November/December 2021

ROI Report: How to Deal With Sensitive Information
By Diane E. Ferry, MS, RHIA
For The Record
Vol. 33 No. 6 P. 8

Any health information, such as but not limited to date of birth, diagnoses, treatment plans, and medical test results, that can specifically identify a patient is considered protected health information (PHI) under HIPAA. The challenge for HIM professionals is knowing and abiding by federal laws and regulations, any applicable state laws and regulations, and any organizational policies regarding sensitive information while at the same time facilitating the appropriate release in order to serve the patient in a secure, timely, and accurate manner. Unclear and inconsistent requirements associated with sensitive information make the challenge even more difficult.

Release of information is frequently a difficult, confusing, and inefficient process for patients. Consider the situation of an elderly or sick patient who needs to get a copy of his or her health record to take to a specialist. In many facilities, the patient will need to park their car, for which there may be a fee, walk into the hospital, which may be a long walk, and then locate the HIM department, which is usually in the basement or attic.

After the patient finds HIM, they are issued an authorization form that can be confusing and not always easy to complete. Often, patients will not complete the form in its entirety, resulting in delays. Add possible sensitive information into the mix, and it’s no wonder patents become confused and dissatisfied.

What’s considered sensitive information? At the federal level, HIPAA provides certain guidelines and requirements. At the state level, some states are specific when it comes to releasing sensitive information, while others are not. Similarly, health care organizations may or may not have specific guidelines. In the end, the HIM team must determine the organization’s requirements at all levels and implement the proper processes.

Target Areas
In general, the following areas of sensitive information may affect release of information depending on the specific information and applicable laws, regulations, and policies:

• mental health diagnosis and treatment;
• sexually transmitted disease diagnosis and treatment;
• drug and alcohol abuse diagnosis and treatment;
• genetic testing; and
• LGBTQ+ information.

Where required, the patient or guardian must grant the health care facility specific permission to release the sensitive information. An analysis of health care authorizations from across the country reveals that HIV/AIDS and behavioral health diagnoses are the most common to be considered “sensitive.” The patient or guardian will need to check off the boxes on the authorization that specifically provides the health care facility authorization to release that information. If the boxes are not checked, the information is typically not released. If the health care facility does not include these diagnoses as sensitive, the information can be released if the patient or guardian signs the authorization or prohibits you from releasing that information.

For mental health, HIPAA states that covered entities, including health care providers, can disclose PHI for treatment purposes without patient consent. The rules define treatment to mean: “… the provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another.”

One exception to this general rule of permitting the sharing of treatment information without consent is that “psychotherapy notes” may be disclosed only with authorization except insofar as they are used by the originator of the notes or for a covered entity's supervised mental health education and training purposes. Psychotherapy notes are a special form of treatment information.

State laws vary widely in terms of authorizing the disclosure of mental health records without consent for treatment purposes. Many of them are, or could be interpreted as being, more restrictive than the HIPAA regulations. A few may even be more restrictive than the substance abuse confidentiality statute. These laws could in many cases stand in the way of coordinated treatment of persons with mental illness. This is an issue that Health and Human Services may consider in any revision of the HIPAA privacy regulations. State legislatures should also review their statutes to ensure that a proper balance is reached between the need for keeping mental health records confidential and the need to share information among treatment providers to ensure proper treatment.

Substance Abuse
Federal regulations governing the confidentiality of alcohol and substance abuse treatment records impose “restrictions upon the disclosure and use of alcohol and drug abuse patient records which are maintained in connection with the performance of any federally assisted alcohol and drug abuse program.”

Such a “program” might be an individual care provider, standalone facility, unit within a general medical facility, or medical staff of a larger medical facility who provide alcohol or drug abuse diagnosis, treatment, or referral for treatment. These regulations also prohibit the redisclosure of information that originated as substance abuse treatment records. In other words, the protections for these records attach to the record and not the custodian, as under HIPAA.

Federal regulations were developed to assist patients in overcoming the stigma and fear of prosecution and thereby dissuading persons with substance use disorders from seeking treatment. To add an extra layer of protection on these records, the regulations outline under what limited circumstances information about a patient’s treatment may be disclosed with and without the patient’s consent.

The regulations restrict the disclosure and use of alcohol and drug patient records that are maintained in connection with the performance of any federally assisted alcohol and drug abuse program. The restrictions apply to any information disclosed by a covered program that “would identify a patient as an alcohol or drug abuser.” This protects any information disclosed by a covered program that identifies an individual directly or indirectly as having a current or past drug or alcohol problem, or as a participant in a covered program.

When sensitive information is released, many states require a statement to accompany the information. For substance abuse records, the following statement should accompany the records:

“This information has been disclosed to you from records whose confidentiality is protected by federal law. Federal regulation 942. CFR, part 2 prohibits you from making further disclosure of the records without specific written consent of the person to whom the information pertains, or as otherwise permitted by the regulations. A general authorization for the release of health or other information is NOT sufficient for this purpose.”

Psychiatric and HIV records should have similar statements that accompany the records when released.

If the restricted PHI is disclosed to another entity or person for emergency treatment, the covered entity is required to request that the person or entity receiving the information not further use or disclose this PHI in any manner.

Ideally, the release request/authorization form is as clear as possible in informing the requestor when a specific type of sensitive information requires an explicit affirmative authorization in order to be released or when it is specifically prohibited from release. Standardizing release request/authorization forms across the nation would facilitate this process significantly. In addition, consistency among the states on what is and isn’t sensitive information would improve understanding and compliance. Furthermore, “tagging” such information in EHR systems would also ensure appropriate release.

Getting It Right
HIM professionals should work with their respective legal departments to ensure that release policies and processes are in compliance with the applicable laws and regulations while at the same time serve the best interests of patients.

Should HIM consider sexually transmitted disease, drug and alcohol abuse, genetic testing, and any LGBTQ information to be sensitive? Should there be an “other” category on the authorization form?

Should the patient be required to designate what information they do and do not want released? Should authorizations be modified to make them easier for patients to understand?

As the gatekeepers of health information, HIM must ensure that patient information is released in a secure, timely, and accurate manner.

— Diane E. Ferry, MS, RHIA, is president and CEO of Star-Med.

Do you have questions about ROI processes? How about interoperability? What are your thoughts on a universal authorization for ROI processes? Feel free to send questions and comments to edit@gvpub.com  and a Star-Med expert will answer selected inquiries in an upcoming column.