The Dark Side of HIPAA
Social Work Today
Vol. 4 No. 1 p. 11
By Kate Jackson

The deadline has come and gone for compliance with the requirements of
the Standards for Privacy of Individually Identified Health Information
set forth by the Health Insurance Portability and Accountability Act
(HIPAA), yet it seems that both consumers and healthcare providers
continue to be baffled by the regulations. Clinicians are confounded
by both the logistic and ethical aspects of compliance and are unclear
about the nature of the rights that the new rules confer upon consumers.
Clinical social workers and other providers may meet the minimum standards
dictated by the regulations, commonly referred to as “the privacy
rule,” or may be fully compliant and still lack an understanding
of the legislation’s potential impact upon the practice of therapy.
WHY HIPAA?
HIPAA was enacted in response to the impact of technology upon the
practice and business of healthcare. The disparate means and methods
by which information necessary for reimbursement was processed had
become unwieldy. The rise of electronic healthcare transactions was
accompanied by a call for administrative simplification provisions
that addressed standards for these new methods of transmitting and
protecting health information. As Health and Human Services (HHS)
labored over the creation of these national standards, Congress recognized
and addressed the potential of electronic technology to efface the
privacy of health information. As part of HIPAA, it ultimately mandated
the development and adoption of federal protections for individually
identifiable health information, whether or not those data were electronically
collected, stored, and transmitted. Information technology has become
ubiquitous, and most clinicians use a computer to write reports or
letters for their clients.
Developed by
the HHS but administered by the United States Office for Civil Rights,
the privacy rule was published in final form on December 28, 2000,
and after modifications, was adopted in August 2002. It sets forth
standards for the use, transmission, and storage of health information
by health plans, healthcare clearinghouses, and healthcare providers,
as well as detailed stringent civil or criminal penalties for failure
to comply. These three types of “covered entities” were
required to comply with the new regulation by April 14, 2003, with
the exception of small health plans, which were given an additional
year to develop compliance strategies. Any provider who accepts third-party
payment is subject to these HIPAA regulations. The privacy regulations
apply to all medical information, even private pay.
To a great extent,
the means by which the regulations can be met are open to interpretation,
and the law leaves a great deal to the discretion of the individual
entity. The line that separates compliance from noncompliance is difficult
to see, and thus is easy to cross. Providers in many regards can determine
the degree to which they will change the way they practice with respect
to HIPAA. As far as the privacy rule is concerned, however, providers, at the very
least, must prepare a “notice of privacy practices” and
distribute it to all clients, train any employees about the new policies,
and designate a privacy officer to address concerns of clients who
believe that their rights have been violated.
At the heart
of the new rules is the notice of privacy practice. The privacy rule
doesn’t replace but rather adds another form to the pile. The
traditional consent is still required. As mandated by HIPAA, the notice
of privacy practice that must be provided to all patients and clients
spells out the ways in which their health information may be used
or distributed.
SIGN ON THE DOTTED LINE
As providers have scrambled to determine the steps that they must
take to satisfy the standards, many have failed to look below the
murky surface of the rule’s dense language and glean its actual
meaning. Similarly, healthcare patients and psychotherapy clients,
who believed that their health information was private even in the
days before HIPAA, often sign the HIPAA-mandated notices without reading
or understanding the contents.
The crux of the
confusion, perhaps, can be found in the language with which the HHS
explains the purpose of the legislation. In its overview, the agency
states, “The privacy rule establishes for the first time a foundation
of federal protections for the privacy of protected health information.”
What’s often overlooked is the fact that it refers not to all
health information but merely to “protected” health information.
And the problem for clients and providers is that it would seem to
take an army of lawyers to clarify what is meant by protected.
According to
the HHS, “These new federal health privacy regulations set a
national floor of privacy protections that will reassure patients
that their medical records are kept confidential.” Furthermore,
says the agency, “consumers will benefit from these new limits
in the way their personal medical records may be used or disclosed
by those entrusted with this sensitive information. The new protections
give patients greater access to their own medical records and more
control over how their personal information is used by their health
plans and healthcare providers.”
But do they really?
Many clients are comforted by the mere existence of a notice of privacy
practice that at first glance appears to affirm their right to privacy,
and some are simply convinced by the new emphasis on privacy that
their health information is free from prying eyes. But is it? Everyone
is talking about HIPAA, but does anyone really understand it? It’s
well-known that it promises to protect patient confidentiality, but
does it live up to its promises? Or, with its obfuscating language,
has the privacy rule thrown up a smoke screen that deflects attention
away from the fine print and discourages reading the lines, let alone
reading between the lines?
PRIVACY AT RISK
Clients who actually read the notices of privacy practices might be
shocked to find out through how many loopholes their “private”
health information may fall and just how limited their right to privacy
is. Many would be dumbfounded to learn that the government, specifically
the HHS, in order to monitor compliance with privacy regulations,
has complete access to their medical records, and that law enforcement
agencies as well as an array of “business associates”
may claim the right to review records.
Equally confounding
is the fact that the privacy rules guarantee consumers the right to
see and copy their health records and request corrections of mistakes
that may be contained in those records. However, says Michael Freeny,
LCSW, a consultant and therapist who’s been studying the legislation
almost since its inception and has been facilitating HIPAA training
for about a year, providers are obligated by HIPAA to inform clients
that they are not bound to fulfill such requests.
Furthermore,
individuals undergoing psychotherapy may be more than a little disconcerted
to find that although they must provide specific authorization for
the release of psychotherapy notes, this protection does not pertain
to the bulk of the contents of those notes, in particular psychiatric
symptoms and diagnoses, treatment plans, and session summaries. Under
certain circumstances, psychotherapy notes can be released without
authorization. Freeny asked attorneys at the American Psychological
Association (APA) and the National Association of Social Workers (NASW)
who worked on HIPAA plans, programs, and documents whether, knowing this,
they would be seeing a therapist in the near future. “‘Not
on a bet,’ they said. ‘Absolutely never, nor would I let
anyone in my family do so,’” was the reply.
According to
Freeny, the privacy regulation was written like many other governmental
regulations: “purposefully to obscure.” Having conducted
teleconferences on the subject, presented the issues to the NASW,
and interviewed the major players that have had a hand in HIPAA—including
staff attorneys at the APA and the NASW—Freeny claims to know
more about the act “than any sane person should.” Freeny is a partner
in clinicalCE.com, an education resource that produces an educational
CD-ROM on HIPAA compliance, and his vast reserve of HIPAA-related
facts and his articulation of the finer points of the privacy rule
support that claim. He became deeply acquainted with HIPAA while
doing research for his novel Terminal Consent, which has the distinction
of being APA-approved for continuing education. “The book was
my effort to try to get clinicians to understand information systems—where
they are, how we use them, how they are invisible to us, and how many
of our words are captured and stored and never go away.” Early
on, while the regulations were still in their formative stage, Freeny
realized that “they were the biggest thing that has ever come
down the pike regarding the future of psychotherapy and our presumption
of privacy. If we fumble privacy,” he recalls suggesting in
articles and debate, “I would imagine that when a lot of people
realize that, they will stop coming to psychotherapists.”
READY OR NOT
Prior to the implementation of the HIPAA standards on April 14, 2003,
says Freeny, there were roughly two groups of clinicians in the world.
“There were those who realized this was a big step, and they
needed to get prepared for it and understand it, so they took classes.
And, there was the greater majority of clinicians who just said, ‘I’ll
wait until it bites me. I don’t need to know about this. It’s
too complicated, so I’ll just grab a privacy document from somebody
and throw it up as mine, and that will be sufficient and compliant.’”
At this point in the evolution of the regulation, he says, that’s
fine because the HHS is underfunded and unable to aggressively enforce
any but the biggest offenders. But, the clinician-client relationship
has the potential to be tarnished, even if the threat of punitive
action is unlikely. To understand the ethical underpinnings of the
regulations and effectively advise and protect their clients, social
workers and other providers need to delve more deeply into the privacy
rule and the ways in which they are attempting to comply.
Clinicians, Freeny
says, have failed to grasp the fundamentals and looked for the absolute
easiest way to comply, which is to give the client a piece of paper—the
notice of privacy practices—and get on with therapy. The reason
they’ll be able to skate by at such a level of effort, he says,
is client complacency. People simply don’t read the ubiquitous
notices. Average citizens in psychotherapy, he suggests, don’t
want anyone, particularly their employers, to know what goes on in
therapy or, often, even that they’re in therapy. And, they presume
that the law is consistent with that assumption. “They believe
that if the Patriot Act is about being a patriot,” he laughs,
“the privacy act is about privacy.” What clients are going
to do when confronted with the notice of privacy practice, he says,
“is look into the kind, caring, empathetic faces of their
therapists and ask, ‘Is this OK?’ and the therapists will
say, ‘It’s OK to sign that. This will be private.’
And, this has a calming effect and instills some confidence, but it’s
totally false, and it’ll come back to bite everyone in ways
that no one really anticipates,” insists Freeny.
UNLIMITED ACCESS
For many, the hardest bite of HIPAA to swallow, Freeny observes, is
that “for the first time in the history of America, the federal
government has a right to every medical record.” It never had
such blanket rights before, he says, noting that the government was
entitled to Medicare or Social Security disability records because
those agencies were the payors. “But, now it [the HHS] has elected
itself as the enforcer of privacy, and the only way it can know if
privacy has been violated is if it goes to look at what’s private
and see if it’s been violated.”
The government,
Freeny maintains, is the ultimate arbiter of private things. “It
trumps everything,” he says. The regulations, he notes, suggest
that patients have the right to restrict the distribution and transmission
of their medical information. “It’s not true because the
next sentence says that the provider is under no obligation to give
you that information. And, it goes even deeper than that.” Even
if the provider were to honor the patient’s requests to restrict
information, there is a set of requesters to whom they cannot say
no, including the federal government, police, and public health agencies.
According to the rules, observes Freeny, “patients have a right
to know where their information has been disclosed in such nonroutine
disclosures. There is no right to know where your information has
been disclosed in what are called routine disclosures, which involve
treatment and payment for healthcare operation. There is no requirement
that therapists write down where clients’ information has gone,
nor, if the clients ask, that the therapists tell them with whom that
information has been shared. The therapists only have to tell them
where it may have gone.”
Providers and
consumers alike, says Freeny, fail to appreciate the ramifications
of the law “because it’s dense, convoluted, and, to some
extent, kind of unbelievable.” What HIPAA does, he claims, “is
list a whole selection of compromises and opportunities to use medical
information for multiple purposes, and it does it in a way and with
language that completely obscures that fact.” In private and
public conversations with HHS personnel, Freeny has asked for clarification.
“What you’re telling us,” he asked them, “is
that you’ve created a holy trinity of insurers, providers, and
claims clearinghouses, and those entities can talk freely to each
other about any medical information they deem necessary to complete
their task, and there is absolutely no requirement for patient consent?
And they say yes.” When Freeny then asked whether or not that
includes employers who operate under the Employee Retirement Income
Security Act as insurers for their employees, government representatives
countered that those employers, although they could obtain that information,
would not be able to use those data in any business decision regarding
their employees. What, Freeny wondered, would be the consequences
if an employer, with information about an employee’s DNA, cardiac
condition, or history of depression, violated that rule? “They’re
not supposed to,” was the government’s reply. “We
providers can face up to a quarter-million-dollar fine for violations,”
he observes, but employers face no such penalties.
NO ENFORCEMENT AUTHORITY
Another provision of the privacy rules with enormous potential for
abuse involves the right of so-called business associates—such
as medical transcribers and billing companies—to receive clients’
medical records. Providers are required by the law to have a business
associate agreement with such entities, which affirms that they understand
how important the private medical data are and that they are not to
be sent by the associate to a secondary source. However, explains
Freeny, “HHS will be the first to tell you that it has absolutely
no enforcement authority over business associates. As soon as patient
information goes outside of the holy trinity, it’s unprotected.
So, if a transcriptionist starts shoveling data into marketers’ coffers,
HHS will tell you that it has nothing to do with that and can only
regulate you. Furthermore, it would say that if the provider has a
business associate agreement, you’re covered.” Abuse at
this level, says Freeny, is about gaining access to what he calls
one of the most valuable treasure troves of data ever. To bolster
his argument, he points to the recent case in which the University
of California San Francisco (UCSF) Medical Center contracted with
a transcription service, which in turn subcontracted the work to another
service, which also subcontracted its services. The job, ultimately,
was performed in Pakistan by a woman who, when not paid by the subcontractor,
threatened UCSF that she would post patient records to the Internet
if she was not immediately paid.
If this weren’t
enough to give providers and clients alike pause, Freeny points to
the Medical Information Bureau (MIB), a central depository of health
information that for 80 years has been run by the insurance industry
yet is off the radar screen of most health professionals. The MIB
(see www.mib.com), he explains, is a private database run by hundreds
of member insurance companies. “When you fill out an application
for health, life, or disability insurance and you dutifully noted
that you had your tonsils out when you were 16 or you may not have
disclosed that you had a sexually transmitted disease, they take that
application and send it to the MIB, whose stated purpose is to look
for people who may not have adequately completed their forms or who
sought to deceive the insurance companies.” Not every claim
goes there, Freeny is quick to point out, but those that involve major
health disorders such as heart disease, cancer, diabetes, and mental
health issues do. “One of the things that the federal government
is happy to tell you,” he says, “is that HIPAA does not
create a government database of medical information. Well, it doesn’t
have to. It’s already got one. You’ve just got to have
access to it.”
KNOW MORE, THINK MORE, DO MORE
Clinicians, says Freeny, need to understand that there are many stakeholders
and participants in the transaction of psychotherapy who believe that
they have rights to health data. “The great thing about HIPAA
is that it is requiring clinicians to fully realize what its limitations
are, who is interested in these data, and how to seriously embark
upon protecting patient data.” He advises that they turn to
their professional associations for guidance, study the finer points
of the legislation, and go beyond the minimum requirements when preparing
notices of privacy practices. “The single greatest symbol of
HIPAA and the privacy rules is that it’s supposed to be composed
of four things: HIPAA mandated language, HIPAA optional language,
state law, and your own privacy practices. It’s your contract
with the client about what you will or will not do with their data,
and that the life cycle of their data will be in your hands. It should
address when data are created, when they are transmitted, how they
are stored, and when they are destroyed.” Therefore, he suggests,
“it would be a good thing for clinicians to sit down and think
through what they might do with the information that comes into their
offices or into their possession, what they do with it, where and
under what conditions they might send it, where they’re going
to store it, where they’re going to archive it, and, ultimately,
to tell the patient when and how it would be disposed of.”
Freeny suggests
that the privacy rule raises an interesting ethical issue. “The
purpose of this aspect of HIPAA is for you to adequately inform your
client about the limits of privacy. But, if you did adequately inform
them, they probably would leave. So that’s why they came up
with the notice of privacy practices that is so long and dense that
nobody reads it.” He’s aware that his comments may sound
alarmist. But, the erosion of privacy, he concedes, should be alarming.
Still, a more common reaction to these charges among providers is
denial, total disbelief. “They’re overwhelmed and say,
‘I don’t want to know. Give me the forms so I can be compliant,
and I’ll just forget about this and continue doing what I’ve
been doing.’ But, we’re not going to escape the issue
as clinicians and advocates for our clients if we just stick our fingers
in our ears and say, ‘I don’t want to hear, I don’t
want to know.’”
Yet, Freeny is
hopeful that as mental health professionals become familiar with the
regulations, they’ll call upon their professional associations
to help regain control of patient privacy.
— Kate Jackson is a staff writer for Social Work Today.