TCR: Dr. Brendel, thanks for agreeing to educate us about HIPAA, which remains a pretty mysterious and intimidating entity for most psychiatrists! How did you get to be such a HIPAA expert?
Dr. Brendel: Well, I’ve been interested in the interplay between law and psychiatry for a long time. I received my medical degree as part of a joint M.D./J.D. program at University of Chicago, and then I came to the psychiatry department at Mass General, where I’m now doing a fellowship in forensic psychiatry. Back in April of 2003, when HIPAA privacy regulations went into effect, there was a lot of concern about what these would mean for physicians, and since I was a lawyer, my colleagues would frequently ask me questions about HIPAA. So I sat down and collaborated with Eileen Bryan, CHP (the MGH HIPAA Compliance Specialist) and we put together a number of talks and also an article answering the practical kinds of questions that psychiatrists had about what HIPAA would mean for their practice.

TCR: What is the reference for that article?.
Dr. Brendel: It is in the Harvard Review of Psychiatry in the June 2004 issue.

TCR: I look forward to reading it. But please give us a quick version!
Dr. Brendel: HIPAA stands for Health Insurance Portability and Accountability Act, and it was passed by Congress in 1996 with the goal of improving health insurance coverage and portability. The act is huge, and it covers a lot of legislative territory, but the parts that most concern practicing psychiatrists are elements designed to improve efficiency of the health care system, to detect fraud and abuse, and to facilitate access to medical information.

TCR: Facilitate access? HIPAA has the opposite reputation!
Dr. Brendel: It’s true that most people, because of the privacy policies, believe that HIPAA is privacy legislation. But if there is one thing to remember about HIPAA, it’s that the “P” in HIPAA is not for privacy; it actually facilitates circumstances in which medical information can be shared without consent.

“If there is one thing to remember about HIPAA, it’s that the ‘P’ in HIPAA is not for ‘privacy;’ it actually facilitates circumstances in which medical information can be shared without consent.”
– Rebecca W. Brendel, M.D., J.D.

TCR: How does it do that?
Dr. Brendel: Before HIPAA, the rule was that information patients gave to you would be held confidential unless you had their consent to release it. Under HIPAA, patients initially sign a privacy policy, but that privacy policy says that consent is not required for disclosure of information for treatment, payment and health care operations. So that means that if a patient’s primary care physician calls a psychiatrist whose practice is covered by HIPAA, that psychiatrist can release information to the primary care physician without the patient’s consent, as long as the patient already signed your global privacy policy.

TCR: And whose practices are covered by HIPAA? All psychiatrists?
Dr. Brendel: No, only those psychiatrists who perform certain electronic transactions, including electronic billing.

TCR: On a practical level, what does the typical office-based psychiatrist need to put into place to become HIPAA-compliant?
Dr. Brendel: The first requirement is to have a privacy policy informing patients that there are certain circumstances when their health care information might be released without their consent. (Ed. Note: see accompanying article for information about how and where to obtain free templates of all the documentation discussed in this interview.)

TCR: So under HIPAA, we no longer have to ask our patients to sign a special consent form each time we want to discuss their case with another health care practitioner or with an insurance company?
Dr. Brendel: Correct. HIPAA allows disclosure of health information for treatment, payment and health care operation purposes. So if it falls under the rubric of any of these, it could be released.

TCR: Now, what about releasing information to a patient’s family member?
Dr. Brendel: That would depend on the circumstances, but HIPAA applies mainly to the coordination of treatment between providers, and so usually giving out information to family members requires specific consent from the patient. And this example brings up another point, which is that even under HIPAA, physicians still have their usual responsibility to their patients to do no harm. And so there may be circumstances where it would be harmful to release information and there may also be circumstances where individual practitioners would choose to adopt standards of practice that are more in line with the old days of specific consent rather than just adopting HIPAA’s practices. Also, some state laws may impose a higher standard of protection than HIPAA, so it’s critical to be aware of the laws in your state.

TCR: What about sharing the medical record with patients?
Dr. Brendel: Patients under HIPAA are actually entitled to a copy of their record and also have an explicit right under the law to request that incorrect or incomplete information in the record be changed. That being said, HIPAA does acknowledge that sometimes release of this information to the patient could be harmful. And so under a very narrow set of circumstances such as danger to the life or physical safety of the patient or another person, physicians do have the right to deny patients access to their records, including either the psychotherapy notes or the medical record.

TCR: Aside from having patients sign a privacy policy, are there any other things we psychiatrists need to do under HIPAA?
Dr. Brendel: Yes, HIPAA requires that you take measures to ensure that medical information not be seen by people outside the “circle of knowing.” So, for example, you should not keep patient information sitting on your desk where somebody else could see it, and you should not allow free access to your computer if it has patient information on it. And probably it makes sense to put a password, for example, on a palm pilot if you keep clinical information in that, in case it got lost or stolen.

TCR: Now what about all that legalistic language that everyone adds at the bottom of faxes and emails? Is that triggered by HIPAA as well?
Dr. Brendel: Yes it is. It is meant to protect the patient information contained in the faxes from going to the wrong place or being read by the wrong person. Faxes must have a cover sheet containing a confidentiality notice and emails must contain such a notice as well.

TCR: And exactly what type of information does this notice have to contain?
Dr. Brendel: It has to say that the information is confidential, that is intended for a particular recipient, that the information should be destroyed if it went to the wrong recipient, and it must include some way to contact the sender if privacy was breached.

TCR: What else do psychiatrists need to know?
Dr. Brendel: There’s a special provision about psychotherapy notes. In the past, there has often been confusion about whether patients have rights to their psychotherapy notes because those notes might contain process notes or other information that perhaps the therapist would not want the patient to see. And HIPAA does recognize that some information in the course of psychiatric treatment, like psychotherapy notes, should always be private.

TCR: So if there are notes that are very personal notations about therapy, these are not necessarily something that we would have to give to patients?
Dr. Brendel: That is right. But the thing to be aware of is that the psychotherapy note exception under HIPAA is extremely narrow. Psychotherapy notes are defined as clinician notes that 1) document or analyze contents of conversation; 2) are about something that happened during a private counseling session or during group or family counseling sessions; and 3) must be kept separate from the rest of the individual’s records.

TCR: Can we just create a separate section for them in our chart or do these notes actually have to be in a different chart?
Dr. Brendel: They actually have to be in a different chart, but simply keeping them in a separate chart doesn’t necessarily make them psychotherapy notes. So even if it is called a “psychotherapy” note, if it includes information that under HIPAA is properly considered part of the general medical record, what you have titled the psychotherapy note will not be protected. That information includes things such as the medications prescribed, test results, treatment plans, diagnosis, prognosis, and progress to date. So really, psychotherapy notes under HIPAA are traditional process notes.

TCR: So process notes are absolutely private?
Dr. Brendel: No, not absolutely. They can still be released to an outside party with the patient’s specific consent, and they still could be subpoenaed if there were a lawsuit.

TCR: What about deadlines? Have the deadlines passed us already, we members of Procrastinators Club?
Dr. Brendel: The deadline for implementation of HIPAA privacy regulations was April of 2003.

TCR: What might happen to those of us who don’t get our HIPAA act together?
Dr. Brendel: Not only are there potential fines, but there is actually the possibility of jail time for willful violations of HIPAA.

TCR: Now you’re really sounding like an attorney! But your point is well taken, and I’m sure many our readers will use this opportunity to get quickly up-to-date on their HIPAA responsibilities. I know I will. Thanks very much for your help.
Dr. Brendel: My pleasure. And if any of your readers have any further questions, they can feel free to contact me personally at rbrendel@partners.org.