Stimulus Bill Includes Important Privacy Provisions That Affect Psychiatrists

June 2, 2009

Psychiatrists failed to get privacy protection for an expanded version of their psychotherapy notes in the stimulus bill Congress passed last February. But the American Recovery and Reinvestment Act (ARRA) did authorize a study on the issue and made other pro-privacy improvements to the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

The stimulus provision on psychotherapy notes mandates a study by the Department of Health and Human Services (HHS) on whether the HIPAA protection of those notes should be expanded beyond the psychiatrist’s written notes on a patient session to “test data that is related to direct responses, scores, items, forms, protocols, manuals, or other materials that are part of a mental health evaluation.” Under current law, which the stimulus bill does not change, psychiatrists and other physicians need to obtain a patient’s authorization before they can pass on the patient’s records to a third party for purposes of treatment, payment, and health care operations (“TPO”). Psychiatrists need a separate patient authorization for handing over psychotherapy notes.

Matthew Sturm, associate director, government relations, American Psychiatric Association, said the APA and several other major mental health groups had asked that psychotherapy testing data, which may be meaningless or even harmful to the patient, be given the same enhanced protection that psychotherapy notes have. The outright protections were in an early draft version of the stimulus bill, but the final bill instead contained language directing the secretary of HHS to study the matter. “We feel this is an acceptable first step toward greater privacy for this special data that is not useful or appropriate to have in an electronic medical record,” Sturm stated.

The ARRA expansion of HIPAA (beyond the potential widening of the definition of psychotherapy notes) is equally significant for psychiatrists, particularly given their handling of sensitive protected health information (PHI), whether in paper or electronic form. One provision requires physicians to provide an accounting to both the patient and conceivably others when they disclose PHI for TPO. This is not required currently. This provision becomes effective no earlier than January 1, 2011.

The ARRA also adds a requirement that physicians notify individuals of data breaches that involve “unsecured” PHI, which goes into effect on February 17, 2010. Patient information is “unsecured” if it is not encrypted. HHS issued guidance regarding “encryption” on April 17. If there is a breach, psychiatrists must notify patients within 60 days. “APA has lobbied for the comprehensive breach notification that was included in the stimulus bill that also included a ‘good faith clause’ for unintentional or accidental access of information,” said Sturm.

Susan Gindin, counsel to the Denver law firm of Isaacson Rosenbaum P.C., pointed out that to the extent psychiatrists keep only handwritten psychotherapy notes, it will be hard to meet any encryption standard. The draft HHS guidance gives physicians two choices for meeting the standard:

• Data encryption consistent with National Institute of Standards and Technology Special Publication 800-111 or Federal Information Processing Standards 140-2
• PHI in either paper or electronic form is destroyed

Of course, this second choice may not work for handwritten psychotherapy notes because a psychiatrist is likely to keep them for a long time.

The ARRA also makes a number of significant changes to civil penalties for HIPAA violations, which go into effect immediately. These include a new tiered civil monetary penalty structure. Fines currently start at $100 per violation with an annual cap of $25,000. Under the ARRA, they soar to $50,000 per violation with an annual cap of $1,500,000.

“APA has felt that HIPAA enforcement has been woefully inadequate,” Sturm said. “We feel this will have a real impact on preventing large- and small-scale malicious breaches of private data.” But he noted that the penalties are on a tiered system with the instruction for the secretary of HHS to assign penalties based on “the nature and extent of the violation and the nature and extent of the harm resulting from such violation.” The lowest tier is for those who inadvertently violate HIPAA. “This is where the vast majority of covered individual physicians who make a HIPAA error would fall into,” Sturm said.