HIPAA- Health Insurance Portability and Accountability Act Interview with David Schoolcraft, JD and Laura Groshong, LICSW Transcript 10/11/2006
by Dr. John Riolo
This is an edited transcript of the highlights of the 53-minute discussion between David Schoolcraft, Laura Groshong and John Riolo conducted on October 11, 2006. It is not intended to be a verbatim but it captures the essence to the three-way discussion. Listen to the full interview here.
Hello, this is John Riolo, Welcome to the Insider Internet Radio Show where we look at mental treatment from the viewpoint of both consumers and practitioners. We currently have a number of websites so mentioning all would take too much time but all are linked to each other therefore let me mention my latest The Insider’s Guide to Law and Ethics in Mental Health That’s HTTP://WWW.INSIDERLAWETHICS.COM/
We have two guests today.
Laura Groshong, L.I.C.S.W. a private practitioner in Seattle –Director of Government Relations Clinical Social Work Association. Laura has been my guest previously and she returns with a colleague, David Schoolcraft. We will talk about HIPAA Health Insurance Portability and Accountability Act.
David Schoolcraft is a member of Miller Nash law firm in Seattle with a practice focusing on health care, corporate representation, technology, and data privacy. Mr. Schoolcraft also advises clients regarding e-health issues (health care related matters impacted by technology and the Internet), data protection and privacy including HIPAA, and other federal and state privacy laws. He has experience in representing nonprofit hospital, physicians, physician groups, and health care related businesses.
Welcome!
Disclaimer: The information contained in pages found at www.millernash.com are publications of Miller Nash LLP for general purposes only and should not be construed as legal advice or legal opinion on any specific facts or circumstances. If you have specific legal questions, you are urged to consult your own lawyer concerning your own situation. And this applies to this discussion as well.
Riolo: We are going to talk about HIPAA. My guess is that among clinicians there are few things are talked about more among practitioners and understood less. Let’s begin by asking who is a covered entity under HIPAA?
Schoolcraft: Well John, it is a confusing issue probably unnecessarily so but the regulations or scope of authority that congress granted to the agency is limited. There are three classes of covered entities. We will focus on one. However to list them all, would include: Health plans, Health plan clearing houses, and health care providers. The definition of health care provider under HIPAA is only a covered entity if they transmit any health care information in electronic form. HIPAA did not have authority to cover any and all health care providers. They had to tie the definition back to specific transaction they were regulating. As for what it means there are two schools of thought. Some of my clients when HIPAA went into effect wanted to parse this out. Some clinicians said I don’t want to comply with this rule and do I have to? In looking at it very closely on behalf of a number of clients, I determined that there are classes of health care providers who don’t engage in any of these transactions in electronic from and might not be covered. An example would be clinician who has a cash only practice. That’s because the mean transaction is a payment transaction so if you have a clinician that has only a cash only practice technically you could argue they are not a covered entity. But, in looking at that issue, even if you are not a covered entity the question is whether HIPAA has become the standard of care with respect to handling information. So the analysis would go like this. You choose not to comply with HIPAA because you have a cash only practice but there are a number of HIPAA standards which are good practice. Let say you choose not to follow them, the risk is that if patients want to make an issue the court would apply HIPAA as the standards of care. So more often than not even if you can argue that you are not a covered entity you need to think long and hard about why you don’t want to employ some of these practices.
Groshong: I just want to add that when David and I started talking about this, the issue of why you would not want to comply it was raised. We discussed that it will take case law to determine how HIPAA becomes incorporated in general. For example there are now 16,000 complaints that have been filed with OEC for people who have had their information revealed without permission so we don’t really know how the courts are going to look at this. So to be prudent, it is wise for all clinicians to first know HIPAA standards and follow them to be covered.
Riolo: Another attorney who Laura knows Brandt Caudill wrote an article on malpractice tips. He said whether the clinician likes or believes in the medical model, it doesn’t matter. The medical model will be imposed on you whether you like it believe in it or not. Would it be fair to say that whether we like believe in HIPAA or not HIPAA will be imposed on us anyway?
Schoolcraft: Correct. Now the thing to keep in mind is that while there has been a lot of focus on HIPAA since 2003, there are similar laws by states. Some states are more restrictive and have more requirements. So when clients say, should I be doing all this in terms of HIPAA, I say you should be doing most of this already, since state laws have these provisions and some have more requirements than HIPAA. At this point outside of the “country doc” and even for the country doc in many cases, HIPAA will be applied to us whether we like it or not.
Groshong: Regarding the history, the HIPAA privacy rule (April 2003) went into effect that covers privacy, which is different from security. Security that covers actual office sites and what you do with the information went into effect in 2004. The privacy rule was far more extensive. It was created by DHHS (Department of Health and Human Services) after much kicking back and forth. There was a specific clause that was inserted that if states had stronger privacy provisions, state law would apply.
Riolo: This is important. Ordinarily federal law would trump state but this is an exception. Correct?
Schoolcraft: To add to Laura’s point when she says stronger, stronger means from the prospective of greater protections for protecting the patient’s privacy and confidentiality. And yes, the laws specifically state that it is not the intent to take place of state law.
Riolo: That leads to my next question regarding the ownership of records. Laura, you and I have discussed this and in theory there is no disagreement but how does this work in practice? I have always practiced and worked in states that in essence supported the patient’s ownership of records. I was merely the custodian as I saw it. Therefore even before HIPAA my patients had the right to see, copy, and amend their records. HIPAA makes some refinements on this concept does it not?
Groshong: You and I are pretty much in agreement that the patient had the right to see their record. However in the field of mental health records are a little different from medical records where there may be more concrete information. Mental health records may contain information that is the opinion of the clinician, which may not be exactly how they discuss that situation with the patient. So the question is how to keep accurate records and discuss them with the patient in a way that would be supportive to them. It’s created a lot of turmoil within the mental health treatment community.
Another issue is there used to be a line of thinking that, particularly among psychoanalytic clinicians, you should not keep records at all. It was believed that it was an interference between the therapist and patient. Most people I have talked to about this see this as outdated.
There is another part of HIPAA that is an exemption for “psychotherapy notes” which some call process notes. These are intended to be helpful to the clinician and not to be shared with the patient. So HIPAA does give this very unique option for clinicians who want to have part of records that are not shared with the patient.
Schoolcraft: That is a special carve out for psychotherapy notes but it important to look at the black letter of the regulations and look at the definition. However, regarding HIPAA and ownership, HIPAA really does not answer that question. HIPAA does not say who owns the records, but HIPAA definitely provides patients with a clear set of rights. You can almost think of it as the provider has responsibility and rights and HIPAA grants as not so much ownership as a right of the patient to access, copy, view and amend. The regs are couched not in owner ship but rights, a subtle but important distinction.
Riolo: That is an important distinction. With regard to psychotherapy notes, I think the term is unfortunate in that it can be confusing. We are not talking about progress notes or what most of us would think of progress notes correct?
Groshong: Correct. I use the word process as different from progress notes. It is a record of the session (s) that is intended to be helpful to the clinician and NOT intended to be shared with the patient.
Riolo: Let me put myself in the position of a consumer. I have a strong desire to know exactly what is in my health records. This is true of medical and mental health. I know for example under HIPAA that I have a right to see or view my official record, have copies at reasonable costs, and to amend if I felt there was something that was inaccurate.
Schoolcraft: That’s correct but we have to look at the definition of psychotherapy notes, because they are treated differently both as your right to view them as a interested consumer and amend them, etc. What I like to do is to tale a very close look at the definition of psychotherapy notes.
See Section 164.501 "Psychotherapy Notes” are notes recorded in any medium by a health care provider who is a mental health care professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session
(The next part is VERY Important) and that are separated from the rest of the individual's medical record."
So when I have client (clinician) say they want to have personal notes, they have to keep these separate.
However there is a big exception to this. Psychotherapy notes excludes: medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date".
So when you take these two things together, the laws states that you can keep notes just for you but you MUST keep them separate from other parts of the medical record that patients may want other clinicians may need. By rights, you can’t put those in this category. It is only going to be protected if you structurally keep them that way. If you lump everything in the record and the patient says I want to see it, my opinion as a lawyer is you can’t stop the patient from viewing them.
So there is a very small part that you have a right to treat this way and you have to treat that part separate from the rest of the record.
Riolo: My next question. Suppose a litigation come up which could be anything from a fender-bender on up. I remember from my practice that a big danger to patient confidentiality was not just the high tech stuff but the old fashioned pressure on the client to sign a release for their records. Now suppose it is known that I keep these process notes separately. How safe are they?
Schoolcraft: They are safer. In Washington, for example, to get those notes you are going to have to go before a judge and get a court order.
Riolo: You have answered my question. I have had colleagues tell me these process notes are absolutely safe and I was not quite that sure.
Schoolcraft: It’s not going to be easy. The difficulty is that you may have to go to court and the other side will also so it’s expensive for both sides. It is unlikely in my experience that an attorney will go to that expense in most cases simply to get records that may or may not be useful in a most type of litigations that usually involve medical records such as personal injury.
Riolo: My last question on this issue is using myself and my natural curiosity about whatever anyone would write about me. If I am determined enough and willing to spend enough can get them?
Schoolcraft: Well you would be in the realm of a court order. Anything is possible. That would be the trump card.
Riolo: The next logical question some colleagues talked about the many situation where other entities can retrieve information with the patient‘s consent can you address parts of HIPAA where information can be shared with or without the patient’s consent or knowledge?
Schoolcraft: Yes, if we are talking about HIPAA, it sets up a framework that allows for the flow of information without consent. There is an open channel of communication concerning treatment. Similarly there is operational flow, i.e., billing and payment as an example.
The basic framework, if treated like informed consent, might be too restrictive. It gives the defaults. And it is up to the patient to demand additional restriction and they have some rights.
But basically treatment and payments are the defaults. But they have “minimum necessary” standards and is on the need to know basis
Riolo: Most consumers recognize that their insurer will get some information. I think providers have more difficult with that than consumers. But we hear about stories where their MCO might sell, give away make access to their information to other entities such as drug companies looking to see who might benefit or be solicited for medications or something like that.
Schoolcraft: They are violating the law. The default rules do not permit that. That would be a clear violation.
Riolo: Where does HIPAA stand on issues of the government access our records? In the era of heightened security and terrorism can the government get access to my records and does HIPAA support that or comment on that one way or another?
Schoolcraft: Yes. The default rules also include (See Section 164.512 Exceptions). These are a series of disclosures a health care provide may disclose things like mandated reporting and law enforcement. Privacy notices should make reference to these. And clinicians must account for that disclosure. So there is some trade off.
However I advise to err on the side of protecting the patients. You may have to turn over some information but let a court decide. One needs to read not only Section 164.512 but all the laws that are referenced. We need to advise clinicians that it is very important not just to comply. There are times when the government thinks they have these powers and don’t. My point is it really is case by case situation.
Riolo: Yes, that is consistent with one of out other attorneys in the series that you may need to resist subpoenas and make sure there is a court order. (See Subpoenas and Court Orders in Regard to Mental Health Records- An interview with Wendy J. Murphy )
With the remaining time left, let me throw it open. What have I forgot to ask about HIPAA?
Groshong: This is not a question but having spent a lot of time studying these rules I think they have implications for clinicians in terms of the way we think about our work. We all were trained in school to hold records confidential and protect the privacy of the patient but in a general way. I don’t think many of us went into the kind of detail that HIPAA goes into and I think it is a good learning experience for all clinicians to think about the clinical implications of all that HIPAA requires. So I encourage my colleague to educate themselves about the rules and how to apply them in a thoughtful way.
David and I have developed a manual in conjunction with the Clinical Social Work Federation now the /association. If any one is interested in having the Manual, they can more information at http://www.cswf.org/
Riolo: Well that sure is consistent with where I have been going in the last few years. I believe we can not practice as effective clinicians without a good working knowledge of the laws and standards that impact on our practice.
David you have been immensely helpful. Any last words?
Schoolcraft: Well thank you and it is always helpful to have this dialogue. I will only add that it is important when you get a question to get appropriate advice sooner rather than later.
This is the Insider till next time. Comments for this presentation can be left at (214) 615-6044--- 8460. Long distance rates may apply. Or at johnr@psychjourney.com .
Comments may be left at (214) 615-6044--- 8460 Long distance rates may apply. Or at johnr@psychoourney.com
About Our Guests
Attorney David Schoolcraft
Dr. John Riolo, "The Insider" interviews Attorney David Schoolcraft a member of the Miller Nash Law Firm in Seattle with a practice focusing on health care, corporate representation, technology, and data privacy.
Professional Experience
David Schoolcraft is a member of the business department with a practice focusing on corporate representation, technology, health care and data privacy. His corporate practice involves representing companies in mergers, acquisitions, distribution arrangements and general corporate matters. In the technology area, he structures and negotiates e-commerce transactions, and drafts and negotiates software licensing agreements, joint ventures and distribution agreements for Internet-based applications. Mr. Schoolcraft also represents companies seeking to comply with US and international data privacy laws. In the health care area, he assists traditional health care organizations and health information technology companies in complying with state and federal health care regulations and implementing technology initiatives. He has experience representing a wide range of for profit and non-profit entities including Internet infrastructure and software companies, hospitals, physicians and medical related businesses.
Professional Activities
Mr. Schoolcraft is licensed to practice in Washington and is a member of the King County and Washington State Bar Associations and the Washington State Society of Healthcare Attorneys and the American Health Lawyers. He is also a member and serves on the Leadership Counsel for the Pacific West HIPAA Congress. He has been named a Rising Star (Washington Law & Politics) by his peers in 2002 and 2003.
Education
Mr. Schoolcraft received his bachelor’s degree, magna cum laude, from the University of Washington. He received his law degree, cum laude, from Seattle University, where he was an associate editor of the Law Review.
Laura Groshong, LICSW
Laura Groshong, LICSW is the Director of Goverment Relations for the Clinical Social Work Association, July, 2006 to present; Registered Lobbyist since 1996 for 8 mental health groups in Washington state; passed 6 bills in Washington state, including Mental Health Parity law, prevented passage of many more; national Government Relations Chair for Clinical Social Work Federation from 2001-2006; Chair, WA-PACE, 1998-2006; Chair MH-PAC, 2002-present; appointed member, several state mental health work groups and task forces. Visit the Association websites http://www.cswf.org/ and http://www.clinicalsocialworkassociation.org
Ms Groshong has made several presentations on clinical work based on self-psychology principles, creativity, and the effect of self-esteem problems on Oedipal development; co-author of “Manual on Application of HIPAA for Mental Health Clinicians” (2004); author of presentation at 2004 NMCOP Conference on “Comparison of Psychoanalytic Views on Privacy and Confidentiality and HIPAA”; author of several social work licensure laws and rules; co-author and coordinator of 15-hour Course on Approved Supervision.
