By Matt Fisher, General Counsel, Carium
Twitter: @matt_r_fisher
Twitter: @cariumcares
Host of Healthcare de Jure – #HCdeJure
The Office for Civil Rights (OCR) continues its focus on compliance with the right of access under the HIPAA Privacy Rule. The latest settlement represents the 44th instance since OCR announced the first right of access settlement in 2019. It is an important focal point for OCR given the importance of ensuring that individuals can exercise rights under HIPAA and see information about themselves.
The Latest Settlement
The latest settlement was with The Office of David Mente, MA, LPC (Mente) and was announced on May 8, 2023. The factual background provided by OCR reveals that a complaint was filed by an individual on December 22, 2017.
Commentary: As a quick aside, the fairly far away date has become a somewhat consistent theme from the more recent right of access settlements. It is unclear whether the longtime between the actions and the settlement is a reflection of OCR not having enough resources to investigate and resolve quickly or cherry-picking or specific cases to highlight particular points.
Getting back to the Mente settlement, the complaint alleged that Mente did not provide a minor’s records to the individual requesting the records. After receiving the complaint, OCR tried to provide technical guidance to Mente on January 24, 2018, which was about a month after the complaint came in.
More Commentary: If OCR provides technical advice, it is very advisable to follow that advice. The vast majority of complaints are resolved through technical advice and guidance because OCR wants to help organizations get things right.
Continuing with the settlement, as may have become obvious, Mente did not follow OCR’s guidance. The ongoing non-compliance was found through a second complaint filed on May 2, 2018. Following the second complaint, OCR commenced an investigation on August 2, 2018. The investigation found ongoing non-compliance with the right of access and resulted in a settlement payment of $15,000 (likely reflective of Mente being a small organization and not being able to afford a bigger payment).
Final Commentary: The wording of the conclusion from the investigation is interesting. The wording specifically said that Mente failed to provide timely access since April 6, 2018. Does that mean even with the long interactive process with OCR? That would certainly be a bold position to take and question whether it could lead to another settlement.
A Question
A big question raised by the settlement is what type of protected health information was being sought. When identifying the parties, the settlement agreement noted that Mente provides psychological care. That is an important note because psychotherapy records are exempt from the right of access. What are psychotherapy notes? It is actually a term specifically defined by HIPAA. Here is the definition:
Psychotherapy notes means notes recorded (in any medium) by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session that are separated from the rest of the individual’s medical record. Psychotherapy notes excludes medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: Diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date.
45 C.F.R. 164.501
Parsing through the definition, not all information maintained by a mental health clinician will fall under the psychotherapy exception to the right of access. While not all information will be protected, it does raise the specter of uncertainty of how much information Mente could or had to provide in the instance revealed in the settlement.
How to Comply?
The first step to compliance is, as always, to take the time to read through the HIPAA regulations and actually know what is required. The biggest component of the right of access rule is that access should be given in the vast majority of circumstances. As has been stated in so many previous posts, individuals should be able to access their information and unnecessary barriers negatively impact everyone. The HIPAA regulations are quite clear when it comes to the process and the limited circumstances when access can be denied.
However, there are a couple of limited categories of information that are excluded from the right of access. As noted above, a key category is psychotherapy notes. As shown in the definition though, the psychotherapy notes are only excluded if separated from the rest of the record. If an organization provides mental health and physical health services, then it should explore how to separate the records as appropriate.
If the records are separated, then the organization should further assess the scope of information because not every component is excluded from the right of access. The nuances mean that careful attention is required to drive compliance.
All organizations can do better when it comes to complying with HIPAA requirements. It is long past time for that to occur, especially with the right of access. Expect more settlements to keep coming until unnecessary barriers are removed and the right action occurs.
This article was originally published on The Pulse blog and is republished here with permission.