
Federal and State Health Care Privacy Issues Every Pennsylvania Mental Health Professional Should Know About

Most Pennsylvania mental health professionals are familiar with the basics of HIPAA.  However, the law is far more nuanced in practice, leaving many providers susceptible to violations and caught off guard when one occurs.  HIPAA must be interpreted in conjunction with Pennsylvania mental health privacy laws.  Accordingly, knowledge of the interplay between these federal and state laws is required to maintain compliance with both.  Most importantly, this knowledge allows mental health professionals to prevent privacy violations and to respond swiftly in the event of a breach.
 

HIPAA Enforcement 

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for enforcing HIPAA by conducting its own compliance reviews and responding to complaints.  If OCR accepts a complaint for investigation, OCR will notify the person who filed the complaint and the covered entity named within it.  The complainant and the covered entity will then be asked to present information about the problem described in the complaint.  OCR may request additional information throughout the investigation.  Covered entities are required by law to cooperate with complaint investigations.  It is therefore critical to work with your attorney so that you respond to OCR in a timely manner.

Although OCR considers the size of a covered entity when determining whether its safeguards are "reasonable and appropriate," solo and small therapy practices must still take measures to prevent intentional or unintentional use or disclosure of protected health information (PHI) in violation of the Privacy Rule.  For example, the covered entity must designate a knowledgeable Privacy Officer and train all workforce members on its privacy policies and procedures as necessary and appropriate for them to carry out their functions.  Covered entities must report breaches of unsecured PHI to HHS. 

 

HIPAA and Pennsylvania Mental Health Law 

HIPAA compliance can be more challenging than one might expect because mental health practitioners are often faced with thorny disclosure issues.  For example, parents frequently request information about their child's mental health treatment.  Generally, the HIPAA Privacy Rule "allows a parent to have access to the medical records about his or her child, as his or her minor child's personal representative when such access is not inconsistent with State or other law." See U.S. Department of Health and Human Services, Office for Civil Rights, FAQ 227, Does the HIPAA Privacy Rule allow parents to see their children's medical records? (last reviewed Dec. 28, 2022).  

Pennsylvania mental health law concerning disclosure of a minor's outpatient mental health records to a parent is more stringent than HIPAA's general rule.  See Act of Jul. 23, 2020, P.L. 647, No. 65, Section 1.2 ("Release of Medical Records").  In January 2023, the Office of Mental Health and Substance Abuse Services of the Pennsylvania Department of Human Services issued a Bulletin to provide guidance on Act 65 of 2020.  It reiterated that "[a] minor can provide consent to outpatient treatment, without the consent of a parent or legal guardian. When a minor consents to outpatient treatment, a parent or legal guardian cannot be notified of the initiation of treatment unless the minor consents to notification of the parent or legal guardian." See Office of Mental Health and Substance Abuse Services, OMHSAS-23-01, Act 65 of 2020: Consent to Mental Health Treatment for Minors (issued Jan. 24, 2023).  

HHS recognizes certain exceptions to the general rule that parents are to be considered "personal representatives" of their minor children.  A parent is not the minor's personal representative when state law does not require the consent of a parent or other person before a minor can obtain a particular health care service, and the minor consents to the health care service. 

To illustrate, "if State law provides an adolescent the right to obtain mental health treatment without parental consent, and the adolescent consents to such treatment, the parent would not be the personal representative of the adolescent with respect to that mental health treatment information."  See U.S. Department of Health and Human Services, Office for Civil Rights, HIPAA Privacy Rule and Sharing Information Related to Mental Health, 4 (last accessed Jan. 13, 2025).

HHS is clear that "the Privacy Rule prohibits a covered entity from disclosing a minor child's protected health information to a parent, or providing a parent with access to such information, when and to the extent it is prohibited under State or other laws (including relevant case law)."  See U.S. Department of Health and Human Services, Office for Civil Rights, Personal Representatives (last reviewed Jan. 5, 2024). 

If the evidence indicates that the covered entity was not in compliance with HIPAA, OCR will attempt to resolve the case with the covered entity by obtaining voluntary compliance, corrective action, and/or a resolution agreement.  

Failure to comply with federal and state health care privacy laws would, by extension, result in a violation of the mental health provider's professional standards of practice, leaving one's license vulnerable to a state board investigation and possible penalties.  

Mental health professionals in Pennsylvania should work closely with an attorney who understands these nuances to navigate the complex and often opaque landscape of mental health law at the state and federal level.  At a minimum, this requires mental health professionals to undertake an internal HIPAA risk assessment every one to three years.  Contact McCluan Law for questions regarding HIPAA Privacy Rule and Pennsylvania mental health law compliance.