U.S. Representative Tim Murphy (R-PA) has been a vocal advocate for mental health reform for a number of years.  Part of his crusade is driven by his concern that the HIPAA privacy rule “routinely interferes with the timely and continuous flow of health information between health care providers, patients, and families, thereby impeding patient care, and in some cases, public safety.”  Congressman Murphy’s efforts have resulted in the inclusion in the recently-passed 21st Century Cures Act of a provision entitled “Compassionate Communications on HIPAA” targeted at improving understanding of what mental health information can be shared with family members and caregivers.

The 21st Century Cures Act streamlines the drug approval process, authorizes $4.8 billion in new health research funding, including $1.8 billion for Vice President Joe Biden’s “cancer moonshot” and $1.6 billion for brain diseases such as Alzheimer’s, and provides grants to combat the opioid epidemic.

Of most interest to readers of this blog, the Act also calls for the Department of Health and Human Services (HHS) to clarify the situations in which HIPAA permits health care professionals to communicate with caregivers of adults with a serious mental illness to facilitate treatment.  By December 13, 2017, the Secretary of HHS is required to issue guidance  regarding when such disclosures would require the patient’s consent; when the patient must be given an opportunity to object; when disclosures may be made based on the exercise of professional judgment regarding whether the patient would object when consent may not be obtained due to incapacity or emergency; and when disclosures may be made in the best interest of the patient when the patient is not present or is incapacitated.   HHS is directed to address communications to family members or other individuals involved in the care of the patient, including facilitating treatment and medication adherence.  Guidance is also required regarding communications when a patient presents a serious and imminent threat of harm to self or others.  HHS is directed to develop model training materials for healthcare providers, patients and their families.

The law incorporates the Substance Abuse and Mental Health Administration’s definition of the term “serious mental illness” as “a diagnosable mental, behavioral, or emotional disorder that results in serious functional impairment and substantially interferes with or limits one or more major life activities.”

Importantly, the law neither changes existing regulatory exceptions under HIPAA nor directs HHS to modify them.  Instead, it calls for further explanation of existing rules that are often poorly understood by providers, patients and caregivers alike or may actually be used inappropriately to thwart the flow of meaningful and helpful information leading to barriers to effective communication that would benefit patients and improve mental health outcomes.

An existing public safety exception permits a covered entity to use or disclose PHI if the covered entity, in good faith, believes the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public; and the disclosure is made to a person or persons reasonably able to prevent or lessen the threat, including the target of the threat.

The existing exception for caregivers permits disclosures to a family member, other relatives, or a close personal friend of the individual, or any other person identified by the individual, but only regarding PHI that is directly relevant to such person’s involvement with the individual’s health care or payment for care.

PHI may also be disclosed when the patient is present and provides consent, does not object to a disclosure of PHI to another individual accompanying them when given the opportunity to object, or where the covered entity reasonably infers from the circumstances, based on the exercise of professional judgment, that the patient does not object to the disclosure.

Other existing exceptions address emergency situations as well as cases where the patient is incapacitated, and permit disclosure of only the PHI that is directly relevant to the other person’s involvement with the patient’s care or payment.

The new law falls short of Rep. Murphy’s previous legislative proposals.  In 2015, Murphy introduced a bill entitled the Helping Families In Mental Health Crisis Act. which he said would “allow the doctor or mental health professional to provide the diagnosis, treatment plans, appointment scheduling, and prescription information to the family member and known caregiver for a patient with a serious mental illness. This change would apply for those who can benefit from care yet are unable to follow through on their own self-directed care.”   This bill was passed by the House by a wide margin but was not enacted.

While the new law does not expand HIPAA exceptions, it does make it more likely that those exceptions already on the books will be more clearly understood and implemented in cases involving serious mental illness.

President Obama announced a series of Executive Orders on January 4, 2016 to address gun-related violence in America. Among those orders was an initiative to increase mental health reporting to the background check system. But this does not mean that mental health records will be widely released or that anyone who has sought treatment for mental illness will be banned from gun ownership.  It only means that information about individuals who are already prevented from owning guns under current law will be made available for background checks.

A fact sheet released by the administration includes this summary:

Remove unnecessary legal barriers preventing States from reporting relevant information to the background check system. Although States generally report criminal history information to [the National Instant Criminal Background Check System, (NICS)], many continue to report little information about individuals who are prohibited by Federal law from possessing or receiving a gun for specific mental health reasons. Some State officials raised concerns about whether such reporting would be precluded by the Privacy Rule issued under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Today, the Department of Health and Human Services issued a final rule expressly permitting certain HIPAA covered entities to provide to the NICS limited demographic and other necessary information about these individuals.

A Final Rule was posted by the Office of Civil Rights of the Department Health and Human Services (OCR) at https://federalregister.gov/a/2015-33181.  In an announcement posted by OCR, the agency emphasized that this rule is narrowly drawn and applies only to a limited category of covered entities:

The new modification is carefully and narrowly tailored to preserve the patient-provider relationship and ensure that individuals are not discouraged from seeking voluntary treatment. This rule applies only to a small subset of HIPAA covered entities that either make the mental health determinations that disqualify individuals from having firearms or are designated by their States to report this information to NICS – and it allows such entities to report only limited identifying, non-clinical information to the NICS.

The rule does not apply to most treating providers and does not allow reporting of diagnostic, clinical, or other mental health treatment information. [emphasis added]

OCR emphasizes that individuals who seek help for mental health conditions and/or receives mental health services are not automatically legally prohibited from having a firearm, and that nothing in the final rule changes that.

The rule only applies to state agencies or other agencies that are designated by the state to report, or which collects information for purposes of reporting, on behalf of the state, to the NICS; or a court, board, commission, or other lawful authority that makes the commitment or adjudication that causes an individual to lose the right to possess firearms under existing federal law.  It authorizes such agencies to disclose the information only to NICS or an entity designated by the state to report, or which collects information for purposes of reporting, on behalf of the State, to NICS, and permits disclosure of only such limited demographic and certain other information needed for purposes of NICS reporting.  It expressly prohibits disclosure of diagnostic or clinical information for such purposes.

In light of the heightened emotions surrounding any government action relating to firearms, especially as it may involve mental health and HIPAA, it is likely that misunderstandings, exaggerations, misinformation (or even intentional disinformation)  about this limited change will circulate through social media and similar channels.  Healthcare providers and other covered entities should be aware that the rule changes nothing except for certain state agencies and their agents.

 

 

With gun violence and mental health concerns in the headlines, the Office of Civil Rights of the Department of Health and Human Services has published a letter to health care providers clarifying when it is permissible to reveal PHI when a patient is reasonably believed to present a serious danger to himself or others.   The long-awaited HIPAA Omnibus Rule, finally released yesterday, also addresses concerns about how to balance patient privacy with public safety.

Long before HIPAA, court decisions have supported the right, and the duty, of health care providers to reveal a patient’s health information where it may be necessary to protect the patient or the public from identifiable risks of harm.  The seminal case is the 1974 decision of the California Supreme Court in Tarasoff v. the Regents of the University of California. In that case, the family of a murder victim brought suit based on the failure of the university psychologist who had treated her killer to warn her that he had threatened her life during therapy sessions. The psychologist had recommended that the patient be hospitalized and did inform campus police, but he was not deemed dangerous enough to detain involuntarily, and later carried out his plan.   This landmark case established a duty of health care providers to warn potential victims and the authorities when an individual makes a credible threat of violence.  Most states follow the Tarasoff rule, either by statute or case law.

As the recent OCR letter indicates, the HIPAA rule permits disclosures in similar situations. 

When a health care provider believes in good faith that such a warning is necessary to prevent or lessen a serious and imminent threat to the health or safety of the patient or others, the Privacy Rule allows the provider, consistent with applicable law and standards of ethical conduct, to alert those persons whom the provider believes are reasonably able to prevent or lessen the threat. Further, the provider is presumed to have had a good faith belief when his or her belief is based upon the provider’s actual knowledge (i.e., based on the provider’s own interaction with the patient) or in reliance on a credible representation by a person with apparent knowledge or authority (i.e., based on a credible report from a family member of the patient or other person). These provisions may be found in the Privacy Rule at 45 CFR § 164.512(j).

Under these provisions, a health care provider may disclose patient information, including information from mental health records, if necessary, to law enforcement, family members of the patient, or any other persons who may reasonably be able to prevent or lessen the risk of harm. For example, if a mental health professional has a patient who has made a credible threat to inflict serious and imminent bodily harm on one or more persons, HIPAA permits the mental health professional to alert the police, a parent or other family member, school administrators or campus police, and others who may be able to intervene to avert harm from the threat.

In the spirit of the "imminent threat" exception, and recalling the famous Tarasoff decision quote, "The protective privilege ends where the public peril begins,"  the Omnibus rule resolves a controversy over when and how student immunization records may be shared with school officials. The rule simplifies the process to permit oral or written authorization to health care providers or other covered entities to supply this information to schools where required by state law for admission. 

The final rule adopts the proposal to The final rule adopts the proposal to amend § 164.512(b)(1) by adding a new paragraph that permits a covered entity to disclose proof of immunization to a school where State or other law requires the school to have such information prior to admitting the student. While written authorization will no longer be required to permit this disclosure, covered entities will still be required to obtain agreement, which may be oral, from a parent, guardian or other person acting in loco parentis for the individual, or from the individual himself or herself, if the individual is an adult or emancipated minor. We believe that the option to provide oral agreement for the disclosure of student immunization records will relieve burden on parents, schools, and covered entities, and greatly facilitate the role that schools play in public health, while still giving parents the opportunity to consider whether to agree to the disclosure of this information.

Documentation of the parental permission is still required, but the form of that documentation is up to the covered entity.  Note that once a school is in possession of a student’s PHI, the school’s handling of those records is governed by the Family Educational Rights and Privacy Act (FERPA), not HIPAA.

The Omnibus rule is described by OCR director Leon Rodriguez as making "the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented."  Many of these changes appeared in the Notice of Proposed Rulemaking published on July 14, 2010.  We will be analyzing these changes in forthcoming posts in the near future.   

In light of the Obama Administration’s initiatives following the Sandy Hook, CT and Aurora, CO tragedies, HHS appears to be responding to criticism of overly restrictive privacy rules that allegedly would have prevented disclosure of mental health information that may have saved lives.  Clearly the current rules permit disclosure of imminent, concrete threats directed at specific targets, and there is no indication that either of the gunmen had expressed any such threats in advance to healthcare providers or otherwise.  Nevertheless, the time may be right to dispel any misinformation about when such threats can be legally communicated to authorities and potential victims.