPAA), Standards for Privacy of Individually Identifiable Health Information (45 CFR Parts 160 and 164) covers all health recording, including mental health, and gives enhanced protections for psychotherapy notes.
42 CFR Part 2, is the federal statutory authority for confidentiality of alcohol and substance abuse patient records. In 2004, SAMHSA published an explanation of its confidentiality provisions and their implications for alcohol and substance abuse programs. More recent, readable and relevant is SAMHSA's guide for Applying the Substance Abuse Confidentiality Regulations to Health Information Exchange, in the format of frequently asked questions.
For an official report on “Privacy Issues in Mental Health and Substance Abuse Treatment: Information Sharing Between Providers and Managed Care Organizations”, click here.
The Office of the National Coordination for Health Information Technology has published a Guide to Privacy and Security of Health Information which addresses confidentiality as it relates to IT systems, patients' individual rights and provider responsibilities.
GOVERNING CALIFORNIA STATUTES
The Confidentiality of Medical Records Act (CMIA), as delineated in California Civil Code 56 et seq., covers all California providers of health care and health care service plans, and specifies the conditions under which medical information can be disclosed. To access these statutes, click here.
The Lanterman Petris Short Act also specifies the conditions under which medical information may be released. For its provisions, check California’s Welfare and Institutions Code, particularly in Section 5328, which can be found at by clicking here.
Other applicable laws are found in the Information and Privacy Protection Act (Insurance Code Section 791 et seq.), and the Information Practices Act (Civil Code Section 1798 et seq.).
Another set of California laws, The Patient Access to Health Records Act, contained in Health and Safety Code Sections 123110 et seq., is discussed in the helpful Consumer Guide To Health Information Privacy in California promulgated by the California Office of Privacy Protection. Providers as well as clients may benefit by this easy-to-comprehend discussion of confidentiality laws.
The following is taken from footnotes in The Consumer Guide to Health Information Privacy in California. Note that requirements of the Welfare and Institutions Codes are omitted from reference:
- For notice, see HIPAA, 45 CFR § 164.520. Also on notice, see California Civil Code Section 1798.17, which applies to state agencies.
- For use and disclosure of health information for treatment, payment, or healthcare operations, see HIPAA, 45 CFR § 164.506, and California Civil Code Section 56.10 subdivision (c)(a).
- For disclosure limits, see HIPAA, 45 CFR § 164.502, and California Civil Code Section 56.10.
- For confidentiality of HIV test results, see California Health & Safety Code Sections 120975-121125.
- For confidentiality of psychiatric records, see California Civil Code section 56.104. Also see HIPAA, 45 CFR § 164.50, 1 for definition of “psychotherapy notes” and 45 CFR § 164.508 subdivision (a)(2) for authorization requirements for use or disclosure of psychotherapy notes.
- For authorization, see HIPAA, 45 CFR § 164.508, and California Civil Code Section 56.11.
- For limits on use and disclosure for treatment, payment or healthcare operations, see HIPAA, 45 CFR § 164.522 subdivision (a).
- For confidential communications requirements, see HIPAA, 45 CFR § 164.522 subdivision (b).
- For disclosure to employers, see HIPAA, 45 CFR § 164.512 subdivision (b)(1)(v), and California Civil Code Section 56.20.
- For accounting of disclosures, see HIPAA 45 CFR § 164.528, and California Civil Code sections 1798.25 and1798.28.
- For marketing use, see HIPAA 45 CFR § 164.508 subdivision (a)(3), California Civil Code Section 56.10 subdivision (d), California Health & Safety Code Section 123148, and California Insurance Code Sections 791.13subdivision (k) and 791.05.
- For access to records, see HIPAA, 45 CFR § 164.524, California Health & Safety Code Section 123110subdivision (a), and California Civil Code Section 1798.32.
- For copying records, see HIPAA, 45 CFR § 164.524, California Health & Safety Code Section 123110subdivision (b), and California Civil Code Section 1798.33.
- For amending records, see HIPAA, 45 CFR § 164.526, California Health & Safety Code Section 123111, and California Civil Code section 1798.35.
- For complaints under HIPAA, see 45 CFR § 164.530 subdivision (d). HIPAA complaints must be filed with the Office of Civil Rights within 180 days of the date when the complainant knew or should have known of the violation (45 CFR § 160.306).
- For remedies for improper use of information by California providers, see California Civil Code Section 56.35; for violation of access rights, see California Health & Safety Code Section 123120 and for remedies for violations by state agencies, see California Civil Code Sections 1798.45-1798.57.