HIPAA guidelines outline the responsibilities of treating clinicians in handling protected health information (PHI), covering its disclosure, storage, and transmission. With the ubiquity of virtual care, the startup costs of a private mental health practice are low, making this a goal within reach for many. Although many practices may have just a few staff, every practice is still required by law to follow the same HIPAA guidelines as a large hospital, so some of the requirements can be more resource-intensive for a smaller practice.
Psychiatric practices differ from medical practices in a few ways that would be pertinent to HIPAA:
The HIPAA Privacy Rule does not require patient access to psychotherapy notes. The laws may vary from state to state, but generally the provider may restrict access to them. Psychotherapy notes contain very personal information, jargon, key judgements, and reminders of a particular time period that may be triggering for the patient to read. Therefore, psychotherapy notes, including the provider’s impressions of the client or session, receive additional protections to keep them confidential. The psychotherapy notes must be kept as a section separate from the remainder of the record. When documenting a release of information, the informed consent must state whether psychotherapy notes are to be included.
A valid consent form granting permission for a release of information must contain several elements:
Each of the above requirements should be checked every time the release of information is referenced, to avoid a HIPAA violation. In addition, the patient consent form and/or privacy policy should spell out what constitutes a psychiatric emergency, so that a crisis contact can be reached without the patient’s consent when an emergency arises.
Mental health providers are practicing virtually more consistently, and it is inevitable that a patient will at some point voice suicidal ideation or thoughts of self-harm during a virtual session. The provider must determine whether the patient is at imminent risk of self-harm, in which case it would be necessary to contact local law enforcement or a mental health crisis team to evaluate the patient for involuntary admission. The gathering of law enforcement around the individual’s home would draw the attention of concerned neighbors or roommates. There have been instances where individuals in close physical proximity to the patient learned of the situation, whereas if the patient had been in the office there would have been more robust privacy protections. The patient may appreciate a forewarning about this disruption to their privacy and may consider travelling voluntarily to the hospital instead.
Most commercially available email services are not HIPAA compliant by default. If you have not signed a Business Associate Agreement (BAA) with the email service, then the service is not HIPAA compliant. A BAA is a required legal agreement in which the company promises to uphold all the rules and regulations of HIPAA when managing the data. Even with a BAA in place, there are instances in which emailed data may not be secure, for example when a patient composes a new email from their own email system. As the treating physician, you must provide secure methods of communicating with the patient. Using a secure message portal is one option. The system should also be protected with a strong password and two-factor authentication.