Providers and payers alike are increasingly exploring ways to treat the “whole person” by integrating behavioral health care with physical medicine. This integration is critical to helping achieve better outcomes and increasing quality of care. Achieving full integration has proven to be quite challenging, including navigating the legal and compliance requirements when designing and implementing a behavioral health and primary care integration model (“Integrated Model”). For organizations that are in the process of developing and/or expanding an integration program for behavioral health and primary care, it is imperative that they take into consideration state and federal privacy laws.
The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Health Information Technology for Economic and Clinical Health Act (“HITECH”), Confidentiality of Substance Use Disorder Patient Records at Title 42 of the Code of Federal Regulations, Part 2 (“Part 2”) and state privacy and confidentiality laws all govern how health information can be used and shared within an Integrated Model. Failure to comply with these privacy laws can result in state or federal enforcement action including fines.
HIPAA and HITECH
Providers must take into consideration how the Integrated Model will impact existing privacy, security and breach notification policies and procedures. For example, changes may need to be made to the notice of privacy practices, patient rights policies and procedures, business associate agreements, authorizations to release information, procedures to adequately protect psychotherapy notes, access to electronic protected health information, the security risk analysis and other areas of HIPAA and HITECH impacted by the Integrated Model. Applicable policies and procedures should be reviewed and revised as needed to reflect the changes of the integration process.
Additionally, if the Integrated Model involves a partnership with multiple covered entities, the arrangement should clearly define the roles and responsibilities with respect to HIPAA and HITECH obligations, especially regarding the Breach Notification Rule.
42 CFR Part 2
Part 2 regulations are more stringent than HIPAA with respect to the use and disclosure of substance use patient records. Unlike HIPAA, there is no treatment, payment and health care operations exception. A patient’s written consent is required, with few exceptions, for disclosures that would identify the patient as having a substance use disorder. In January 2017, the updated final Part 2 regulations were issued. Part 2 will continue to apply to a program that is federally assisted and holds itself out as providing substance use disorder diagnosis, treatment or referral for treatment. The Substance Abuse and Mental Health Services Administration has indicated that while the phrase “holds itself out” is not defined in the regulations, it is viewed more broadly than whether or not the services are formally advertised by an entity. Part 2 will also continue to apply to such a program that is part of a general medical facility. Integrated Models should analyze the program to determine which components are subject to Part 2 restrictions and ensure there are processes and procedures in place to comply with the more stringent requirements, including making certain that qualified service organization agreements are in place when required. For Integrated Models, revisions to the Part 2 consent form and other Part 2 policies and procedures are likely required. Compliance with HIPAA alone is not sufficient for programs that are subject to Part 2.
State Privacy and Confidentiality Laws
Generally, states have confidentiality provisions that impose certain requirements on psychologists, psychotherapists, behavioral health professionals, mental health providers and health care entities related to confidential relations and communications between a behavioral health patient and the provider. Additionally, state laws often impose stricter privacy considerations on the use and disclosure of mental health records, which are usually defined under state law differently from general medical records. Integrated Models should evaluate the types of communications and relations that are protected under state confidentiality laws and determine which records are considered mental health records to ensure compliance with the laws. State duty-to-warn laws should also be evaluated to allow the Integrated Model to put in place processes and procedures to comply with the duty-to-warn requirements in an integrated setting.
Sharing patient information within an Integrated Model and with outside providers can prove to be challenging. Depending on the type of information being used and shared and the recipient of the information, valid authorizations or consents may be required. Integrated Models must develop procedures to ensure that each provider has access to the information necessary to treat the patient while at the same time ensuring that privacy and confidentiality laws are followed. Electronic medical records must also include the appropriate security measures to ensure patient information is not inappropriately accessed. For Integrated Models that participate in a Health Information Exchange (“HIE”), a careful analysis of how behavioral health information can be included should be performed to ensure compliance with HIPAA, Part 2 and state laws. The re-disclosure prohibition on Part 2 disclosures and the appropriate method for completing the consent form for the HIE should be a part of the analysis.
To ensure Integrated Models are compliant with state and federal privacy and confidentiality laws, including how information can be shared, health care entities should incorporate a privacy analysis into the implementation process to include the following:
- Perform a HIPAA audit to ensure no privacy or security gaps exist as a result of the Integrated Model implementation;
- Perform an analysis of Part 2 applicability to the Integrated Model and ensure that consent forms and processes and procedures have been updated to incorporate changes from the Part 2 final rule; and
- Evaluate state laws to confirm required privacy and confidentiality restrictions are in place.