The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule provides an important standard of privacy rights and protections for patients with respect to their health information. HIPAA provides a uniform minimum standard, which individual state laws may supersede by mandating additional restrictions.
The American Academy of Child and Adolescent Psychiatry (AACAP) and the American Academy of Pediatrics (AAP) both support the importance of this HIPAA rule in helping to protect against the inappropriate release of private health information, as well as to optimize safe care by allowing important clinical information to be shared among the clinicians of the patient’s care team. It is considered a best practice to inform patients and parents about the critical need for care providers to communicate with each other in providing high quality care.
Unfortunately, misperceptions about the HIPAA Privacy Rule have developed and persisted over the past decade, and these can interfere with appropriate patient care. Collaborative and integrated care systems rely on the appropriate and timely sharing of clinical information among a patient’s treatment providers. If professionals do not appropriately communicate about their shared patients under the belief that HIPAA requires a signed consent for each communication, then patient care may suffer. Therefore, AAP and AACAP have created this issue brief to clarify what the HIPAA rule does and does not limit regarding clinical care information exchange among pediatricians, child psychiatrists and other physicians and mental health providers.
The following are answers to commonly asked questions:
Any pertinent clinical care information, including mental health treatment information, can be disclosed and discussed between a patient’s current treatment providers without written disclosure authorization except for the following two types of information: A) the content of written psychotherapy notes (see below), and B) substance abuse treatment records that are maintained by a licensed substance abuse program (42 USC § 290dd–2; 42 CFR 2.11). Substance abuse information obtained in other treatment settings may be communicated among a patient’s treating providers without written consent.
The HIPAA definition of a “psychotherapy note” is quite restrictive. A psychotherapy note per HIPAA can only consist of a mental health professional’s written analysis of a conversation that occurred during a private counseling session, and that analysis must be maintained separately from the medical record. These written analyses serve as working process notes about sessions to assist the therapist, and are not put into the medical record billing document. Anything that appears in the patient’s medical record cannot be categorized as a psychotherapy note under the HIPAA rule. Specific content that has been listed as not falling under the “psychotherapy note” protections includes medication management information, counseling session start and stop times, the type and frequency of treatment delivered, the results of clinical tests, diagnosis summaries, functional status, treatment plan, symptoms, prognosis, and progress to date (45 CFR 164.501).
Yes. Treatment providers do not have to share the same employer or the same electronic health record in order to disclose pertinent protected health information (PHI) about a mutual patient without consent from the patient or parent. The key component for this HIPAA allowance is that both providers have a treatment or consultative role with that patient. Whenever PHI is transmitted electronically (e.g., telephone voice response, text messaging, faxback or email), it is covered by the Security Rule and must be made secure by measures such as encryption, secure platforms, or closed systems. Voicemail messages, telephone conversations, and paper-to-paper faxes are not subject to the Security Rule. All PHI (e.g., in oral, electronic and written forms) falls under the Privacy Rule.
Yes, but there are additional regulations around the security standards needed for protecting electronic health records. Essentially, rules and procedures are required in the maintenance of an electronic health record to prevent unauthorized access to the record and its unauthorized alteration, deletion and transmission. These security regulations for electronic records are outlined in the HIPAA Security Rule of 2005 and the HITECH Act of 2009.
Yes. Any state regulations that are more restrictive than the HIPAA rules take precedence in those states, so providers need to be aware of their own state’s information regulations. If you are unfamiliar with your state’s regulations, specifically seek out your state department of health’s privacy rules. To obtain information on current state laws, you may also contact the AAP Division of State Government Affairs at stgov@aap.org.
Disclaimer: This information is intended to be educational in nature. It is not intended to constitute financial or legal advice. A financial advisor or attorney should be consulted if financial or legal advice is desired. HIPAA has many different requirements and regulations. Practitioners need to be aware that their own state laws can be more restrictive than HIPAA.
Further information about HIPAA can be found at: