The Health Insurance Portability and Accountability Act (HIPAA) was designed to provide protection for consumers of health insurance. Specific to mental health, HIPAA promotes the confidentiality of information being passed from one organization to another. By understanding what HIPAA is and how it applies specifically to consumers of mental health services, it will help those seeking out needed information or services.
Definition
According to the U.S. Department of Labor, HIPAA provides certain rights and protections for people who either participate in or are beneficiaries of group healthcare plans. An example would be a married beneficiary who is able to receive health insurance through work. HIPAA rights would extend to the person who is the member and family (spouse or children) covered under that plan. In addition to those rights, HIPAA states that any person who changes from one job to another is immediately eligible for "comparable health insurance coverage." The final piece of HIPAA is the standardization of billing and claims with health insurance, which heavily ties into the changes in privacy policies as a way to ensure that consumers' rights are being protected.
History
HIPAA was passed on August 21, 1996 as an attempt to simplify the process of applying for and receiving coverage, filing claims, identifying the people who are covered and those who are paying for that coverage. Despite HIPAA being passed in its first form back in 1996, the act went through several revisions through congress. The website HIPAA Privacy and Security reports that the final privacy regulations were not issued until December 2000 and went into effect on April 14, 2001. A two-year grace period was granted, meaning by April 14, 2003, all facilities handling any type of medical insurance for any reason had to be in compliance with HIPAA.
HIPAA Privacy Rule
The Department of Health and Human Services (HHS) has a detailed explanation of the HIPAA Privacy Rule. An overview of its contents highlight the key factors in determining what rights and protections apply specifically to mental health. First, both health plans and providers must follow the privacy rule. This means private or state (Medicare or Medicaid) individual or group insurance plans must follow the HIPAA privacy rule.
The same applies to all healthcare providers who electronically submit health information involving eligibility of benefits, claims, authorizations for services and other protected health information that typically involves confidential information involving treatment or conditions. This is defined on the HHS website as documents with "individually identifiable health information." HHS specifies demographic information, such as past, present or future physical or mental health conditions, any care provided, and information regarding payment for services falls under this definition. It is important to note that HIPAA does not protect what is called "de-identified" information, which would mean any document where all identifying information is removed.
Permitted Uses and Disclosures
The purpose behind the HIPAA privacy rule is to limit access to confidential health information. HHS reports there are only two occasions where an entity is required to disclose this information. The first is at the request of the individual, which must be obtained in writing. The second is when HHS is completing a compliance investigation with HIPAA. There are some other exceptions to the above, which will depend on who is being asked to release the information.
Specific to mental health information and rights, information can be disclosed when involving public safety regarding child abuse. This would involve disclosing this information to a government agency authorized to receive the report of that information. The next exception deals specifically with reports of abuse and neglect. It is important to note that mental healthcare providers in each state undergo their own training to become mandated reporters--this means these employees are bound by law to report any suspected child or elder abuse or neglect. The specific laws and training may vary by state.
The third exception is for judicial or law enforcement purposes. HIPAA specifies that information that is requested through a court order can be provided. Information of this nature could pertain either to legal proceedings or an open police investigation. However, there are specific conditions the legal system still has to follow, which include having a court order, the need to identify or locate a suspect, and when that protected health information may be evidence in a crime. The fourth exception pertains to research. The conditions for obtaining information for research include a signed authorization from the owner of that information (the patient or client)--the research must also be approved by a review board prior to conducting the research.
Parents Access to Records
Whether parents have full rights to access their child's medical record depends on whether they are recognized as the "personal representative." In most cases, the parents are the personal representatives and have access to records and can act on the child's behalf. In some rare cases, the parents may not be the personal representatives and then the state of residency must decide whether the parents have access to the records. If a child is at risk in the home due to abuse, neglect or domestic violence, the entity treating the child may not recognize the parents as the personal representative.
Enforcement and Penalties for Noncompliance
HHS indicates the Office for Civil Rights is charged with the responsibility of making sure that all involved organizations follow HIPAA regulations. Monetary penalties are the most common for HIPAA violations, but in some cases violations of the privacy rule can result in criminal charges. It is important to know that if involved in this type of case, the victim has the right to pursue criminal or civil cases.
Monetary penalties after February 2009 can range from $100 to $50,000 depending on the case. If the case involves a violation of the privacy rule, that monetary penalty can increase to $100,000 and be combined with a one-year prison sentence. It is important to note that all participating entities will be notified if they are in violation and can submit evidence refuting the claim. Furthermore, a violation must be seen as a willful neglect in order for a penalty to be imposed.
Tags: health information, mental health, abuse neglect, health insurance, important note, important note that, note that