Government & Legal

Balancing HIPAA With New Rule on Patients’ Information Accessibility

Published Online: https://doi.org/10.1176/appi.pn.2021.7.46

Abstract

The new rule implements certain provisions of the 21st Century Cures Act to ensure patients have access to their medical records while protecting patients’ privacy and security.

Photo: Denise Neal, B.S.N., M.J., C.P.H.R.M.

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced in March 2020 that, during the COVID-19 national public health emergency, it would exercise enforcement discretion and not impose penalties for noncompliance with rules under the Health Insurance Portability and Accountability Act (HIPAA) related to the good faith provision of telehealth while using non-public-facing audio or video communications platforms. The OCR will issue a public notice when this enforcement discretion expires.

It is important that psychiatrists anticipate this change and understand that pre-COVID HIPAA requirements will return. This means taking action to ensure you are utilizing a HIPAA-compliant telehealth platform and have a Business Associate Agreement (BAA) with your vendor. Further information about these requirements can be found on the HHS.gov website.

OCR Investigation of Potential HIPAA Violations

After conducting investigations, the OCR has recently been fining practices that violate a patient’s Right to Access their medical record. For example, in November 2020, the OCR cited a psychiatric group and fined it $25,000 when the group failed to provide a copy of the medical record and psychotherapy notes in response to several requests by a patient and failed to provide the patient with a written explanation for denial of the record release. The resolution agreement included a corrective action plan and monitoring by the OCR for two years.

While the HIPAA rules do not require the production of psychotherapy notes, they do require covered entities to provide requestors with a written explanation when denying any records request and to provide individuals access to medical records other than psychotherapy notes.

Psychotherapy Notes: Balancing Cures Act Against HIPAA Privacy Rules

The 21st Century Cures Act (Cures Act) Final Rule went into effect in April. The law includes significant new requirements for psychiatrists regarding the access, exchange, and use of electronic health information. The rule builds on HIPAA and encompasses provisions aimed at providing patients with greater access and control of their health information. It is important to understand the law’s right-of-access requirements and how they intersect with the HIPAA privacy rules.

Under the Cures Act, electronic medical records must be made available to patients within a certain timeframe and with certain exceptions for privacy or potential harm. The open records requirements under the Cures Act include “clinical notes.” Psychotherapy notes maintained “separate from the rest of the patient’s medical record” in accordance with the Privacy Rule will continue to receive special protections.

Psychotherapy notes should be maintained separately in a designated “psychotherapy notes” section of the electronic health record or physically separated from the rest of the medical record when using paper records. Consult your electronic health record vendor to assist you with options to help you comply with the new final rule. You can find information about the Cures Act Final Rule on the websites of the Office of the National Coordinator (ONC) for Health Information Technology and APA.

This information is provided as a risk management resource for Allied World policyholders and should not be construed as legal or clinical advice. This material may not be reproduced or distributed without the express, written permission of Allied World Assurance Company Holdings Ltd., a Fairfax company (“Allied World”). Risk management services are provided by or arranged through AWAC Services Company, a member company of Allied World. © 2021 Allied World Assurance Company Holdings, Ltd. All Rights Reserved.

Information on the ONC’s Cures Act Final Rule is posted here and here.

Denise Neal, B.S.N., M.J., C.P.H.R.M., is a risk management consultant in the Risk Management Group of AWAC Services Company, a member company of Allied World. Risk Management services are provided as an exclusive benefit to insureds of the APA-endorsed American Professional Agency Inc. liability insurance program.