Compliance Conversations Podcast: The Gray Areas of HIPAA

In our most recent episode of Compliance Conversations, host CJ Wolf M.D. chatted with Brian Burton, Chief Compliance and Privacy Officer for Healthicity. They talked about HIPAA and the highly nuanced field of mental health.

“For a mental health provider, I would hope that in your Notice of Privacy Practices, you would address the unique things that happen in mental health….” CJ Wolf, M.D.

Listen to this episode, “Compliance Conversations with CJ Wolf: The Gray Areas of HIPAA in Mental Health and Substance Abuse,” now or on your commute and learn:

  • HIPAA Best Practices for Group Therapy
  • Substance Abuse and HIPAA Rules for Alerting Family
  • A Patient’s Right to Access in Psychotherapy Notes
  • And More!

Listen Here


Episode Transcript

CJ: Welcome everybody to another episode of Compliance Conversations. I am CJ Wolf with Healthicity, and today’s guest is Brian Burton, the chief compliance and privacy officer for Healthicity. Welcome, Brian.

Brian: Good morning CJ, thank you.

CJ: How are you doing today?

Brian: I’m fantastic, sir. Looking forward to today’s conversation. This is an interesting topic. I love to share with our audience.

CJ: Yes, we’ll talk a little bit about HIPAA, HIPAA chat. Brian has so much experience in HIPAA security privacy. I know just enough to be dangerous, ask the dangerous questions. I’m a pretty good issue spotter. I don’t know that I have chapter and verse at my fingertips all the time.

Question: How do you feel about it, Brian?

Brian: I don’t know that I have chapter and verse; I’ve had some opportunities to look into some potential issues with HIPAA in the past but still rely on the experts and the regulation itself. I find myself going through the law regularly to refer and ensure that I understand, interpret, and apply appropriately.

CJ: Exactly, I have to do that just to double-check myself. I think many people in compliance are a little bit compulsive that way. That’s probably what makes us go into compliance and makes us succeed in compliance as we double and triple-check ourselves sometimes. We don’t want to be wrong.

Brian: Yeah, I couldn’t agree with you more. I keep 45 CFR subpart AB, or C, B, and E up all the time.

CJ: Exactly, got it on speed dial. So today, we thought we’d talk about HIPAA and mental health and HIPAA and substance abuse because I think a lot of us understand the simple, straightforward HIPAA stuff. When you get into mental health, it seems like there are some nuances, you sometimes, and this could happen to any patient, but sometimes patients might be at risk of harming themselves or others, and that happens more in mental health and so what are you allowed to do, those sorts of things.

But let’s first start with a topic that I always wondered about when I started in psychiatry. So a lot of you know I’m an MD by schooling. I started my training in psychiatry before I left clinical to do compliance full time, and one of the things that always came up was when you were doing group therapy. So here you are, a psychologist or a psychiatrist or a therapist, and you’ve got ten (10) people in a group, and they all have slightly different problems. You know group therapy is therapeutic as far as self-awareness and helping people come to acceptance and in some cases change behaviors in others. So some of those skills are shared, and that’s why you do group therapy, but a lot of people have asked:

Question: Are you allowed to talk about the patient's issues?

The short answer, and OCR has an FAQ on this; it says yes, you can. Of course, as a therapist, you’re not going to spill all the dirty laundry, but by the fact that the patient is consenting to group therapy, there’s a lot of leeway there in sharing with the group to talk freely and openly. And I think that’s important, especially for group therapy, and HIPAA should not be a concern.

Question: Brian, do you have thoughts, or have you gotten questions or had issues with that type of scenario?

Brian: I haven’t specifically addressed issues there. Not in a practical sense, but I did have a question for you.

Question: When we’re talking about consent, do mental health providers traditionally have that one-on-one session with the individual, explain the nature of the group setting, and do mental health providers obtain separate consent for group health?

CJ: Absolutely, good question. It’s pretty rare, and I’m not going to say never, but it’s pretty rare that you would do group therapy as your first thing. You’re spot on where first you’re trying to develop a therapeutic relationship with the patient, and first, you have to do a diagnostic exam. You have to figure out what the issues are with the patient first and foremost. So you’re right. When you introduce group therapy, you go through what you just said. You explain to the patient group therapy is designed, and this kind of therapy is designed for cognitive therapy, this one is behavioral, this one is supportive, and so you kind of explain what that group therapy is what it’s going to entail though I’m not aware of a separate HIPAA release that the patient would sign. I think it’s a good practice, and I know therapists that do when the patient is first coming to you, you can have kind of a consent form that says we’re going to be talking about these sorts of things. We are going to get to another topic here about psychotherapy notes, and patients don’t always have access to that as they might have access to their EKG and X-ray and all these other things they are used to getting at their fingertips. So it makes sense to have some sort of explanatory document that says, look, mental health treatment is a little different, these are going to your rights, these are some things you might not have access to, we may do group therapy, and when we do group therapy, we may discuss sensitive issues. So yes, I think you’re spot on, and putting it in writing is always helpful. I think they do it verbally for sure; I’ve seen that as a practice, but always putting it in writing can help prevent claims of, “Oh, you never told me you were going to do this before.”

Brian: Well, I was thinking, well I would imagine that, and again mental health practices aren’t necessarily a strength of mine. I haven’t had a ton of experience in the arena of healthcare. But I would imagine as we’re issuing those notices of privacy practice to those patients that we include if you participate in a group therapy session that’s not necessarily covered through HIPAA. So CJ, I would think once we’ve issued the notices of privacy practice, I would imagine the mental health provider would have that explicit declaration within the notice of privacy practice to talk about what are the conditions of mental health and different mental health scenarios and then help the patient understand that relationship and that group mental health setting is their responsibility to when they’re communicating, that everybody keeps those conversations confidential.

Question: Once that information comes from the patient to another individual who is not the provider, that information is no longer covered by HIPAA, correct?

CJ: Right, so covered entities are bound by HIPAA. Patients are not covered entities and somebody who hears something second-hand is not a covered entity, so they may not be bound by HIPAA. Now they may be bound by good ethics and common sense and those sorts of things, so you’d hope that they wouldn’t share. I’m so glad that you brought up NPP, the Notice of Privacy Practices. How often do we think that’s something we just check off our compliance list when it’s supposed to be unique to your setting because what’s the title of it? It’s a notice of privacy practices. So for a mental health provider, let’s say you’re a mental health hospital or a mental health outpatient intensive care type of service or you’re a psychiatrist or a psychologist. I would hope in your notice of privacy practices you would address some of the unique things that happen in mental health as opposed to if you’re a cardiologist, you might not need to talk about group therapy.

Brian: Exactly, and I think it’s also important to note, as all covered entities, we should be reviewing our notices of privacy practices on a routine basis because the services we offer sometimes change. As we go through the year, we expand or contract the services we offer the patient population. It’s always a good practice to thoroughly read and understand how your particular NPP is applying to your patient population.

CJ: Spot on, and that was one that I wanted to touch on because I think it’s a unique situation to the mental health space, is group therapy. I’m trying to think of other situations where you might be exposed to kind of a group setting in healthcare. Like physical therapy, you’re all kind of in one room where other people are doing physical therapy, so you know other people are there, or maybe you’re in cardiac rehab, and everyone is in the same room, but you’re not really sitting around talking about your issues. One person is on this piece of equipment, the other person is on that piece of equipment, so you don’t really know what they have as far as any issues. Chemotherapy is another good example where if you’re seen by an oncologist, and you get chemotherapy two (2) or three (3) times a week, you’re all sitting in the same infusion room. You kind of know why people are there and what they’re getting, but you’re not talking about your issues unless you volunteer it and a healthcare professional is not engaging us to talk about it.

Brian: Right, and if I could, not to switch subjects on you, but circle back to something you mentioned earlier with the patient's right to access. And it’s like therapy notes; I think sometimes it’d be really helpful for mental health providers to include that specific language in your notices of privacy practice. You are creating that dialogue with the patient, helping them understand what they can access and what we can provide as a covered entity and what we can’t.

CJ: Exactly, and let’s talk about that a little bit Brian because I think a lot of people who are in HIPAA and privacy for a profession are probably aware of it. We might have a lot of listeners who are generalists in compliance and might not know all the details, but psychotherapy notes are specifically excluded, and most organizations, when they designate their medical records set or dataset they, ’ll say psychotherapy notes are not a part of it, but HIPAA specifically says that psychotherapy notes that are kept separate from the medical record are not something that’s required for the mental health provider to provide if the patients say I want to see my whole medical record. Part of the reason for that is, when you’re doing psychotherapy, people can be psychologically fragile and you as a therapist are making notes or planning for your next therapy session and the patient. It’s not this way, but it may seem this way to a patient in a mental health crisis that you’re manipulating them or, and you’re not really manipulating their feelings you’re trying to help them come to some conclusions that you see clearly but they haven’t come to see that yet. So that can be damaging to that therapeutic relationship. Sometimes it can be painful; it can disrupt the relationship, and people can even harm themselves in some extreme cases where they’re alerted to what a therapist thinks about a patient and those sorts of things. It’s really there to protect patients.

Brian: I couldn’t agree more. In those scenarios where patients are seeking help from their mental health provider, those psychotherapy notes can be instrumental to providing the care but to your point, the patient may not understand or interpret the notes correctly. So it’s there to protect the patient, not to hide anything from them but to protect them. And to be perfectly honest, I can only imagine or recall a few scenarios where individuals have exercised their right to access their patient information and then had that specific question of why this part is missing or redacted. What really becomes beneficial to the covered entity, in my experience, is not redacting the information, but thereby your HIM department or health information management team develop those releases of information in a way that the patient gets everything they’re required to have but you’re not creating this confusion by redacting certain documents. You just remove or limit that function, and I know a lot of EMRs today have the psychotherapy note designation so that it can be carved out completely when that medical record is printed or transmitted somewhere else.

CJ: Yeah, and a lot of psychotherapy notes may be handwritten and might not even be in this designated EMR; now, of course, you want to follow your institution's policies and procedures and other laws if it requires you to do that, but I’m aware of some scenarios where these psychotherapy notes are kept secure and protected, but they might physically be separate. It’s kind of an interesting space and I think our listeners need to be aware that those types of exceptions for psychotherapy notes do exist. And it brings me to my next topic or question, which is:

Question: Is that even true for a minor?

So you would think, I’m a mother, I’m a father, my child is ten, eleven, twelve, 16 whatever. Those ages will matter. I’m going to talk about that in a second.

Question: Can I access their psychotherapy notes as their parent or guardian?

And the same answer is not necessarily. So HIPAA allows for the psychotherapist and those notes to be held even from the parent.

Brian: Yeah, at the provider’s discretion, correct?

CJ: Yes

Brian: Determining if the mental health provider concludes that this function or portion of the record should remain confidential from both parent and patient.

CJ: Correct, and that’s a good point. I don’t think HIPAA says you mustn’t release psychotherapy notes. It says you can withhold psychotherapy notes. So there’s that discretion where the therapist could do that if they felt like that would be beneficial.

Brian: Really, I think it goes to the provider’s discretion. There might be portions of the psychotherapy notes that would be beneficial for the patient, but it’s really the mental health provider’s clinical decision making that helps make that determination because ultimately, we’re all here to help serve our patient population and help them get better no matter their ailment, mental health or otherwise, so if there are portions of it that are beneficial than the mental health professional should feel. Well, not obligated but allowed to share certain components if it benefits the patient.

CJ: Exactly, and quite frankly, a lot of psychotherapy notes are notes to the provider, to the professional to say this is where we are in this stage of therapy. We left off with the patient exploring this aspect of the problem, so a lot of those are notes to the therapist. You know they’re working with multiple patients throughout the day, and they’re all at different stages and phases of success in the therapy, so a lot of it is notes to the therapist on where we pick up, and this is where we are in this process.

So, Brian, I wanted to touch on one other thing as we talk about a parent or a guardian and teenagers and minors are specific to mental illness. I found and I’ll include this in the links to the show notes, an interesting help or aid document that’s about four pages from OCR. It’s titled, “When your child, teenager, or adult son or daughter has a mental illness or substance use disorder including opioid addiction. What parents need to know about HIPAA.” It goes through and talks about, as a parent, they say you are your minor child’s representative in most cases, and you can exercise all your child’s HIPAA rights. In most cases, that is true. They do say that some exceptions could prevent you from being your child's personal representative. The first one has to do with your child, and this has to do with state laws, and that’s why it’s important that we keep straight in our minds what HIPAA is covering and what state covers. Your child may have independently consented to a healthcare service, and if that’s true and no other consent is required by law, OCR says your child has not requested you be treated as their personal representative. When children start to become of certain ages, this can vary by state. You might reach a certain age, and this can vary by state. You might reach where they’re not 18 or 21, they may be 16 or 17, and they can actually consent to certain forms of mental health treatment. And in those cases where the child says yes, I also consent to my parents being my personal representative. Those scenarios may be some in which the parents or guardian do not qualify as a personal representative. I don’t know if you’ve dealt with that, and that may be true in some other healthcare situations, not just mental health.

Brian: Correct, and I don’t recall having addressed this on a mental health scenario, but I certainly have when you have teenage pregnancies or potential for sexually transmitted diseases, and there’s a certain state law on those. I love this article; I think it’s fantastic. If I were a mental health provider dealing with these things on a routine basis, I would have printed copies of this to give to the parents and the child. I think it’s just as important to educate the decision-maker, who is of age in this scenario. It’s just as important to educate them, and it is their parents. This is a great resource, and I highly recommend that we include this direct PDF in the show notes, but this is fantastic. It’s evident; it’s not too long because HIPAA can be super boring. But the OCR put together an excellent document here to help individuals, both parent and patient, understand their rights.

CJ: I completely agree. We might not have time to discuss a few others, but we’ll include the links because they’re all short little PDFs. With my compliance hat on and my trainer hat on, I thought these would make a great little in services. If you’re in a practice or a type of hospital that deals with mental health issues, maybe take one of these a month, and over six months, you just talk about them. They can be 5 minutes or 10-minute discussions, but they’re little reminders, and as you said, you print off their aids to help you inpatient. They’re great tools. As you said, they’re not written with a regulatory tone; they’re much more user-friendly, in my opinion.

Brian: And I love your idea about education. Whether you’re a mental health provider joining us today or you’re a HIPAA professional joining us today, these are great opportunities. CJ highlights the importance of continuing and frequent education. These are perfect examples of things that you could issue in a standing meeting with your management team. Share this content with your staff. Not just your providers but also the nurses and other clinicians that may be available because they can help you be that watch guard for are we following the regulation in the way that we’re supposed to.

CJ: Yes, spot on. So a couple of other topics just to kind of throw out there that we’ll use to do a slow conclusion here. Two things; one about mental health professionals preventing harm, and then we’ll Segway that into a major concern today, which is opioid use, and that also falls into substance abuse in general. So maybe we could talk a little bit about mental health professionals and their ability to prevent harm. HIPAA allows, and this is another one of those PDFs, so we’ll include the link, but HIPAA allows mental health professionals to prevent harm. So if a patient is at risk of harming themselves or someone else HIPAA does not restrict you and bind you and tie your arms behind your back from reaching out to maybe public health officials, public safety officers, police, that sort of thing, even family members. Family is often the support system for people. So if there’s a child or even an adult who is at risk for hurting themselves, the mental health professional can reach out to the family. They might not give you everything in the medical record, but they can reach out and say, look, I’m concerned about so and so. Will you please not leave them alone? Will you please make sure someone is watching them 24 hours a day? So you don’t have to say what all the issues are, but you can give warnings.

Brian: Absolutely, CJ. I think that’s a great point. Even if you're a compliance and privacy professional, you’re familiar with the phrase minimum necessary, and that phrase applies here. We know minimum necessary is a legal definition in HIPAA, but it applies in this scenario. When we’re sharing information to prevent harm to the patient or others, keep in mind when we’re sharing information with individuals, we only want to give them the minimum necessary information to protect the individual or others.

CJ: Right, you don’t have to say, “Oh hey, brother of patient X, he’s on this amount of this drug and this amount of this drug, and he’s done this bad thing and that bad thing, no you can just say look I’m concerned about your brother, and I just would like somebody to support him and make sure he gets to these appointments, so that type of thing is what you said, minimum necessary.”

Brian: Exactly.

CJ: What I love about the PDF that OCR published, the second to last sentence is “OCR would not second guess a health professional’s judgment about when a patient seriously and imminently threatens their own or others' health and safety.” I think that statement should give us all some confidence that OCR is not going to come after us for reaching out to a family member or a support system and saying so and so needs help, especially if they’re an imminent threat to themselves or others.

Brian: Exactly. I don’t think there’s a single case where a qualified medical professional, in their clinical judgment, determined it was appropriate to contact a family member, law enforcement, or another public safety entity, to share certain information—provided to your earlier point that they’re not going into great detail of talking about which types of narcotics might have been misused or anything like that but trying to seek help for the individual. I don’t think there’s ever going to be a scenario where the OCR or any enforcement agency will pursue a good faith attempt to protect the individual or others.

CJ: Yep and that leads us to you mentioning a bit of HIPAA related to substance abuse, and it is the same. There are some special aids; these PDFs we’ll give you links to that the OCR specifically addresses HIPAA and the opioid crisis. They talk about things like what we just talked about in mental health in general, if the patient is at risk of harming themselves or others, but you also have to remember some people with substance abuse may become mentally incapacitated and they can’t give their consent for contacting a family member but what OCR outline here is let’s say a patient has OD’d or something and they’re in an emergency room and the patient is non responsive but the facility has a contact information for a family member in the record. They give scenarios and examples where it would be appropriate to reach out to those family members because the patient is not in a state to say,  'No, don’t reach out to them,” and unless the patient has declared previously, don’t reach out to them. So they give those scenarios where it’s okay to reach out to prevent harm or a support system that so and so is struggling in this scenario.

Brian: Yeah, I think that’s a great scene too. The other one that I was thinking about, I wanted to seek your opinion on, is in the scenario where we have a patient who is managing pain through an opioid prescription. They’re not necessarily using them as an illegal substance, but it’s prescribed. Would it be appropriate for that mental health provider or another provider to alert a family member if they start to notice abuse or signs of abuse of those prescription opioids?

CJ: Yeah, again, I think it will be fact-specific, but I believe in what I’ve read there is that allowance and that leeway for professional judgment. A good example is, I don’t know in your state, but I live in Utah right now, and there is a lot of problems in this area and what the public is doing, what public health programs are doing, is they’re giving the anecdote this NARCAN that you can take that’s an antidote to opioid overdose. They give free vials out at the library if you request them. Because it’s not a drug, unless somebody has a known allergic reaction to it, it's a very low-risk type of drug but they give out these tiny vials with little needles and instructions to people, no questions asked. So to try to remove the stigma and there are posters all over the place that say if you use opioids therapeutically or whatever, they’re not trying to say you’re abusing it but tell your spouse, tell your significant other, tell your brother, tell your sister that you’re taking those drugs and this little packet here if they ever find you lying on the floor unconscious to give you this. So they’re trying to address the issue because people are dying, and there’s a simple, saving remedy here.

Brian: Well, I think, to your point, most people who have been afflicted by the opioid epidemic or crisis–we certainly have criminals in the United States–but most people who are in that opioid crisis they started off with an ailment, and they started off with a legitimate prescription to help manage their pain and as time goes on and the science varies from human to human but their tolerance levels, or the way their body chemistry responds to the opioid, sometimes they need to take more in order to alleviate pain and what happens is they start to build that chemical dependency, and it’s not the individual's fault. They had an injury or ailment of some sort. They started with a legitimate prescription, and now that individual is struggling to manage their pain, and what developed into a dependency and seeking help for those, we should never put a negative stigma on that. What I really enjoy about OCR and this information is they’re encouraging us as HIPAA professionals and providers to share the information we need in order to solicit help for those people.

CJ: Yeah, exactly. I think that might be a scenario where I’m a provider, and OCR gives this example. If a patient comes in to see you for substance abuse, they invite their parents or brother in with them. So they’re in this session where you’re discussing it. They’re identifying the individual by the mere fact of letting them come into treatment with them as somebody who is part of the support system, and so OCR talks about that as an example of someone you might be able to reach out to unless they change their mind later and say never contact this person about XY and Z which people rarely do, but it might happen. Generally, the flow is going to be this person is here to support you, that might be somebody I can contact, it might be somebody like this anecdote I was talking about, it might be somebody I say hey, just keep these [NARCAN] in your car or in your house. Go to your public library and pick one up.

Brian: And that’s a great point too. Circling back to by nature of the patient allowing a family member to participate in discussion with the provider, I think it’s also important that the provider identify that individual and document the name and relationship in the medical so that in the provider’s judgment we’re documenting who participated in the conversation and it becomes readily available as part of their medical record. And that becomes verbal consent, too right. You don’t always have to obtain written consent from the patient, and it’s just as important to document those things. Beyond the notices of privacy practice and the typical new patient paperwork that we issue, we document who is involved in the patient's care.

CJ: Yes, and that’s just something that we even learned in medical school twenty years ago, more than that now. When we were taught about getting an appropriate social history, part of a good  social history, and there have been so many studies, this is not even an argument anymore. People who have sound support systems do better clinically. They’re more compliant with their meds, they have better support, they get to appointments and treatments so documenting, just like you said, and this is even outside of mental health and substance abuse. Someone who is a person with diabetes or somebody who has cardiac rehab that they have to go to, documenting that that spouse “Ethel” was there and she’s good to support, and she’s willing to help Mister so and so get to his appointments. That’s such a great point, and it’s just good medical care to document social history that way.

Brian: Well, CJ, this has been so much fun. I know my time appears to be limited, and we don’t get to do this as often as I like. I hope that in 2022 this year that you and I find more time to get together like this and share our thoughts and ideas with our audience.

CJ: Agreed, this has been great, Brian, and thanks for your perspective and expertise, and thanks to everybody for listening to another episode. We will include these links in the show notes. Take a look at them. I think they’re a unique tool. You don’t have to recreate the wheel; OCR has done a lot of the work.

Brian: One final thought, if any of our audience has any questions or like to contact me or CJ, please reach out to us on our website, select the contact us button, and we’ll be happy to make a connection and help you anyway we can.

CJ: Absolutely, on the Healthicity resources page. If you go to and click on the resources page, there are so many great resources, and there are blogs, and we could have conversations online if things aren’t too sensitive, then others can benefit from those conversations. So look there, we try to respond to questions there as well. Thanks for pointing that out, Brian.

Brian: Absolutely.

CJ: And thanks to everybody for listening to another episode. Until next time, be safe.

Episode Resources:

Questions or Comments?