Office of Compliance Programs
HIPAA and the Provision of Mental Health Services
Revised: April 19, 2017
HIPAA and Mental Health Professionals
Due to the sensitive information received, the HIPAA Privacy Rule
has additional requirements regarding the protection of health
information obtained through psychotherapy or counseling.
This presentation is a supplement to your HIPAA Privacy-High Risk
and HIPAA Privacy - Patient Protection modules and will address the
additional requirements the
Privacy Rule requires of mental health professionals.
As a practicing mental health professional, these requirements
affect your daily practice.
HIPAA Privacy Rules that affect Mental Health Professionals
- Right of Access by Patients to Mental Health Professional’s
- Exception to Patient Access --Psychotherapy Notes
- What are psychotherapy notes ?
- Exception to Patient Access -- Information Compiled in
Anticipation of Litigation
- Disclosing Records to Third Parties
- Authorization Requirement
- Separate Authorization Requirement for Psychotherapy Notes
- Re-disclosure of records and psychotherapy notes once released
to third party.
- Responding to Requests for Records
- Authorization Requirement
- Court orders/Subpoenas
- Application to Forensic Psychotherapy
- How HIPAA applies
- Independent medical evaluations
- Patient’s right to access –independent medical evaluations
Patints' Right to Access Mental Health Records
As a general rule, HIPAA provides that a patient has a right to
access and obtain a copy of his/her protected health information.
Exceptions to Right of Access
There are two exceptions to the patient’s right of access which are
relevant to the practice of psychiatry:
- Psychotherapy Notes, and,
- Information compiled in reasonable anticipation of or for the use
in, a civil, criminal, or administrative action or proceeding.
Exception for Psychotherapy Notes
Psychotherapy notes as defined by HIPAA means notes recorded (in any
medium) by a health care provider who is a mental health professional
documenting or analyzing the contents of conversation during a private
counseling session or a group, joint, or family counseling session and
that are separated from the rest of the individual's medical record.
What are not considered Psychotherapy Notes?
Psychotherapy notes excludes the following:
- Medication prescription and monitoring;
- Counseling session start and stop times;
- The modalities and frequencies of treatment
- Results of clinical tests, and,
- Any summary of the following items:
- Functional status,
- Treatment plan,
- Prognosis, and
- Progress to date.
In order to qualify as “psychotherapy notes” and be an exception to
the patient right of access requirement under HIPAA, the healthcare
- Must create a file separate from the main PHI file
- The separate file must only contain notes documenting or
analyzing the contents of conversation in counseling (sometimes called
“personal notes” or “process notes”) and;
- Should label them clearly as “psychotherapy notes”
Exception for Legal Proceedings
Any information compiled in reasonable anticipation of, or for use
in, a civil, criminal, or administrative action or proceeding is an
exception to the patient’s right of access under HIPAA.
Civil or criminal action would be a proceeding brought before a
court of law (e.g. a lawsuit.
For purposes of this exception, an administrative action or
proceeding is a hearing, inquiry, investigation, or trial before an
An Administrative Agency is a government body, usually part of the
executive branch of government that is charged with implementing
particular laws passed by the legislature or Congress.
A proceeding of the Medical Malpractice Review Panel IS an
Administrative Action or Proceeding, as defined under the HIPAA Privacy
An academic determination of fitness of a student to return to
school is a due process hearing, but NOT an administrative hearing as
defined under the HIPAA Privacy Rule.
Disclosing Records to Third Parties
In most cases, disclosure of patient records to third parties
requires a patient to sign the LSUHSC-NO HIPAA authorization
form. The patient must receive a copy of the signed authorization
Chancellor's Memorandum 53 Section T is the
university's HIPAA authorization policy and describes the patient
authorization requirements. Please note that the LSUHSC-NO HIPAA Authorization form is the ONLY
form that may be used to obtain HIPAA authorizations in such instances.
An authorization is not valid if the form signed by the subject has
any of the following defects:
- The authorization has been revoked.
- Any material information in the authorization is known by
LSUHSC-NO to be false.
- The expiration date has passed or the expiration event is know by
LSUHSC-NO to have occurred.
- For example, if the authorization states it is valid for
the duration of
the pregnancy, once the pregnancy has ended, the authorization is no
longer valid and uses and disclosures of PHI covered by the
authorization must cease unless a new
authorization has been signed by the patient.
- The authorization lacks:
- The signature of the individual and date.
- If the authorization is signed by a personal
representative of the individual, a description of such
representative’s authority to act for the individual.
- A description of each purpose of the requested use or
- A description of the information to be used or disclosed that
identifies the information in a specific and meaningful fashion.
- The name or other specific identification of the person(s),
or class of persons, to whom LSUHSC-NO may make the requested use or
- The name or other specific identification of the person(s) or
class of persons authorized to make the requested use or disclosure.
- An expiration date or expiration event that relates to the
individual or the purpose of the use or disclosure. The statement “end
of the research study”, “none” or similar language is sufficient if the
authorization is for a use or disclosure of protected health
information for research, including the creation and maintenance of a
research database or research repository.
Separate Authorization for Psychotherapy Notes Disclosure
The HIPAA Privacy Rule requires that if a mental health professional
wishes to disclose psychotherapy notes, as defined by HIPAA, to a third
party, the patient must sign a separate HIPAA authorization form, which
only authorizes the disclosure of the psychotherapy notes and is not
combined with any other authorization for use and/or disclosure of any
Instances When an Authorization is NOT Required for the Disclosure
of Psychotherapy Notes
An authorization is not required to carry out the following:
- Use by the originator of the psychotherapy notes for treatment;
- Use or disclosure by the covered entity for its own training
programs in which students, trainees, or practitioners in mental health
learn under supervision to practice or improve their skills in group,
joint, family, or individual counseling; or
- Use or disclosure by the covered entity to defend itself in a
legal action or other proceeding brought by the individual;
- A use or disclosure that is:
- Required by the Secretary of DHHS
- Required by law
- For the oversight of the originator of the psychotherapy
- For coroners or medical examiners
- To avert serious threat to health or safety
Re-disclosure of Records and Psychotherapy Notes
It is important to keep in mind that while a patient may be denied
right of access to their psychotherapy notes, a patient may authorize
the release of their psychotherapy notes to a third party, which may be
an attorney, another provider, or even a friend .
A mental health professional must comply with all authorizations and
thus, the third party may give the patient a copy of the psychotherapy
It is imperative that in the event psychotherapy notes are released
to a healthcare provider, they be labeled and direction provided to
keep them separate and apart from the main file pursuant to the HIPAA
regulations, in order to continue to fall under the exception of right
of access by the patient.
Responding to Records Requests
To determine whether a signed HIPAA authorization form is required
to disclose protected health information in response to a records
- If it is a non-court order, it must be accompanied by a HIPAA
authorization form or satisfactory assurance in writing from the entity
requesting tthe records that:
- The party requesting such information has made a good faith
attempt to provide written notice to the individual (or, if the
individual's location is unknown, to mail a notice to the individual's
last known address);
- The notice included sufficient information about the litigation
or proceeding in which the protected health information is requested to
permit the individual to raise an objection to the court or
- The time for the individual to raise objections to the court or
administrative tribunal has elapsed, and:
- No objections were filed; or
- All objections filed by the individual have been resolved
by the court or the administrative tribunal and the disclosures being
sought are consistent with such resolution.
- Or a written statement demonstrating that:
- The parties to the dispute giving rise to the request for
information have agreed to a qualified protective order and have
presented it to the court or administrative tribunal with jurisdiction
over the dispute; or
- The party seeking the protected health information has
requested a qualified protective order from such court or
- If it is a court order, then a HIPAA authorization form IS NOT
REQUIRED from the patient provided some other conditions are met.
- Contact the LSUHSC-NO Privacy Officer, who will determine if all
conditions are met for release.
Court Orders v. Non-Court Orders
Court orders: a request or order for documents issued or signed by a
judge, magistrate, clerk of court or attorneys, acting as an officer of
- Subpoena duces tecum
Non-court orders: a request by an attorney or other individual for
- Request for production of documents
- Request for release of medical records
Forensic Mental Health Evaluations
A common HIPAA myth is that HIPAA does not apply to forensic medical
examinations because there is no doctor-patient relationship. This is
HIPAA applies to covered entities regardless of the type of service
performed or the relationship between the provider and the subject of
the examination. In a
forensic evaluation, the evaluator, who is a healthcare provider (i.e. covered entity),
receives protected health information.
HIPAA provides an exception for uses and disclosures
directed by a court order. This is why the health care provider is
allowed to share the PHI with the court.
Since LSUHSC-NO is a covered entity under HIPAA, faculty must adhere
to the HIPAA privacy and security rules when conducting all forensic
Independent Medical Evaluations (IME)
IMEs can be required for many reasons including but not limited to:
- Fitness for duty
- Eligibility to enroll in school
- Disability benefits
- Worker’s compensation benefits
As is the case with forensic medical examinations, LSUHSC-NO is a
covered entity under HIPAA and all faculty and staff shall adhere to
the HIPAA privacy and security rules when conducting IMEs. Absent a
court order, a HIPAA authorization will need to be obtained
from the subject of the evaluation in order to share the results of the
evaluation with the subject's school, employer, etc. Make sure the LSUHSC-NO HIPAA Authorization form is used to
obtain the subject's authorization. NO OTHER FORM MAY BE USED TO OBTAIN
A PATIENT'S AUTHORIZATION.
An individual has the right to access any report that is created as
a result of his/her independent medical evaluation under HIPAA, as with
any other medical records, unless an exception applies.
A common instance where an individual would not be entitled to
access to the report is a court ordered evaluation.
The individual is denied access under the information compiled for
use in a civil, criminal or administrative proceeding exception,
Reporting a HIPAA Violation
If anyone suspects or knows of mishandling or misuse of patient PHI,
a complaint can be made to:
We Are Here to Help!
Office of Compliance Programs
433 Bolivar St.
New Orleans, LA 70112