Deborah Warner, PhD
Psychologists consider multiple ways to keep records safe and protect patient’s privacy. This involves more than following HIPAA final rule 2013 (the Health Insurance Portability and Accountability Act) requirements. Psychologists see beyond the document concerning disclosures. Our work in New Hampshire looked behind the request for information and it resulted in legal activism which spanned three years and brought forth positive changes in the New Hampshire laws. As we examine the scope of this issue, we see the parallels for psychology’s vigilance concerning patient privacy in other states and nationally.
How do we protect our patients’ privacy?
What are our responsibilities?
These questions launched a quest that spanned three years and resulted in reforms in the law to better protect patient privacy rights. After the author “blew the whistle” on the NH Attorney General’s practice of taking patients’ records without their knowledge or consent, a long process ensued. We employed steps that the legal system provides to right such wrongs: the licensing board, rule-making, legislative resolutions, executive oversight, and corrective legislation. It was not a rapid solution, but each step of the way was orderly and fair.
Some Concepts to Consider in the Process of Handling Clinical Records
We ran into confusion immediately in the debate to protect patient records. Our opposition argued that because the patient records had not been leaked to the public that privacy had been maintained. Not so; several definitions are needed.
Confidentiality describes the process of keeping information secure. We have procedures to keep files locked, lips zipped, sounds limited, and messages confined. We have detailed methods of releasing information, using signed forms and secure mail or faxes. We know what HIPAA requires that we adhere to those procedures. We think that if we follow these safeguards we ensure patient’s privacy.
Security entails the physical protection of the information, such as locks, passwords, encryption, and procedures that limit exposure of the information. Security is part of ensuring confidentiality in an office.
But this is not the whole picture concerning patient privacy. There are related concepts to consider.
Privilege –Who owns this private information? Usually the patient owns it. In some states a child holds the privilege. Privilege is defined in state statutes and thus may vary. Usually the psychologist’s work with a patient is privileged with access controlled by the owner of privilege - the patient.
Privacy is a concept that has personal meaning but in this context privacy is derived from the U.S. Constitution, especially the Fourth Amendment:
Amendment IV - The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures,shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
Thus, privacy is a concept of personal sovereignty, and privilege is a legal term concerning who has such rights, and confidentiality involves procedures to safeguard those rights. Often these terms are confused in argument.
The Psychologist’s Office Work
HIPAA regulations require healthcare professional to provide a written description to patients of their rights regarding personal health information and it is secured or released under various circumstances. Often these forms are many pages long and have disclaimers pertaining to the potential government’s intrusion into their privilege and how the office handles this. The way these are written is lengthy and so abstract that it is difficult to extrapolate the extent of circumstances that would be involved. So, risk of harm to self or others, and child and elder abuse are important caveats to confidentiality. But the HIPAA notice often has disclaimers like, “…as required by law.” But what does this phrase mean? And what should we do when the government submits to our offices requests for patient information?
First we asked the following questions: Are all government requests valid? What is an improper request? How do we correct such a request? Or – should we just comply? This author determined that some government requests are improper, as there are inconsistencies in the law, rules and procedures and within our ethical code.
On a more fundamental level, how does the government correct itself? This author found that government action can be initiated by fiat, or rules and statute, some of which may be clearly wrong professionally, but which is kept in balance by an effective counter response. If not, the system will continue to interpret their authority in the same way. (It is dissimilar to science that corrects itself based upon new theory or data.) The system of laws has no overarching monitor, no supervisor; it is corrected instead on a case by case basis. It is not an accident that the law-making system works this way; it is by design that checks by those affected allow redress.
We also need to understand that the government system is not designed ideally but is constantly subject to feedback from the informed and affected. In the area of our practice, we are the informed. And on occasion we may be the ones affected, if we notice.
This is not to advocate reckless disregard of government requests. A challenge to the patient’s privacy should be evaluated in light of therapeutic standards, and also patient’s rights beyond therapy. If there is any doubt about the validity of the outside request, the psychologist should seek consultation from legal counsel to discuss the wider implications and what options are available to preserve the patient’s rights.
What happened here in New Hampshire? This author was appointed to the omnibus mental health licensing board and was tasked to deal with the psychologists’ objections to the proposed rules for the board. Parties testified at the rule review hearing that in a divorce, the ex-spouse might harass the partner by submitting a board complaint naming the partner’s therapist in order to secure records. One could argue that the taking of those records was a personal intrusion into the therapy, whether or not the patient knew of the investigation. Did the state have a right to access patients’ information without their knowledge or consent?
The psychologists were concerned that patients would feel that they were never actually secure in their privileged conversations if they knew that the state could examine and keep their records without their even knowing it, with no chance to object. Psychologists were also concerned if the accused therapist sent records on a non-complaining patient, would the therapy be disrupted, even if the patient did not know. What kind of shift would happen in the therapy relationship?
Further these records, after the disciplinary matter was concluded, would be stored in state archives for eight, or 20 years, or longer depending on the destruction schedule. The legislature was concerned that the Attorney General could access these records without a time limit. The legislature argued against the intrusion into privileged papers, and for the confidential keeping of that information and security of the files over time.
Another important concern arose when the Attorney General’s office asserted that they could compel an unwilling third party patient to testify in a public hearing exposing records and personal details. The psychologists were highly distressed that this would be a state-sponsored defilement of the patient’s privacy and a trauma for the patient. This concern was also shared by the legislature.
The problem that precipitated the Attorney General to compel testimony involved a social worker who had a couple in marital therapy and coerced an affair with the wife. That therapist had allegedly obtained drugs from another patient and used them with the victim-wife, had sex with her, and engaged in a high speed chase with the wife while a gun was in the car, outracing the husband, going 100 miles per hour through the toll booths, and ending with the husband crashing his vehicle. Clearly the public needed protection. Yet even in this extreme case, the hearing was successfully conducted using the investigator as a witness who conveyed the wife’s testimony without disclosing her identity. Thus, the state was able to police the profession while honoring privacy and due process provided under the U.S. Constitution.
The fight for patient privacy protection took several years with great resistance from the Attorney General’s office. Yet the legislature, and also the Governor & Council were sympathetic to the public’s sensitivity to unnecessary intrusion. When the Board of Mental Health Practice did not change their rules or procedures as a result of testimony in the rule hearings, the legislative body that oversees their rules filed formal objections, signed by the Governor. When the Board continued to follow the same procedures, legislation was initiated to legally restrain these privacy intrusions, and solve these problems jointly. Representative Neal Kurk, Chairman of Finance Committee II (Health & Human Services) and this author repeatedly testified in committees and subcommittees. This author met with the Assistant Attorneys General and Professional Conduct Investigators to ascertain what methods would serve their purposes while safeguarding third party patient information. After three years of struggle and debate, in January of 2013, New Hampshire law provided that the state could not take third party patient records without the patient’s knowledge or consent.
Compelling frameworks may collide rather than coincide, namely clinical needs, regulatory compliance, legal intent, and constitutional rights. An ethical dilemma occurs when the options are in conflict and there is not one obvious correct path to take. Typically, there are several good options. The clinician must weigh the good for the patient against the demands of professional practice and the legal system. However, any decision occurs within the psychologist’s own value framework. When there are many right answers, the one chosen may vary from one taken by another psychologist, and may have different consequences. It is within this ethical tension that our story unfolded.
Ethical Intersection: Privacy of the Health Record
The APA Ethics Code, since 1953, has underscored the necessity for keeping confidential patient information arising from the therapeutic relationship; this imperative pre-dates the HIPAA regulations. The HIPAA regulations reinforce this principle as part of good professional practice.
Yet on occasion HIPAA may allow an exception that could present a conflict for the psychologist. This was the case in New Hampshire when the HIPAA regulation was interpreted to allow access to records without the patients’ knowledge or consent. The Attorney General’s office argued that medical records were accessible in an investigation. However, the mental health profession’s privilege statute was quite robust, stating that, “nothing in this chapter shall be construed to require any such privileged communications to be disclosed, unless such disclosure is required by a court order.” While the HIPAA regulation allows state licensing boards to access records in a lawful manner, the state statute did not provide such access, so their record taking arguably was not considered “lawful“ under New Hampshire statutes.
So in the situation described above, if an estranged spouse complains to the licensing board that the partner’s therapist broke up the marriage, the licensing board would want to see that record to investigate. Does the board ask for permission from the patient to see the record? Or does the state have the authority to override the consent requirement? What if the ex-spouse is harassing the patient within a controlling or abusive relationship? The intersection of the psychologist’s ethical mandate to protect the patient, requiring patient consent, along with the statute that upholds the patient’s privilege, is in conflict with the subpoena from the Attorney General’s office which claims (debatably in error in NH) that the request is in accordance with HIPAA regulations.
Whose rights are at stake here?
The Attorney General’s office continued to argue that the rights of the psychologist were the matter of concern and once licensed, psychologists gave up various rights for that privilege. That assertion was objectionable, and indeed the state Supreme Court upheld due process for any licensed professional, yet that was not the prime concern argued on this matter. The patients’ rights were the center of the debate. Could the state take patients’ medical records without their knowledge or consent? The matter grew even deeper when the state also asserted that it could compel an unwilling witness to testify at a public hearing about their psychotherapy and reveal the contents of the records? The well-being of a vulnerable patient concerned the legislature, who ultimately defended that citizen’s right to privacy.
Resolution - The matter was debated for three years; at the board level, then before the legislative rules committee, then into resolutions before the legislature and governor, and finally through both houses to a change in statute that defined the limits of the state’s reach into medical records, which were to be obtained in redacted form. Although a simple idea, the mechanics for redaction and de-identification of the record were complex. For instance, how would the board would deal with recusals if it does not know who the patient is? The final solution upheld patients’ privacy in shielding them from mandatory public hearings in the bipartisan law that passed unanimously in the House and Senate.
Lesson for the Psychologist - Simple compliance with legal mandates may impact your patients. The responsible psychologist will reflect on the implications of unusual requests and consider the well-being and rights of the patient, as well as the professional standards and legal mandates, and seek consultation, conduct background research on the request, and pursue legal advice before taking action. The American Psychological Association (2002) ethical code reinforces the complexity of our position in these dilemmas:
1.02 Conflicts Between Ethics and Law, Regulations, or Other Governing Legal Authority: If psychologists’ ethical responsibilities conflict with law, regulations or other governing legal authority, psychologists clarify the nature of the conflict, make known their commitment to the Ethics Code and take reasonable steps to resolve the conflict consistent with the General Principles and Ethical Standards of the Ethics Code. Under no circumstances may this standard be used to justify or defend violating human rights.
Potential Privacy Challenges in Statute and Regulations
How does the New Hampshire experience relate to other states or the national scene? We are facing volumes of federal regulations under the Patient Protection and Affordable Care Act (PPACA), also commonly referred to as Affordable Care Act (ACA). The new rules are not yet completed on this new federal health care program. How these regulations are developed, and whether they are harmonious with our professional standards and our state statutes, will depend on who is writing them and what they are aware of, in their urgency to complete the system in time for implementation. It remains to the psychological profession to be ever vigilant in our concern for protection of the public as these regulations unfold over the coming years.
At your desk
As we work to protect our clients, this author has a few practical suggestions:
- It is advisable to validate requests for information with the patient to allow him/her to object before such release. If in doubt, seek legal counsel.
- For requests that are “required by law” research the underlying validity of the order, the statute, and seek peer and/or legal counsel.
- Assist your professional organizations at state and national levels to be sure that clinical security for your patients’ information is a priority in legislative and regulatory efforts.
At this time, our profession is facing challenges regarding confidentiality that will be refined as we navigate the new age of greater government involvement in healthcare and potential pressures upon the security of the medical record. Prior to this time, the infrequent exceptions to confidentiality have generally been case-specific risks of danger to self and others, or competency issues for which we could clinically understand the particular implications regarding our patient. Yet the changes ahead could be much broader and might change the level of privacy one might expect in our offices and impact our outreach for effective patient care. The result will impact the security a patient feels to disclose personal issues in a relationship of trust. If we are aware of the issues behind newly developing demands on information and we remain in touch with our peers to assert our professional values together for patient well-being, we can have a voice in defining downstream access and use of patient psychological information and in underscoring the importance of privacy to effective psychotherapy.
Dr. Warner received her doctorate in Clinical Psychology at Bowling Green State University in Ohio, and interned at the University of Rochester Medical School in New York. After years of clinical practice, she combined her passion for building projects with her family therapy background to create Renovation Psychology, which applies psychological concepts to strengthen relationships and teamwork for improved domestic harmony. Dr. Warner also maintains a clinical practice in Littleton, NH. Dr. Warner has been credentialed by the National Register since 1990.
American Psychological Association. (2002). Ethical Principles of Psychologists and Code of Conduct, (p. 5). Washington, DC: APA
Federal Register, Vol. 78, No. 17, Part II, CFR 45.160 and CFR 45.164 (January 25, 2013).
New Hampshire House Bill 554, Title: relative to mental health records (2012).
New Hampshire House Bill 1508, Title: relative to procedures of the board of mental health practice (2012).
New Hampshire Revised Statutes Annotated, RSA 330-A:32 Privileged Communications (1998).
Additional helpful links:
Federal Register summary of changes to HIPAA:
HIPAA Regulation Final Rule, official:
US HHS Office of Civil Rights HIPAA information website:
US HHS model Notice of Privacy Practices:
US HHS model Business Associate Agreement:
US Supreme Court upholds psychotherapy privileged information:
Jaffee v. Redmond, 518 U.S.1, 116 S. Ct 1923 (1996)