PrivacyPractices Notice … Requirements and Comments
MichaeleP. Dunlap, Psy.D.
Quotingfrom: pp. 82547-56 of the FederalRegister / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules andRegulations, about the requiredcontent of “covered entities’” Privacy Practices Notice:
Theheader must read, ‘‘THISNOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED ANDHOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.’’
Þ providing appointment reminders,
Þ describing or recommending treatment alternatives,
Þ providing information about health related benefits and services that maybe of interest to the individual, or
Þ soliciting funds to benefit the covered entity. If the covered entitydoes not include these statements in its notice, it is prohibited from using ordisclosing protected health information for these activities withoutauthorization.
Þ the right to request restrictions on certain uses and disclosures,including a statement that the covered entity is not required to agree to arequested restriction (ß 164.522(a));
Þ the right to receive confidential communications of protected healthinformation (ß 164.522(b));
Þ the right to inspect and copy protected health information (ß 164.524);
Þ the right to amend protected health information (ß 164.526);
Þ and the right to an accounting of disclosures of protected healthinformation (ß 164.528).
… Weadditionally require the notice to describe the right of an individual,including an individual that has agreed to receive the notice electronically, toobtain a paper copy of the notice upon request.
… … we additionally require the covered entity, if it wishes to reservethe right to change its privacy practices and apply the revised practices toprotected health information previously created or received, to make a statementto that effect and describe how it will provide individuals with a revisednotice.
… … a covered entity’s notice must inform individuals about how theycan lodge complaints with the covered entity if they believe their privacyrights have been violated.
… The notice must also state that individuals may file complaints with theSecretary.
… … we additionally requirethe notice to include a statement that the individual will not sufferretaliation for filing a complaint.
… … we also permit and encourage covered entities to include optionalelements that describe the actual, more limited, uses and disclosures theyintend to make without authorization.
… …Covered health care providers that have direct treatment relationships withindividuals must provide the notice to such individuals as of the first servicedelivery after the compliance date…
… ...Covered providers that maintain a physical service delivery site mustprominently post the notice where it is reasonable to expect individuals seekingservice from the provider to be able to read the notice.
… … a covered entity that maintains a web site describing theservices and benefits it offers must make its privacy notice prominentlyavailable through the site.
… … Section164.520(d)—Joint Notice by Separate Covered Entities …regardingthe ability of legally separate covered entities to produce a single notice.In the final rule, we allow covered entities that participate in an organizedhealth care arrangement to comply with this section by producing a single noticethat describes their combined privacy practices. See ß 164.501 and the corresponding preamble discussion regarding thedefinition of organized health care arrangement.
Areyour eyes glazed yet? I’vecondensed this, leaving out many pages of dense repetitive verbiage.
Because I am a psychotherapist, my records must now have two parts…(p. 82497) the clinical recordwhich will include: medicationprescription and monitoring, counseling session start and stop times, themodalities and frequencies of treatment; summary of diagnosis, functionalstatus, treatment plan, symptoms, prognosis and progress; and my psychotherapynotes, which must be kept separate from the clinical record. Psychotherapy notes covering the content of my conversations with myclient, any comments or analyses I makeof those conversations are not accessible to the client for inspection andcopying under HIPAA . ( I must note that in the privacy notice) Nor are the psychotherapy notes to be available for audit. (p. 82653)
Whydoes this trouble me?It all sounds so good, every client will get to read these dense, specificdocuments, will be assured that I can be reported not only to my licensing Boardif I violate the privacy of their protected health information but also to theSecretary of Health and Human Services, (HHS).
ButI am not comforted. I feel somehow that the statement (p82499) that there are only two instances that require me, the “coveredentity” to disclose protected health information: “When individuals requestaccess to information about themselves, and when disclosures are compelled bythe Secretary for compliance and enforcement purposes” (p. 82499) is theopening wedge for making my clients’ information federal property. Am I paranoid? Or is thedizzying fall down the rabbit hole a reminder that I need to be very clear withmyself and clients that my clinical record will contain minimal information,that if they use insurance or managed care the company may request my clinicalrecord as a standard practice, that the clinical record will be increasingly atrisk for review on demand. Do I create an emotional barrier with my client fromour first session when I must present this privacy notice?