At Your Service

How to Avoid HIPAA Pitfalls and Other Risk Management Dangers

Published Online: https://doi.org/10.1176/pn.40.1.00400012

Q. I am a covered provider under HIPAA's privacy rule and have done my best to comply with the requirements. What are some of the potential pitfalls associated with the privacy rule to be aware of and avoid?

A. Unfortunately, the Office of Civil Rights (OCR), which enforces the privacy rule, provides only limited details regarding complaints. Thus, the conclusions we can draw are not as detailed and comprehensive as we would like. However, there are some definite pitfalls to be aware of and avoid:

Failing to take patient complaints about confidentiality seriously: OCR reports that as of August 31, 2004, it had received 8,096 privacy-rule complaints. The most frequent complaints include impermissible disclosure of protected health information, lack of safeguards, failure to provide access to protected health information, and disclosure of more information than is minimally necessary.

Physician practices are the entities most frequently complained about, followed by hospitals, pharmacies, outpatient facilities, and health plans.

Fifty-seven percent of the complaints have been closed. The top reasons for case closure are lack of OCR jurisdiction (for example, the complaint involved a non-covered provider), the absence of a HIPAA violation, and resolution of the complaint through the entity's voluntary compliance.

Finally, 125 cases have been referred to the Department of Justice for possible criminal prosecution.

Refusing to release any records to the patient: The privacy rule grants patients the right to inspect and obtain a copy of their record. Disclosure of protected health information to patients is one of the two mandatory disclosures under the privacy rule. The other mandatory disclosure is to the Department of Health and Human Services for enforcement of the privacy rule.

The privacy rule preempts (or takes precedence over) any contrary state law, unless the state law is “more stringent.” In terms of patient access, more stringent is defined to include granting the patient greater rights of access. So the privacy rule's standards (mandatory patient access) are to be followed, unless a state law grants patients greater rights of access.

If access is denied, the patient's notification of denial must be accompanied by information on how to have the denial reviewed (if denied for reviewable grounds) and how to complain to the covered provider and HHS. It is important to remember that to the extent possible, access must be given to the remaining protected health information, after excluding the denied information. Also keep in mind that the patient can authorize the release of the entire record to a third party, such as an attorney.

Participants in the Psychiatrists' Program can access more information about the privacy rule, as well as comprehensive information about risk management topics, in the “For Participants Only” section of <www.psychprogram.com>.

Q. I want to change to a new medical malpractice insurance carrier and have been researching options. Several colleagues have recommended the Psychiatrists' Program. One benefit they have cited is the psychiatric-specific risk management services, especially the online services. Could you tell me more about these resources?

A. The Psychiatrists' Program's risk management department provides a wide range of services and is staffed by experienced professionals with legal and clinical backgrounds. This combination provides psychiatrists with assistance from staff who have a thorough understanding of both the clinical situation and the legal issues and their implications. The Program identifies and implements sound risk management services to help you avoid potential incidents and lawsuits.

The Program includes access to online risk management resources featuring more than 100 risk management articles, multimedia presentations, and the Rx for Risk newsletter archive dating back to 1998. There are also a number of risk management presentations in the Online Education Center, such as “Six Things You Can Do NOW to Avoid Being Sued Successfully LATER.”

The Program's Web site will soon feature the newly released Risk Management Resource for Psychiatric Practice: A Comprehensive Manual for Psychiatrists and Mental Health Professionals, developed by the Program's risk management department. The manual helps psychiatrists develop and refine a risk management approach that works specifically for their individual practices.

Participants in the Psychiatrists' Program can access these risk management resources by logging into the “For Participants Only” section at <www.psychprogram.com>. Those who are not Program participants may call (800) 245-3333, ext. 389, or send an e-mail to to request a complimentary CD-ROM that includes a sampling of risk management articles and multimedia presentations.

This column is provided by PRMS, manager of the Psychiatrists' Program, for the benefit of members. More information about the Program is available by visiting its Web site at <www.psychprogram.com>; calling (800) 245-3333, ext. 389; or sending an e-mail to .