Possible HIPAA Changes Could Compromise Privacy of Substance Use and Mental Health Information (RFI Part 2)
This post will address Part 2 the Office for Civil Rights’ (OCR) request for information (RFI) on possible changes to the Health Information Portability and Accountability Act (HIPAA). Part 2 discusses possible loosening of privacy rights to allow family, friends, and caregivers to get access to a patient’s health information – specifically substance use and mental health information.
I originally tweeted my analyses here, but have put the tweets together in this post (with edits) for easier reading. The RFI can be found here. And introduction to the RFI as well as an analysis of the first part can be found here.
In this second portion, “Promoting parental and caregiver involvement and addressing the opioid crisis and serious mental illness,” the OCR states it is looking for feedback on
Encouraging covered entities, particularly providers, to share treatment information with parents, loved ones, and caregivers of adults facing health emergencies, with a particular focus on the opioid crisis.
The OCR, further states:
…anecdotal evidence suggests that some covered entities are reluctant to inform and involve the loved ones of individuals facing such health crises for fear of violating HIPAA. This reluctance may hinder effective coordination of care and case management involving caregivers, including family members and friends.
However, this portion isn’t just about those with substance use issues, but about “serious mental illness” (an undefined term) as well. And the questions within the RFI are disconcerting. More so, the idea that reluctance to share information is a problem is frightening. As I’ll discuss below, there are reasons this information is protected.
Before diving into the questions, it’s important to note how the rhetoric of the “opioid crisis” is hurting patients. As a result of bad policy making and misinformation, patients are losing access to critical treatment with opioids to address their pain. The idea that the “opioid crisis” is now being used as a possible excuse to take away protections on patients’ protected health information (PHI) disturbs me. The HIPAA Privacy Rule already has provisions for sharing PHI – specifically for treatment and with personal representatives (which can be family, friends, caregivers, or other folks with a medical power of attorney).
Further, extra protections have been placed on issues like substance use and mental illness for very good reasons. Stigma is rampant with both of these issues and the release of information to others, especially family, can be incredibly detrimental.
What sharing exceptions are in place? There are exceptions for emergencies found at 45 CFR 164.510(b)(3). In an emergency, if you are able to make your wishes known or have done so previously, doctors have to follow your requests. But if you are incapacitated, they can disclose any or all of your information based on what they think is in your best interest.
I discussed yesterday the issues with “best interest” standards in the previous post, saying:
Most patients know doctors who decide something is in their best interest when, in fact, the patient does not want or need what the doctor suggests. Allowing providers to make decisions for patients and without patients is something we’ve fought to move away from for decades.
As to other ways providers can share your information with family, HIPAA allows for disclosures if someone one is your personal representative (e.g. you have a healthcare power of attorney), you ask a provider to, or if a provider tells you they might and you don’t object. For more general information on sharing health information with family/friends/etc, you can go here.
Certain types of sensitive health information often have more protections including, mental health, substance use, genetic information, and HIV/AIDS information has a higher level of protection (each of these may have even stricter privacy standards in different states). Providers should be asking consent before sharing it with anyone, but in general they can share it with other providers as needed for treatment.
But even beyond treatment, this sensitive information can be shared with others outside a treatment team. The OCR directly addresses issues of sharing mental health information, like when a patient stops taking mental health medications. They have further guidance on sharing mental health and substance use, including care coordination here. In other words, they do allow doctors to share with family/friends this very private information.
The idea behind sharing mental health information is ostensibly for safety – specifically if the patient may be a harm to themselves or others. This is a policy area that is already fraught with complications and the limitations on sharing interpreted broadly (i.e., generally they are more likely to allow sharing than not). That said, even though there are already provisions to share information, the OCR is considering expanding HIPAA to allow family, friends, and others to have more access to health information – not just any information, but sensitive mental health and substance use information.
The OCR begins by asking about information sharing to address the “opioid epidemic” (Note: they called it a crisis earlier. The use of “epidemic” is also a misnomer as epidemics relate to infectious conditions):
22) What changes can be made to the Privacy Rule to help address the opioid epidemic? What risks are associated with these changes? For example, is there concern that encouraging more sharing of PHI in these circumstances may discourage individuals from seeking needed health care services? Also is there concern that encouraging more sharing of PHI may interfere with individuals’ ability to direct and manage their own care? How should OCR balance the risk and the benefit?
I believe this is in part a knee-jerk reaction to the “opioid crisis.” However, in health policy, reactions like this to any “crisis” or “epidemic” are rarely helpful and have long-lasting effects (not too long ago, one might remember the “obesity epidemic” which led to a spate of bad rules that hurt type 1 diabetics). By proposing to change HIPAA in response to the “opioid crisis” that does not exist, we are risking future privacy concerns for all with substance use and mental health issues.
Many individuals do not seek treatment because they are afraid of stigma. the idea that information about their substance use or mental illness could be shared more broadly will discourage folks from seeking care. We’ve already seen it and it’s part of why we protect this information.
Further, as the questions suggest, sharing information may very well interfere with an individual’s ability to direct their own care. Relationships with family, friends, and caregivers are complicated, if they have sensitive information, they may interfere with care. Individuals should maintain the right to decide who is involved in their own care, which includes who to exclude from their care. There are enough exceptions within the law to share information for emergency circumstances, no more need be made.
The OCR isn’t just concerned with substance use but mental health. They ask:
23) How can OCR amend the HIPAA Rules to address serious mental illness [SMI]? For example, are there changes that would facilitate treatment and care coordination for individuals with SMI, or ensure that family members and other caregivers can be involved in an individual’s care? What are the perceived barriers to facilitating this treatment and care coordination? Would encouraging more sharing in the context of SMI create concerns similar to any concerns raised in relation to the previous question on the opioid epidemic? If so, how could such concerns be mitigated?
The OCR is putting mental illness here because of broad comorbidities between substance use disorders and mental illnesses. However, it does conflate the issues and perhaps perpetuates more stigma for both. It also does not define SMI. This could be interpreted broadly (anyone deemed as having “severe depression” or perhaps circumscribed to illnesses already deeply stigmatized and misunderstood, like borderline personality disorder.)
This question asks how family and other caregivers can be involved, which assumes that they can’t be involved. As above, those individuals have every opportunity to be involved IF the patient wants. It’s disturbing to think that the OCR thinks family and caregivers should have more rights to be involved in care. They should not. There are many reasons they should not have more rights.
The most relevant example is for folks who have abusive family or caregivers. A lot of people with substance use issues or mental illness have suffered from abuse. Many have worked hard to escape it or in the very least, place boundaries around people who remain in their life who were or are abusive. They do not want these abusive individuals to have anything to do with their care.
A personal example: I attempted suicide 3 years ago. Somehow my abuser found out where I was and called the hospital. They told me they didn’t share information, but they passed along his. It set me into a terrifying panic attack.
Under current HIPAA rules, the doctors could have given him every bit of information about my status at that time because it was technically an “emergency” (though the true emergency had passed). I’m glad they didn’t. If HIPAA rules are changed to allow family and other more rights to be involved in my care, he could have insisted.
Can you imagine if you’re coming out of a suicide attempt, partly a ramification of trauma from abuse, to learn that your abuser knows everything about your status and where you are? That they could insert themselves into your care?
Not to mention, while providers need to make “good faith” efforts to ensure the person calling is who they say they are, there are quite a few providers who do not make much of an effort at all. An abuser could call in claiming to be family and get information and insert themselves in your care… This is not okay.
Patients need to have control over who gets information of their substance use and mental illness information. This extends beyond abuse. It protects people from legally compromising situations (custody battles and divorce, for instance).
And if information is shared, it can fundamentally disrupt the trust in a doctor-patient relationship. It could even lead some patients to discontinue treatment they need. HIPAA was made to ensure trust, to ensure privacy. It is anathema to the intent of the law to open it up to sharing so broadly.
Sharing information about adults with substance use issues or mental health illness is one thing, sharing about adults is another. The OCR asks:
24) Are there circumstances in which parents have been unable to gain access to their minor child’s health information, especially where the child has substance use disorder (such as opioid use disorder) or mental health issues, because of HIPAA? Please specify, if known, how the inability to access a minor child’s information was due to HIPAA, and not state or other law.
Sharing information of minor children is an interesting issue and I believe has similar considerations when we think about minor females who become pregnant and want an abortion.
But before talking about reproductive care similarities, it’s important to understand what HIPAA currently allows. Under HIPAA right now, parents can have access to minor children’s health information, including mental health information. The OCR gives guidance here.
However, we realized decades ago that as children age, they may have good reason for wanting privacy with their healthcare. Specifically, we realized that females who become pregnant at a young age may need privacy to get the healthcare they need. We saw that parents were either forcing teens to get abortions or forcing them to keep pregnancies. We saw that parents were keeping teens from getting reproductive education and care including contraceptives and STD testing. Those same concerns persist. Nina Martinez shared information from the CDC that found in 2016:
About 7% of persons aged 15–25 would not seek sexual or reproductive health care because of concerns that their parents might find out about it.
For females aged 15–17 and 18–25, those who had confidentiality concerns were less likely to receive sexual and reproductive health services in the past year compared with those without these concerns.
Less than one-half of teenagers aged 15–17 (38.1%) spent some time alone in the past year during a visit with a doctor or other health care provider without a parent, relative, or guardian in the room.
Teenagers aged 15–17 who spent some time alone during a visit with a health care provider were more likely to have received sexual or reproductive health services in the past year compared with those who had not.
I can do an entire thread on the public policy, seminal lawsuits, and ethics discussions around privacy rights and reproductive health for minors. But the importance is that many of the same issues apply to all of healthcare, including substance use and mental illness. And confidentiality laws around healthcare greatly impact care for minors. Martinez also shared this important study which found that confidentiality laws are lacking for minors though:
Confidentiality can be a factor when individuals are seeking a broad range of health care services, including substance abuse treatment, mental health care or services related to intimate partner violence.
Confidentiality matters. As Hollis (@viaholiday) points out:
It’s also something that is an issue for trans kids (and to a lesser extent LGB+ kids too) who could be outed to transphobic/homophobic parents which could put them in danger, in addition to them not able to seek medical care they need.
While we’d like to believe that families are supportive and want the best for their kids, not all families are or do. And even if some families could be supportive, some young folks may fear their family won’t be. As a result, fear, whether based “justified” or not, many young adults may not seek care because they don’t their family will find out.
Again, information can already be shared with few exceptions. Perhaps instead of looking at expanding information sharing, we should consider the rights and autonomy of minors who may need privacy so they can get the care they need.
My last few tweets really speak to this next question.
25) Could changes to the Privacy Rule help ensure that parents are able to obtain the treatment information of their minor children, especially where the child has substance use disorder (including opioid use disorder) or mental health issues, or are existing permissions adequate? If the Privacy Rule is modified, what limitations on parental access should apply to respect any privacy interests of the minor child?
To recap, in my opinion, existing permissions are adequate and we do need to think about limitations to protect kids as they age so they can feel and be safe when seeking care.
The first sub-question dives deeper into who gets minors’ information.
a) Currently, the Privacy Rule generally defers to state law with respect to whether a parent or guardian is the personal representative of an unemancipated minor child and, thus, whether such parent or guardian could obtain PHI about the child as his/her personal representative; if someone other than the parent or guardian can or does provide consent for particular health care services, the parent or guardian is generally not the child’s personal representative with respect to such health care services.21 Should these standards be reconsidered generally, or specifically where the child has substance use disorder or mental health issues?
Not all parents are personal representatives for their kids. Sometimes the representative is a person acting “in loco parentis” (a term that essentially means someone acting in the parents’ stead, often someone appointed by the state to care for a child). These are often very fraught legal cases. State laws vary on who represents a kid. While there may be reasons to make one standard for this, I doubt that the OCR can do it with the nuance that states have undertaken these policy issues over decades.
Privacy rights change when someone turns 18. The OCR wants to know if parents should have rights then:
b) Should any changes be made to specifically allow parents or spouses greater access to the treatment information of their children or spouses who have reached the age of majority? If the Privacy Rule is changed to encourage parental and spousal involvement, what limitations should apply to respect the privacy interests of the individual receiving treatment?
It’s already troubling that parents can have information of older teens who should have some autonomy in their care, but expanding it to when that kid turns 18 is scary. The same issues around older teens persist is it safe for the parents to know? Will it help or hurt the patient? Or, as with opening up protections for substance use issues and mental health, will it allow parents to detrimentally intervene in care?
While ostensibly the OCR is saying they want to increase family involvement, not all family involvement is positive. Same with spousal involvement. The patient should have control over who has their information. Expanding access takes control away.
The next question makes me think that this isn’t about coordinating care at all.
c) Should changes be made to allow adult children to access the treatment records of their parents in certain circumstances, even where an adult child is not the parent’s personal representative? Or are existing permissions sufficient? For instance, should a child be able to access basic information about the condition of a parent who is being treated for early-onset dementia or inheritable diseases? If so, what limitations should apply to respect the privacy interests of a parent?
It’s interesting to see this question presented in a discussion that started out as being about the “opioid crisis.” More so because this isn’t about facilitating care for an adult parent as a patient but for their adult children.
I can see why folks would want to know about inheritable diseases and early-onset dementia, but there are very good reasons a parent may not want their kids to know. And knowing this information is not going to necessarily help the person with the diseases. It becomes about others and not the person with these illnesses. Again, the privacy rights of the patient should not be trumped by what another person wants to know.
It’s even more interesting that this information is coming up at a time when we’re expanding our knowledge of the human genome but where so much is still not understood. How will ‘inheritable diseases” be defined? We know a lot of genetic markers for diseases and that these genes are inheritable, but those markers aren’t necessarily a sure bet that you’ll develop an illness. Breast cancer is a popular example of variations in inheritability.
We do know that there are genetic markers that predispose people for substance use illnesses and for mental health illnesses. For instance, we know there’s a high likelihood of alcoholism to run in families or for schizophrenia to run in families. Would knowing certain markers or certain diagnoses fall under “inheritable diseases”? And should anyone but the patient have a right to know?
Genetic policy is transforming right now, privacy rights should absolutely be addressed, including how HIPAA affects policy. But I am not sure, based on this question, that the patient is at the center of this discussion.
Finally for this section, We return to essentially the same question above on how personal representative should be defined. However, with adults there are more issues to consider.
26) The Privacy Rule currently defers to state or other applicable law to determine the authority of a person, such as a parent or spouse, to act as a personal representative of an individual in making decisions related to their health care. How should OCR reconcile any changes to a personal representative’s authority under HIPAA with state laws that define the scope of parental or spousal authority for state law purposes?
Personal representatives for adults can be someone with a healthcare power of attorney, someone appointed by the court, or others. HIPAA discusses how personal representatives work and their rights here.
I think the more important question than how we define personal representative is helping patients know their rights in selecting a personal representative, preparing advance directives, and letting family, friends, caregivers, and providers know their wishes.
Selecting someone to be a personal representative is an something we don’t often talk about until someone is close to death or showing signs of Alzheimers or dementia. Once a personal representative is selected, they have fairly broad rights, which is why it’s important to have that discussion much sooner. When you have time and space to talk about your future and your wishes can make a huge difference in your care.
If the OCR wants to facilitate coordination of care and including family/friends in care, they should be promoting discussions around these advance directive issues and how to involve others in your care. This allows patients to be at the center of care and work with those who will improve and help facilitate their care.
To wrap up this analysis, I’d say there are a lot of other issues to discuss in terms of improving mental health and substance use care, but the questions asked by the OCR in this RFI do not address issues that really might help patients. In fact, many of the questions make it clear that they want to compromise the privacy protections of those with substance use issues and mental health illnesses. Sharing more information is not going to address the “opioid crisis” but it could very well lead to family and friends becoming involved in care to the detriment of patients – whether by including abusive family or increasing stigma. Conflating mental health and substance use will likely only increase stigma. And throwing in questions about “inheritable diseases” does nothing to improve care for the actual patient. And lastly, the questions around minors and minors who turn 18 seem to ignore the significant history and statistics we have about how young people facing barriers to get care and what autonomy they should be afforded in their own care.
Of all the sections of this RFI, this section concerns me the most and it should concern you too.
I’d love to hear stories from patients about how their information has/has not been shared and how they think expanding access to substance use and mental health information might affect you.
This ends the second section of the RFI. I’ll be working on posting threads on Accounting of Disclosures (section three) and Notice of Privacy Practices (section 4) soon.