Q&A: HIPAA protections on psychotherapy notes
Q: What are the HIPAA protections for psychotherapy notes, and how do these differ from other forms of protected health information?
A: The HIPAA Privacy Rule defines psychotherapy notes as follows: Notes recorded (in any medium) by a healthcare provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session and that are separate from the rest of the individual’s medical record.
Psychotherapy notes exclude medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: diagnosis, functional status, treatment plan, symptoms, prognosis, and progress to date.
HIPAA requires patient authorization for use and release of psychotherapy notes (even for treatment by another provider in the same facility) other than routine use by the originating therapist.
Do not make the common mistake of thinking that psychiatric medical record documentation has special protection under the HIPAA Privacy Rule. On the contrary, HIPAA treats this documentation the same as any other PHI. Only the separate psychotherapy notes, as defined previously, have heightened protection. Note that other state and federal laws may provide greater protection. Ensure that you know the laws to which your facility is subject or ask your privacy officer.
Consider the following scenario:
A consulting physician at your facility asks to see the private notes you are keeping for one of your patients (outside the patient’s record). You provide the notes without first obtaining authorization from the patient.
Have you done anything wrong?
Yes. These notes are subject to the psychotherapy notes provision under HIPAA. This is a HIPAA violation that must be reported promptly to your privacy officer to determine whether it constitutes a breach.
Editor’s Note: The answer to this question originally appeared in a column in the December issue of Briefings on HIPAA.