The Health Insurance Portability and Accountability Act (“HIPAA”) imposes a wide array of confidentiality and security obligations on healthcare providers with respect to protecting patient information. Often times state law is more stringent than HIPAA, placing additional burdens on providers for confidentiality and security of all or part of a patient’s health record. Indiana law, for example, generally requires more “stringent” protection than HIPAA when it comes to mental health records. One exception where HIPAA dictates specific, greater protections is in regard to “psychotherapy notes.” There has been longstanding confusion among providers regarding the creation and maintenance of “psychotherapy notes,” and how best to address the special requirements imposed by HIPAA on those records.
HIPAA defines “psychotherapy notes” as:
“… notes recorded (in any medium) by a healthcare provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session, and that are separated from the rest of the individual’s medical record. Psychotherapy notes excludes medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date.”
A few key features of this definition should be highlighted. First, the term extends to any variety of “conversation,” which is well beyond the normal, common understanding of “psychotherapy.” Second, the definition includes notes recorded in any medium. Most importantly, the definition identifies notes that are maintained separately from the consumer’s medical record.
“Psychotherapy notes” are granted special protection due, at least in part, to the likelihood that they contain especially sensitive information that is intended to be the personal notes of the treating therapist. As a result, they are treated under HIPAA as separate and distinct from the general health record for that consumer, deserving special protections and requiring secure specific authorizations for disclosure.
The most important takeaway, however, is that HIPAA does not mandate that behavioral health providers generate or maintain “psychotherapy notes.” Further, there are no licensure, accreditation or reimbursement standards that dictate the generation of documents defined by HIPAA as “psychotherapy notes.” Even though a provider may generate documents that fit the broad definition of “psychotherapy notes,” HIPAA does not require that those documents be maintained separately from the general health records for that consumer. As a result, a behavioral health provider may arrange for all therapy notes to be incorporated into the general health records, in which case no “psychotherapy notes,” as defined by HIPAA, have been created for the consumer.
There are important risk management and HIPAA compliance concerns relating to the maintenance, security and production of “psychotherapy notes.” Nevertheless, a behavioral health provider may decide that it is important to generate and maintain “psychotherapy notes” (e.g., to assist the therapist in recalling therapy discussions or to assure additional privacy protections for minor clients). If such notes are generated and maintained separately from the general medical records, then the provider must adhere to HIPAA’s privacy and security requirements associated with “psychotherapy notes.”
The decision to generate and maintain “psychotherapy notes” as defined under HIPAA is important, and it presents special clinical and record keeping requirements for the behavioral healthcare organization. If, on the other hand, the organization chooses to avoid the additional requirements for “psychotherapy notes,” it should develop policies that justify and assure compliance with that decision. The definition of a “psychotherapy note” may not be complicated, but the decision about whether or not to have them in an organization’s clinical records raises important compliance considerations.
Additional information about Plews Shadley Racher & Braun LLP and its health care practice is available at www.psrb.com.