Chapter Five Confidentiality and Access To Records

I.
I
II.
Chapter Five
CONFIDENTIALITY AND ACCESS
TO RECORDS
Table of Sections
Protectio!I of Privacy and Confidentiality.
A. Medical/Psychotherapy Privacy Law Development.
B. Federal Pr?tectwn of Health Care Privacy.
1. Overview of HIP AA Legislation.
C.
D.
2. Rationale for Federal Regulation of Health Care Priva
3. Regulatory Implementation of HIP AA Privacy
a. Covered Health Providers.
b. Protected Health Information.
c. Regulation of Disclosure.
d. to Authorization Requirement.
e. Miscellaneous Requirements.
f. Enforcement.
g. Relationship to State Laws.
Protection of Educational Records Under FERP A.
Legal Remedies for Breach of Confidentiality Under State Law.
1. General Remedies.
a. Actions Based on Breach of Privacy.
b. Defamation.
2. Remedies Arising From Breach of the Patient-Therapist Rela-
tionship.
Exceptions to the Duty of Confidentiality.
A. Introduction.
B. M_andatory Reporting Requirements.
C. Disclosures of Information Indicative of Mental Disorder and/ r D _
gerousness.
0
an
1. Disclosure by Entities Covered by HIP AA.
2. Disclosure by Institutions Covered by FERPA (institutions of
higher learning).
D. Judicial Proceedings and the Testimonial Privilege
1. Introduction.
a. Perspectives on the Judicial Process.
b. and_F:uncti?n of the Testimonial Privilege.
2. ConditiOns GIVmg Rise to the Privilege.
a. The Course of Treatment Requirement.
b. Scope of the Privilege: Communications Made in the Pres-
ence of Others.
3. or Implied Waiver of the Privilege.
a. CIVll Proceedings.
306
'
I
PROTECTION OF PRIVACY & CONFIDENTIALITY 307
b. The Insanity Defense Context.
4. Admissibility of Disclosures During Treatment in Criminal Prose-
cutions.
a. Treatment Information Concerning Prosecution Witnesses.
b. Defendant Disclosures During Treatment.
III. Insurance Mandated Disclosures and Patient Access Issues.
A. Communications Involving Insurers and Managed Care Entities.
B. Patient Access to Records.
I. PROTECTION OF PRIVACY
AND CONFIDENTIALITY
A. MEDICAL/PSYCHOTHERAPY PRIVACY LAW DEVELOP
MENT
The right of individuals to control the disclosure and distribution of
information contained in their medical records is closely tied to the
concept of personal privacy that first gained recognition as a legal
concept close to the end of the nineteenth century. As initially conceived
by Mr. Justice Brandeis the right of privacy as he stated it, is "[t]he
right to be left alone" .I While personal privacy as an interest deserving
of constitutional protection has not crystallized as a stand alone right,
numerous Supreme Court decisions have over time given constitutional
protection to privacy interests in the adjudication of claims under both
the First Amendment and the search and seizure clause of the Fourth
Amendment. The protection of privacy interests has also been the
bedrock or various decisions under the due process clause of the Four-
teenth Amendment recognizing freedom of choice in a variety of personal
activities including procreation and sexual expression.'
The protection of personal privacy from private actor intrusion
gained increasing recognition particularly in the_Jast half of the Twenti-
eth Century. However, this development, which was the product of
either state legislation or common law development, was very uneven
with the degree of protection given to particular privacy interests vary-
1. Brandeis and Warren, 'The Right of
Privacy', 4 Harv. L. Rev.193 (1890).
2. As noted by the Supreme Court in
Paul v. Davis, 424 U.S. 693, 96 S.Ct. 1155,
47 L.Ed.2d 405 (1976), this penumbra of
[privacy) rights has to do only with "mat-
ters relating to marriage, procreation, con-
ception, family relationship, and child
rearing and education.'' Whether medical
records are entitled to constitutional pro-
tection was an issue before the Supreme
Court in Whalen v. Roe, 429 U.S. 589, 97
S.Ct. 869, 51 L.Ed.2d 64 (1977). The
Whalen court was presented with the
question "Whether the state of New York
may record in a centralized computer file,
the names and addresses of all persons
who have obtained, pursuant to a doctor's
prescription, certain drugs for which there
is both a lawful and an unlawful market."
While the court in an opinion by Mr. Jus-
tice Stevens upheld the statute, the court
announced that "in some circumstances,"
[the State may be under a constitutional
duty to avoid] "unwarranted disclosures".
These words have led one commentator to
conclude that the Whalen decision "creat-
ed a framework by which future courts
would develop the right to privacy in med-
ical records." J. Grover & E. Toll, 'The
Right to Privacy and Medical Records,'
2002 Denver University Law Review 540
(2002).
I
308 CONFIDENTIALITY & ACCESS TO RECORDS Ch. 5
ing from state to state .. For instance, the tort of public disclosure of a
pnvate fact was an. actiOnable tort in some states but not others. The
same IS true of medical pnvacy, which was protected to varying degrees
m some. states but not others.' In some the physician's duty to not
m:ormatwn obtamed in the course of treatment was embedded
m a statut_e. In others, a physician's duty to preserve the
confidentially of patient records was either inferred from cognate statu-
tory proVlsiO_ns such as laws giving patients the right to exclud th
doctor's testimony in civil litigation or derived from medical
statutes or professiOnal codes of conduct' g
. While medical_ privacy laws covered psychiatrists who are by defini-
tion phy_s!Clans, they did not cover psychologists or other non-
phySICian professiOnals mvolved in mental health treatment. At the same
time there was a growmg recognition that the privacy interest of
patients bemg treated for mental disorders is as compelling if not more
so than where the treatment involved general medical conditions. The
very nature of psychotherapy" requires the full and frank disclosure of
pnvate facts. As noted by the Supreme Court,
"a psychiatrist's ability to help [a patient] 'is complete! d d t
up [th t" '] . . Y epen en
on e pa Ients w1llmgness and ability to talk f 1 Th"
make 't d"ffi lt f ree y. 1s
. s I I 1cu 1 not impossible for [a psychiatrist] to function
:"1thout bemg able to assure . . . patients of confidentiality and
mdeed, pnv!leged communication. Where there may be exceptions
thiS general rule, there is wide agreement that confidentiality is sine
qua non for successful psychiatric treatment. "
6
. The critical role of confidentiality in mental health treatment led
vanous states over the past fifty years to enact special
statutes that ?arred the disclosure of records and communications be-
tween the patient and the therapist. Significantly, these laws generally
apphed not only to ?sychiatrists but also to all classes of mental health
professiOnals mcludmg psychologists and clinical social workers. Even
where a state had not enacted legislation protecting the confidentiality of
health treatment records or failed to provide remedies for private
1
Igants, courts were able in some instances to adapt established doc-
of general application such as defamation or intentional infliction
o mental d1stress to provide redress for patients whose privacy had been
compromised. The d1fferent doctrinal approaches that courts used t
a. remedy for plaintiffs whose privacy had been compromised
m sectiOn 3.b. infra (Remedies Arising from Breach of the
at1ent-Therap1st Relationship).
3. Biddle v. Wa11en General Hospital
86 Ohio St.3d 395, 715 N.E.2d 518 (1999/
4. Humphers v. First Interstate Bank of
Oregon, 298 Or. 706, 696 P.2d 527 (1985).
5;, _As used in this chapter, "psychother-
apy mcludes both biological therapies and
the range on non-biological treatments de-
scribed in Chapter 1.
6. Jaffee v. Redmond, 518 U.S. 1, 116
S.Ct. 1923, 135 L.Ed.2d 337 (1996). The
case is set out in full at pp. 363-
I
PROTECTION OF PRIVACY & CONFIDENTIALITY
309
B. FEDERAL PROTECTION OF HEALTH CARE PRIVACY
1. Overview of HIPAA Legislation
Federal protection of health care privacy derives from Congress's
enactment of the Health Insurance Portability and Accountability Act of
1996 [HIPAA].
7
The legislation's primary purpose was to enable persons
covered by group health plans to transfer their coverage when changing
employers. The health benefit portability provisions are set out in what
is known as Title I.
Primarily, in support of the benefits portability provisions, Title II
of the Act establishes a regulatory regime for what are termed
trative simplification provisions" designed to promote the replacement 6f
paper-based transactions with more efficient electronic communications.
Included within Title II are three major components: (1) transactions
and code sets, (2) privacy, and (3) security and electronic signatures. In
brief, the transactions code set provisions require that certain transac-
tions pertaining to health care when conducted electronically follow
standards prescribed by the Secretary of the Department of Health and
Human Services (DHHS).
The privacy provisions that are discussed in greater detail in subsec-
tion C infra established rules for tlre use of disclosure of personal health
information in the hands of (1) health care providers (both individuals
and institutions), (2) health plan sponsors (e.g. employer sponsored
group health plans, Medicare, etc.), and (3) health maintenance organi-
zations (HMOs) and Health Care Clearinghouses. These three categories
are termed "covered entities", which under the terms of the Act, are
under duty to prevent unwarranted disclosure, destruction or corruption
of personal health information. Title II also authorizes the Department
of Health and Human Services (hereinafter DHHS) to issue regulations
establishing enforcement mechanisms to ensure compliance with the
mandated terms of the Act.
-
In enacting Title II, Congress charged the DHHS with the task of
filling in the gaps, which given the generalized nature of the statutory
mandates, means that it is the DHHS that has established ground rules
governing the protection of privacy. Given the multiplicity of issues and
the complexity and fragmentation of the health care industry, this has
proved to be a massive undertaking. The results of this several year
effort are the rules implementing the privacy provisions that take up 367
pages in the federal register.
8
DHHS issued final standards for privacy of
individual identifiable health information ("privacy rule") on December
28, 2000.9 While the privacy rule became effective April 14, 2001, the
compliance date was delayed to April14, 2003.
10
7. Prior to HIP AA, federal law only pro-
tected medical information for specific
groups, including medicare participants and
individuals with AIDS. See Butera, "Pre-
emption Implications for Covered Entities
Under State Law, 2002," Tort & Insurance
L.J., Summer, 3 (2002).
8. 45 CFR pis. 160; 164.
9. 65 FR 82462.
10. 67 FR 53182-02. The privacy rules
are supplemented by the Security Rule,
which was issued in final form on February
20, 2003, but will not become effective for
,!
310
CONFIDENTIALITY & ACCESS TO RECORDS
Ch. 5
2. Rationale for Federal Regulation of Health Care Privacy
DEPARTMENT OF HEALTH AND HUMAN SERVICES
Office of the Secretary.
65 FR 82462. 45 CFR Parts 160 and 164. Thursday, December 28, 2000.
In enacting HIP AA, Congress recognized the fact that administra-
tive simplification cannot succeed if we do not also protect the privacy
and confidentiality of personal health information. The provision of high-
quality health care requires the exchange of personal, often-sensitive
information between an individual and a skilled practitioner. Vital to
that interaction is the patient's ability to trust that the information
shared will be protected and kept confidential. Yet many patients are
concerned that their information is not protected. Among the factors
adding to this concern are the growth of the number of organizations
involved in the provision of care and the processing of claims, the
growing use of electronic information technology, increased efforts to
market health care and other products to consumers, and the increasing
ability to collect highly sensitive information about a person's current
and future health status as a result of advances in scientific research.
* * *
INCREASING USE OF INTERCONNECTED ELECTRONIC
INFORMATION SYSTEMS
Until recently, health information was recorded and maintained on
paper and stored in the offices of community-based physicians, nurses,
hospitals, and other health care professionals and institutions. In some
ways, this imperfect system of record keeping created a false sense of
privacy among patients, providers, and others. Patients' health informa-
tion has never remained completely confidential. Until recently, howev-
er, a breach of confidentiality involved a physical exchange of paper
records or a verbal exchange of information. Today, however, more and
more health care providers, plans, and others are utilizing electronic
means of storing and transmitting health information. In 1996, the
health care industry invested an estimated $10 billion to $15 billion on
information technology. See National Research Council, Computer Sci-
ence and Telecommunications Board, "For the Record: Protecting Elec-
tronic Health Information," (1997). The electronic information revolu-
tion is transforming the recording of health information so that the
disclosure of information may require only a push of a button. In a
matter of seconds, a person's most profoundly private information can be
shared with hundreds, thousands, even millions of individuals and or-
ganizations at a time. While the majority of medical records still are in
paper form, information from those records is often copied and transmit-
ted through electronic means.
enforcement purposes until April 2005.
Marks, et aL, 'Analysis and Comments on
HHS's just Released HIPAA Security
Rules,' Davis Wright Tremaine, LLP Memo-
randum, February 17, 2003.
I PROTECTION OF PRIVACY & CONFIDENTIALITY 311
This ease of information collection, organization, retention, and
exchange made possible by the advances in computer and other electron-
ic technology affords many benefits to individuals and to the health care
industry. Use of electronic information has helped to speed the dehvery
of effective care and the processing of billions of dollars worth of health
care claims. Greater use of electronic data has also mcreased our ability
to identify and treat those who are at risk for disease, conduct VItal
research, detect fraud and abuse, and measure and improve the quality
of care delivered in the U.S.
At the same time, these advances have reduced or eliminated
of the financial and logistical obstacles that previously served to protect
the confidentiality of health information and the pnvacy mterests of
individuals. And they have made our information available to many more
people. The shift from paper to electronic With the accompany-
ing greater flows of sensitive health mformatwn, thus strengthens the
arguments for giving legal protection to the nght to pnvacy m health
information. In an earlier period where it was far more to
access and use medical records, the risk of harm to mdividuals was
relatively low. In the potential near future, when technology makes It
almost free to send lifetime medical, records over the Internet, the nsks
may grow rapidly. It may become cost-effective,for instance, for compa-
nies to offer services that allow purchasers to obtai': details of a person's
physical and mental treatments. In addition to legitimate possible uses
for such services, malicious or inquisitive persons may download medical
records for purposes ranging from identity theft to embarrassment to
prurient interest in the life of a celebrity or neighbor.
* * *
Moreover, electronic health data is becoming increasingly "nation-
al"; as more information becomes available form, It _can
have value far beyond the immediate commumty the patient
resides. Neither private action nor state laws proVIde a. suffiCiently
comprehensive and rigorous legal structure to allay concerns,
protect the right to privacy, and correct the market frulures .caused by
the absence of privacy protections. Hence, a natiOnal pohcy with consis-
tent rules is necessary to encourage the increased and proper use of
electronic information while also protecting the very real needs of
patients to safeguard their privacy.
* * *
THE CHANGING HEALTH CARE SYSTEM
The number of entities who are maintaining and transmitting
individually identifiable health information has increased significantly
over the last 10 years. In addition, the rapid growth of mtegrated health
care delivery systems requires greater use of integrated health mforma-
tion systems. The health care industry has been transformed .from one
that relied primarily on one-on-one interactions between patients and
i'i
,, '
I
'
'
312
Ch. 5
clinician: to a system of integrated health care delivery networks and
manage care providers. Such a system requires the processin and
collectiOn of mformation about patients and plan enrollees (for ex:m le
m clmms files or enrollment records), resulting in the creationp of
databases that ean be easily transmitted. This dramatic change in the
practice of mediCme brmgs with it important prospects for the I.
ment of th rt f mprove-
e qua I y o care and reducing the cost of that care It I
hotevert- that increasing numbers of people have access to
m orma IOn. d, as health plan functions are increasingly outsourced a
growmg number of organizations not affiliated with our ph . . '
health plans also have access to health information. ysiCmns or
to the American Health Information Management Associ-
an average of 150 people "from nursin staff t
techmcians, to billing clerks': have access to a patient's
;;;e course of a . typical hospitalization. While many of thes:
m VI u s have a legitimate need to see all or part of a atient's
no laws govern who those people are, what information are
a e o see, and what they are and are not allowed to do with that
m ormatwn once they have access to it. According to the National
I
Reshearchd C?uhncii, IndiVIdually identifiable health information frequently
ss are wit:
Consulting physicians;
Managed care organizations;
Health insurance companies;
Life insurance companies;
Self-insured employers;
Pharmacies;
Pharmacy benefit managers;
Clinical laboratories
'
Accrediting organizations;
State and Federal statistical agencies; and
Medical information bureaus.
f thMuch of this sharing of information is done without the knowledge
o e patient mvolved. While many of these functions are im
smooth functioning of the health care system there are no rufortant for
mg how that information is used by secondary' and t t' es govern-
exainple a h b . er Iary users. For
. ' p armacy enefit manager could receive information to
determme whether an insurance plan or HMO h uld .
tion but th th . s o cover a prescnp-
.' . en use e mformation to market other products to the Saine
patient. Similarly, many of us obtain health i
our em I d . . nsurance coverage though
. P oyer an ' m some mstances, the employer itself acts as the
msurer. In these cases, the employer will obtain identifiable health
mformatwn about Its employees as part of the legitimate health insur-
I
313
ance functions such as claims processing, quality improvement, and
fraud detection activities. At the saine time, there is no comprehensive
protection prohibiting the employer from using that information to make
decisions about promotions or job retention.
* * *
Congress recogiiized the importance of protecting the privacy of
health information by enacting the Health Insurance Portability and
Accountability Act of 1996. The Act called on Congress to enact a
medical privacy statute and asked the Secretary of Health and Human
Services to provide Congress with recommendations for protecting the!
confidentiality of health care information. The Congress further re<lbk-
nized the importance of such standards by providing the Secretary with
authority to promulgate regiilations on health care privacy in the event
that lawmakers were unable to act within the allotted three years.
3. Regulatory Implementation of HIPAA Privacy Provisions
The recently promulgated HIP AA privacy rules for the first time
establish national standards governing patient privacy rights in all
health treatment situations, including mental health. The length and
complexity of the privacy regiilations preclude detailed examinations of
the Privacy Regiilations that came into effect April 2001. Nevertheless,
given their impact, aii examination of at least the key provisions of the
regiilations is necessary. For one thing, the key features of the regiila-
tions set out below will serve as a backdrop for a consideration of many
of the issues treated in this chapter, which in some instances, will now
be controlled by the new rules established by HIP AA.
HIPAA's privacy protection rules extend to not only health care
providers but also to other participants in the health care industry such
as health plans and health care clearinghouses. While the privacy rules
are basically the same for the different classes; some provisions apply
only to one of the above because of its distinct functions within the
health care system. Given the focus of this and prior chapters on the
treatment function of mental health professionals, the materials which
follow will only consider the HIP AA privacy protection rules as they
pertain to health providers.
a. Covered Health Providers
HIPAA regiilations apply only to "covered entities" [hereinafter
CE]. An entity or person is deemed to be covered if it is (1) a "health
plan";11 (2) a "health care clearinghouse";
12
or (3) "a health care provid-
11. "Health plan" has been interpreted
to mean "a program that provides or pays
the cost of health care services. Types of
health plans include employer-sponsored
group health insurance, self-funded em-
ployer-sponsored health plans, and health
insurance sold to individuals, Medicare,
Medicaid, and other public protection pro-
grams." 2002 HIP AA Desk Reference-A
Physician's Guide to Understanding the
Administration Simplification Provisions,
at 3, Ingenix (2001)
12. "Health care clearinghouse" has
been interpreted to mean "A public or pri-
vate entity that does one of the following
, ..
, I
I
:'I
'
l'i
'
er [and] who transmits any health information in electronic form in
connection with a transaction covered [by HIPAA regulations]".
13
Thus,
only providers of health care that transmit health information in elec-
tronic form are subject to HIPAA's privacy protection regime.
A health care provider is defined to include any'' provider of medical
or health services ... and any other person or organization who furnish-
es, bills or is paid for health care in the normal course of business" .
14
The other operative term "health care" is broadly defined to include:
(1) Preventive, diagnostic, therapeutic, rehabilitative, mainte-
nance, or palliative care, and counseling, service, assessment, or
procedure with respect to the physical or mental condition, or
functional status, of an individual or that affects the structure or
function of the body; and
(2) Sale or dispensing of a drug, device, equipment, or other
item in accordance with a prescription.
45 C.F.R. 160.103
The breadth of the definition of "provider" means that in addition
to medical personnel, other professions who furnish or are paid for
mental health treatment services such as psychologists and clinical social
workers are included.
Since only health care providers that use electronic means to trans-
mit health information
15
are subject to HIPAA's privacy provisions, the
definition of both ''electronic means'' and ''health information'' becomes
relevant for purposes of determining coverage. While the term "electron-
ic" is not defined by the regulations, the DHHS has taken the position
that the term includes any hard wire or wireless electronic communica-
tions of health information including in particular e-mail!' However, in
general, voice telephone and paper-to-paper FAX transmissions are not
covered.
17
Also, coverage is triggered even if the electronic communica-
tion pertaining to health information is only internal. Moreover, as noted
by one commentator, "[d]espite a less-than-transparent statutory man-
date, however, HHS decided that once an organization constitutes a CE
under HIPAA, [having once used an electronic communication] all [fu-
two things: (1) processes or facilitates the
processing of information that is received in
a nonstandard format, or that contains non-
standard data content, into standard data
elements or a standard transaction; and (2)
receives a standard transaction and process-
es or facilitates the processing of informa-
tion into nonstandard format or nonstan-
dard data content for a receiving entity.
Health care clearinghouses may include
billing services, repricing companies, com-
munity health information systems, 'value-
added' networks and switches-among oth-
er things." !d. at 3.
13. 45 C.F.R. 160.102.
14. 45 C.F.R. 160.103.
15. See "Protected Health Information"
in subsection b. which follows for the defini-
tion of "health information."
16. As a result, "a nursing home that
transmits health plan participants' informa-
tion electronically to an auditor triggers
HIPAA, whereas one that submits only pa-
per copies does not." Butera, 'Preemption
Implications for Covered Entities Under
State Law, 2002', Tort & Insurance Law
Journal, 3 (2002) [hereinafter Butera].
17. "Experts Report", 8 Electronic
Commerce & Law 485 (May 21, 2000) BNA;
"Analysis & Comment on HHS's Just Re-
leased HIPPA Security Rule", Davis
Wrights & Tremaine, Feb. 17, 2003.
I
315
ture] individually identifiable health information maintained or
mitted in any medium-electronic, paper, or oral-are protected.
The result of this somewhat catch-all definition of electronic means
that any provider that seeks reimbursement for services from ,-4
or a defined health plan automatically becomes a covered ent1ty smce
HIP AA mandates that applications for reimbursement under these pro-
grams must be submitted by the use of standardized claims forms sent
electronically."
b. Protected Health Information _,:
The fundamental purpose of the privacy rule "is to enable
individual who receives health care treatment to control the manner m
which the information is used and to whom it is disclosed"'' Accordmg-
1 HIPPA establishes rules governing both d1sclosures to th1rd parties
internal use of "protected health [hereinafter PHI].
The key term "information" is broadly defined to mclude:
"[A]ny information, whether oral or recorded in any form or medi-
um, that:
(1) Is created or received-by a health care provider, health
public health authority, employer, life insurer, school or umvers1ty,
or health care clearinghouse; and
(2) Relates to the past, present, or futu;e physical or mental
health or condition of an individual; the proVlswn of health care to
an individual; or the past, present, or future payment for the
provision of health care to an individual."
45 C.F.R. 160.103
As a result, the prohibition on unauthorized disclosure covers virtu-
ally any information pertaining to past, or future health care,
including the payment for such care. Also, coverage extends to mforma-
tion in any form including electronic, written or o:al.
21
However, since
the definition of health care is restricted to that be used
to identify an individual, information that 1s de-Identified renders
the information free of restrictions. This makes 1t poss1ble for treatment
18. Butera at 3.
19 'Health Insurance Reform Stan-
for Electromc Transactwns,' 63 Fed
Reg 25272 (1998), 45 C F R Pt. 142 (1998)
In fact, as of October 16, 2003, tt wtll be a
potential civil and crim1;nal to pay
claims that do not satisfy HIPAA s
dards as specified in HIPAA's Trans1twn
Rules. Marks, 'Surviving Standard
tions A HIPAA Road Map', 8 Electromc
and Law Report, 563 (2003)
BNA.
20. '2002 HIP AA Desk Reference-A
Physician's Guide to Understanding the Ad-
ministration Simplification Provisions', at
73, Ingenix (2001) [hereinafter 2002 HIPAA
Desk Reference].
21. 45 C.F.R. 160.103. HIPAA pre-
sumably covers oral information ensure
that information retains protectwn when
discussed or read aloud from a computer
screen or a written document or when com-
municated in the course of a treatment
session.
22. The specific identifiers that must be
removed to achieve de-identification are
listed in 45 C.F.R. 164.514
providers to provide third-party aggregate or statistical data without the
consent of the patient so long as it does not identify any individual.
23
c. Regulation of Disclosure
The rules governing disclosure of PHI vary depending on (1) the
relationship of the provider to the third person or entity that is to be the
recipient of information or (2) the purpose of the disclosure. Where the
person or entity to whom disclosure is to be made is involved in
providing "indirect treatment" (i.e. providing treatment or diagnosis
serviCes at the direction of the primary provider),
24
PHI may be disclosed
to the indirect provider without the consent of the patient.
Similarly, disclosure of PHI may be made without the consent of the
patient to a "business associate," which includes among others consul-
tants, lawyers and accountants.
25
Both in the case of indirect care
providers and business associates the regulations require that the disclo-
sure be limited to the "minimum necessary" to accomplish the specific
purpose. Moreover, where the third party is a business associate the
provider must establish a "business associate contract" as a condition
for the disclosure of any PHI ... Such contract must specify (1) "the
protected health information to be disclosed and the uses that may be
made of information and, (2) impose security, inspection and report-
Ing requirements on the business associate."
26
However, since under
current law, simply being a business associate is not classified under
HIP AA as a covered entity, such entities are not directly subject to
DHHS regulation.
27
The rules governing disclosure are also relaxed where the disclosure
is to a third party covered entity and the disclosure pertains to: "treat-
ment, payment
28
or health care operations. "
29
For these purposes, the
provider has the option of disclosing PHI either with or without the
consent of the patient. In any event, the disclosure must be the "mini-
mum necessary" to accomplish the intended purpose.
30
This limitation
23. 2002 HIP AA Desk Reference at 73.
24. "An 'indirect treatment' relation-
ship arises where the individual who has a
_relationship with a health case pro-
VIder IS referred by the direct provider to
the indirect provider who typically will re-
p_ort the results of the test results of diagno-
sis to the direct provider." 2002 HIP AA
Desk Reference at 45.
25. Business associates may also include
third party administrators, data aggrega-
tors and processors, etc.
26. 2002 HIPAA Desk Reference at 56.
27. However, if the business associate is
either a health plan, health care clearing
house or health care provider, they may, on
that basis, be a covered entity.
28. Payment includes activities under-
taken by a health plan or provider to obtain
or provide reimbursement or premiums for
the provision of health care and other activ-
ities, such as determinations of eligibility or
coverage (including coordination of bene-
fits), risk adjustments, billing, claims man-
agement, collections, medical necessity re-
views, and utilization review. 45 C.F.R.
164.501.
29. Health care operations includes,
for example, conducting quality assessment,
developing clinical guidelines, evaluating
provider performance, conducting or ar-
ranging for medical review, legal services,
and auditing (including detection of fraud
and abuse), business planning or develop-
ment, resolution of internal plan grievances
and implementation of HIPAA. 45 C.F.R.
164.501.
30. 45 C.F.R. 164.502.
does not apply to disclosures made to a covered entity for the purpose of
treatment.
31
While the regulations permit disclosure in connection with
treatment, payment or health care operations treatment without the
consent or authorization of the patient, the risk of unauthorized use or
disclosure by the recipients of the PHI is minimized by the fact that the ,-4
recipient entity must be a covered entity such as an msurance company
or HMO and therefore also subject to HIPAA's privacy rules.
32
In all other cases except the above, PHI may not be disclosed to a
third party except with the express authorization" of the patient or
where the disclosure is permitted by one of the specific exceptions
discussed below. Where the patient is an un-emancipated minor <Jf!a'
person under guardianship, the individual's personal representatit-e is
with limited exceptions" authorized to act on the patient's behalf in
authorizing disclosure of PHI." The designation of a personal represen-
tative is determined by "applicable [state] law.""
The regulations draw a distinction between "authorization" and
"consent." The requirements pertaining to the former are far more
stringent and require strict adherence to a set of protocols set out by the
regulations. These include detailed information as to the identity of the
person(s) to whom PHI is to be disclosed, an expiration date for the
proposed disclosure and the right' of the patient to revoke the authoriza-
tion at any time.
37
Consent, on the other hand, has few formal require-
ments and, in general, can only be used where the disclosure of the PHI
is to another covered entity.
While for the most part, mental health treatment is subject to the
same privacy protection provisions as apply to other classes of treatment,
"psychotherapy notes" constitute a separate class of protected health
information.
38
In particular, this class of data is treated as distinct from
the rest of the individual's health record and subject to more stringent
31. Id.
32. 45 C.F.R. 164.506.
33. "Consent" and "authorization" are
different concepts under HIP AA and the
purpose of the proposed disclosure will
termine which applies. A provider has the
option but is not required to use the consent
format where the purpose of disclosure of
PHI is restricted to treatment, payment, or
health care operations. 45 C.F.R. 164.506.
Where the provider chooses to use consent
for this purpose, it can be drafted to permit
multiple disclosures for this same purpose.
For instance patient consent at the outset
of treatment will permit a health provider
to disclose PHI in connection with future
payment requests by an insurance carrier.
An authorization on the other hand refers
to a specific permission to use or disclose
PHI for any purpose other than treatment,
payment or health care operations.
over, the requirements are more stringent
in that an authorization will only be valid if
it provides the patient with detailed infor-
mation illcluding: the precise PHI to be
disclosed, the identity of the person(s) to
whom it is to be disclosed, an expiration
date for the proposed disclosure and the
right of the patient to revoke the authoriza-
tion at any time. 45 C.F.R. 164.508
34. These exceptions pertain to health
care that under state law an unemancipat-
ed minor is permitted to obtain without
their parent's of guardian's consent.
35. 45 C.F.R. 164.500(g)(2)
36. 45 C.F.R. 164.500(g)(2). Since
death of a patient does not terminate the
protection afforded by HIP AA, a personal
representative is authorized by the regula-
tions to have the power to consent to disclo-
sure a decedent's PHI. The "personal rep-
resentative" is designated in accordance
with state law. 45 C.F.R. 164.502.
37. 45 C.F.R. 164.508.
38. 45 C.F.R. 164.501.
I ,i
!
rules.
39
For instance, a health provider may not use the consent format
to disclose psychotherapy noted information, but can only do so upon
authorization by the patient except in very limited circumstances dis-
cussed infra in Exceptions to Authorization Requirement. Moreover
authorization can only be sought by a provider where the
note information is in connection with "treatment, payment or health
operations" and employed for one of the following purposes:
(A) Use by the originator of the psychotherapy notes for treat-
ment;
(B) Use or disclosure by the covered entity for its own training
programs in which students, trainees, or practitioners in mental
health learn under supervision to practice or improve their skills in
group, joint, family, or individual counseling; or
(C) Use or disclosure by the covered entity to defend itself in a
legal action or other proceeding brought by the individual.
45 C.F.R. 164.508
The above restrictions applicable to psychotherapy notes do not,
however, prevent disclosure of other information pertaining to mental
health treatment of an individual. For instance, providers may disclose
to covered entities PHI pertaining to medication prescription and moni-
toring, counseling sessions and start and stop times.
40
d. Exceptions to Authorization Requirement
The Regulations authorize the disclosure of PHI to specified persons
and entities without the patient's consent in a variety of special circum-
39. Psychotherapy notes, in contrast to
general health information, are subject to
special restrictions. These restrictions in-
clude the following: (1) except for the spe-
cial circumstances listed below they may
only be disclosed to a third party when
specifically authorized by the patient (45
CFR 164.508); (2) a patient has a right to
inspect and make copies of all his or her
health information though this right does
not extend to psychotherapy notes 45 CFR
164.524. While the patient does not have
a right to the notes, the provider may at its
discretion disclose the psychotherapy notes
to the patient.
The regulations set out a list of special
circumstance under which the provider may
disclose the psychotherapy notes without
the patient's authorization. These include:
(1) use by the originator of the note for
treatment, payment of health care opera-
tions (since treatment, payment or health
care operations can only involve covered
entities any disclosure for these purposes
would be limited to covered entities). 45
CFR 164.508(a)(2)(i)(A);
(2) use by the covered entity for train-
ing programs to improve skills in group,
joint, family or individual counseling. 45
CFR 164.508(a)(2)(i)(B);
(3) by the covered entity to defend it-
self in a legal action brought by the pa-
tient. 45 CFR 164.508(a)(2);
( 4) when disclosure is required by law
and the use or disclosure complies with
the relevant requirements of the law. 45
CFR 164.508(a)(2); 164.512 (a)(1)
(5) To a coroner or medical examiner
for the purpose of identification of the
patient or determine the cause of death.
164.508(a)(2), 164.512(G)(1).
(6) Where necessary to prevent or less-
en a serious and imminent threat to the
health of safety of a person or the public.
45 CFR 164,508, 164.512(J)(1)(i)
40. 45 C.F.R. 164.501 "Psychotherapy
notes excludes medication prescription and
monitoring, counseling session start and
stop times, the modalities and frequencies
of treatment furnished, results of clinical
tests, and any summary of the following
items: Diagnosis, functional status, the
treatment plan, symptoms, prognosis, and
progress to data."
'
1
l
l
1
stances." Among the various special circumstances permitting disclosure
are the following: (1) to public health authorities for the purpose of
controlling or preventing disease; (2) where authorized by state law to
report child abuse or neglect, or domestic violence; (3)where needed for
various law enforcement purposes including the apprehension of an r"
individual who has admitted participating in a violent crime;
42
( 4) where
necessary to prevent or lessen an immediate threat to the health and
safety of the person or the public;" (5) in any judicial or administrative
proceeding in response to an express order or subpoena or to a subpoena
discovery request" A number of these exceptions only apply where .
disclosure is specifically authorized by state law. The interplay of,the
HIP AA exception and state law authorization is taken up.
e. Miscellaneous Requirements
The regulations impose various patient privacy notification require-
ments including in particular the posting and/or distribution to all
present of prospective patients a notice that spells out the provider's
privacy policies. Such notice must include: (1) the provider's policies and
procedures concerning the use and disclosure of PHI; (2) the individual's
rights under HIPAA; and (3) the-covered entity's legal obligation under
HIP AA with respect to PHI.
45
Under the regulations, a covered entity must undertake to train all
of its workforce who have access to PHI in privacy policies and proce-
dures. As used in the regulations, "workforce" is not limited to employ-
ees, but includes independent contractors, volunteers, trainees and other
persons under the direct control of the covered entity. Further, all levels
and stages of training must be documented in a training log.
The privacy rules also provide that: "[a] covered entity must have in
place appropriate administrative, technical and physical safeguards to
protect the privacy of protected health information. "
46
These provisions that are commonly referred to as the "mini-
security rules" are embedded in HIPPA's privacy regulations. At the
same time, a separate set of regulations that expand on these provisions
is contained in the security rules that were announced in the Federal
Register on February 20, 2003 and will become effective for enforcement
purposes in April 2005." These security rules that contain a 244-page
preamble and 45 typed pages of rules are less a series of check lists and
more a description of principles to be used by covered entities and their
business associates to evaluate and apply specific security protections
41. 45 C.F.R. 160.512.
42. 45 C.F.R. 164.512 Gl(1)(ii)(A).
43. 45 C.F.R. 164.512 Gl(1)(i)(A).
44. The conditions governing disclosure
in response to a subpoena or discovery
tion are discussed infra at Section Il.D,
Judicial Proceedings and the Testimonial
Privilege infra.
45. 45 C.F.R. 164.520.
46. 45 C.F.R. 154.530.
4 7. The security rules are contained in
a new Subpart C in Part 164, Volume 45 of
the Code of Federal Regulations ("CFR").
They may be downloaded from the CMS
website at www.cms.gov.
'
'i i
'i
i:
320 _______
based on an entity's particular situation. Among its mandates is the
adoption of intensive management of processes that will enable the
covered entity to detect intrusions in its data systems and to respond
with appropriate counter measures. "
8
Finally, HIP AA grants patients a qualified right of access to their
health information and a right to seek amendment of the health infor-
mation. The scope of the right of access is discussed more fully in Section
III(b), Patient Access to Records, at pp. 417-21.
f Enforcement
Butera, "HIPAA Preemption Implications for Covered Entities
Under State Law", 2002, Tort and Insurance Law Journal,
Summer (2002)
. . . HIP AA authorizes the Secretary of HHS to conduct general
compliance reviews. CEs must cooperate with any compliance investiga-
tion, which includes providing broad access to administrative records.
This means that CEs must properly record all activities to implement,
manage, and monitor HIPAA compliance.
HIP AA contains a host of civil and criminal penalties. For example,
any CE (including employees) that unintentionally violates the privacy
provisions without exercising reasonable diligence may be liable for up to
$100 for each violation, not to exceed $25,000 per year. A civil penalty
will not be imposed, however, if a person did not know or, by exercising
reasonable diligence, would not have known that his or her action
constituted a violation. Criminal penalties are considerably more severe.
Any person who knowingly obtains or discloses individually identifiable
health information in violation of HIPAA may be fined up to $50,000
and/or imprisoned for no more than one year. If the disclosure is done
under "false pretenses," the fme increases to $100,000 and imprison-
ment of up to five years. The severest punishment applies to offenses
done with intent to "sell, transfer, or use" individually identifiable
health information for commercial advantage, personal gain, or malicious
harm. This violation demands a fine not to exceed $250,000 and/or
imprisonment of not more than ten years.
Neither HIP AA nor the Privacy Rule explicitly grants a private
cause of action, including qui tam actions. Still, CEs and business
associates fear that the plaintiffs bar, in state and federal tort actions,
will use a Privacy Rule violation as evidence that the duty of care was
ignored. Moreover, CEs have increased exposure to civil and criminal
actions because they may be liable for the privacy breaches of their
business associates. For purposes of OCR compliance, CEs are not
expected to guarantee the privacy of PHI, as HHS noted in its first
48. See 'Analysis & Comment on HHS's
Just Released HIPAA Security Rule', Davis
Wright Tremaine LLP, Feb. 17, 2003.
!

'i !
I PROTECTION OF PRIVACY & CONFIDENTMLITY 321
clarification; however, CEs must take "reasonable:' steps to protect the
confidentiality of the PHI subject to business associate use.
g. Relationship to State Laws
HIPAA's privacy provisions are intertwined with state law in two
ways. At one level there is a preemption aspect :hat displaces state laws
that conflict with the national standards established by HIP AA. At the
same time HIP AA defers to state law to the extent that state law more
restrictively limits disclosure of PHI without the consent. For
instance, as discussed previously, HIPAA privacy regulatiOns
disclosure of PHI without the patient's consent m a vanety of cirCUJ;n-
stances such as disclosures in connection with litigation or disclosures
pertaining to the dangerousness of a patient only when permitted or
required by state law. Thus, state law can in certain instances, serve to
define HIIPA's disclosure rules. [A number of the exceptions that permit
disclosure of PHI without the patient's consent when authonzed by
law are considered in section II, Exceptions to the Duty of Confidentiali-
ty at pp. 350-415.]
HIPAA's preemption aspects are express but selective. The
below summarizes the scope and operation of the preemptiOn proVIsiOns:
"Congress adopted a rule that anJ:' medical
privacy statute, standard or ImplementatiOn. specificatiOn shall su-
percede any contrary provision of State law, mcludmg a provision of
state law that requires medical or health plan records . . . to be
I
. c ,49 H n
maintained in written rather than e ectron1c 10rm. owever, co -
flict between state and federal law is not presumed, and whenever
possible, state and federal provisions should. be construed m a
manner that makes them compatible. In practice, HIP AA preemp-
tion does not represent a wholesale federal preemption of the field of
privacy law, but rather a national floor privacy protec-
tion.
Congress created three protected areas of state law, or statutory
carve-outs where federal HIP AA does not trump or override state
law by Certain portions of state public health law are
protected, with Congress stating that "[n]othing in this part shall be
construed to invalidate or limit" the authonty, power or procedures
established under any law providing for the reporting of
injury, child abuse, birth or death; public health surveillance; public
health investigation; and (public health) mtervenhon.
Certain, other, mandatory state regulatory reporting and state
licensure investigatory activities are also expressly saved by statute
from federal preemption. These include requiring a health plan_ to
report or provide access to information for
financial audits, program monitoring and evaluatiOn, facility licen-
sure or certification, or individual licensure or certlficatwn. Thus,
49. 42 USC 1320d-7(a)(l).
I I
'I
!
, 1l
!
the statute gives state health departments and licensing boards
broad access for the uninterrupted conducting of traditional state
public health licensure and programmatic financial review activities.
The HIP AA statute contains another savings provision which was
designed to go into effect only if HIP AA privacy was promulgated by
Department of Health and Human Services (DHHS) rulemaking,
rather than by Congressional passage. Since Congress itself did not
pass comprehensive medical privacy law, but instead, by inaction,
delegated it to DHHS, an uncodified statutory provision states that
the federal regulations "shall not supersede a contrary provision of
State law, if the provision of State law imposes requirements
standards, or implementation specifications that are 'more strin:
gent'" than" the comparable federal DHHS standard.
By definition, DHHS has clarified several aspects of this savings
clause. First, DHHS sets the bar quite high when it finds a conflict
defining "contrary" to mean either, 1) that an entity would find it
impossible to comply with both the state and federal provisions
("impossibility test"), or 2) that the provision of the state law stands
as an obstacle to the full purposes and objectives of HIPAA ("obsta-
cle test"). Similarly, the term "more stringent" means that the state
law restricts a disclosure permitted under HIP AA, grants greater
access to a person's own health information, more severely restricts
the scope or duration of authorized access by another, requires
g_reater record:keeping or generally provides greater privacy protec-
tiOn to the mdiVIdual who is the subject of the record."
Ryland, "Federal Health Privacy Comes to Maryland: What's the Big
Deal?'' 2003, Maryland Bar Journal, Jan./Feb. (2003).
Questions and Comments
. 1. Non-covered health providers. Mental health professionals who treat
patwnts are not nec_essarily covered by HIP AA. All mental health profession-
als, mcludmg psychiatnst, would be exempt from coverage if they do not use
electromc modes of communication to transmit health information in their
practice, for instance, billing for services. Thus, a therapist who
only has patients who themselves pay for their treatment and who are billed
by mail would not be subject to HIP AA. However, a therapist who bills a
third party private insurer or under a public insurance plan such as
Medicare or Medicaid must by law submit the billing electronically with the
result that such health provider would therefore be a covered entity and
subJect to HIP AA privacy regulations.
2. Professions covered by HIPAA. Are marriage counselors and other
((helping" professions covered by HIP AA? As indicated in the review of
50. "More stringent" has been inter-
preted to include any of the following: (1)
1mposes greater restrictions on disclosure
(2) permits greater access to
who are the subject of the PHI; (3) provides
a greater amount of health information to
individuals who are subjects of the PHI; ( 4)
narrows the scope or duration of a consent
or authorization; (5) reduces the coercive
the circumstances surrounding au-
thonzatwn and consent; (6) requires record
retention of greater duration or more de-
tailed information.
HIP AA provisions supra, a person or entity involved in providing health care
and uses electronic means of communication to transmit health information.
Health care, in turn, is sufficiently broadly defined that marriage couuselors
and similar professions would be covered persons if they billed for their
services electronically or used electronic communications for other purposes ,A
related to the provisioning of health services.
3. Disclosures authorized by state law. Numerous states also authorize
a physician or mental health professional to disclose any confidential infor-
mation when the patient's condition makes it necessary to set in motion
commitment proceedings. For instance, in Illinois records and communica-
tions may be disclosed where it is "necessary to the provision of
medical care to a recipient" or in "commitment proceedings." 111.-S.I[A.
ch. 9 1/2, 8-11 (Mental Health and Development Disability Confidentiality
Act, 1979). HIPAA does not expressly authorize disclosure in connection
with civil commitment, but does permit disclosure when "necessary to
prevent or lessen a serious imminent threat to the safety of the individual
[patient] ... " 45 C.F.R. 164.512. Presumably, the imminent threat of
suicide by a patient would thus meet the HIP AA test.
4. Continuing imparlance of state confidentiality laws. In spite of
HIP AA, state confidentiality laws that do not conflict with HIP AA retain
their vitality. Such laws may provide protections exceeding those called for
by HIP AA and moreover, may provide private rights of action to patients
whose privacy rights have been compromised in contrast to HIP AA, which
only provides for remedies and enforcement by the Department of Health
and Human Services. See Smith v. American Home Products Corp. Wyeth-
Ayers! Pharmaceutical, 372 N.J. Super. 105, 855 A.2d 608 (2003) (holding
that New Jersey law that offered broader protection of health records than
HIP AA controlled]
5. Hypothetical. Rick Rocker, a famous rock star, had come to Metro
City for a rock concert in which he was the featured performer. In the early
morning hours of January 1, 2005, friends of Rick's called 9-1-1 to report
that Rick, who was in a hotel penthouse suite, waS unconscious and turning
blue. The 9-1-1 operator immediately relayed the call to the Metro City
Emergency Response Office, which in turn dispatched an ambulance owned
and operated by the hospital. By coincidence, Brenda Star, ace reporter with
the Metro Sentinel, a local newspaper, happened to be interviewing a doctor
at the Metro City Emergency Response Office when the call came in. Having
overhead the call on a speakerphone, Brenda thought that this might make
an interesting story and decided to follow the ambulance in her own vehicle
to Rocker's hotel. A short time later, two ambulance paramedics emerged
from the hotel wheeling Rocker out on a stretcher. Just as the ambulance
was ready to leave for the hospital, Brenda asked one of the paramedics what
had caused Rocker's collapse and "Will he be okay?" In response, the
paramedic replied, "It looks like he overdid the partying bit-we gave him a
shot of Narc an to help bring him out of it". Knowing that N arcan is used to
neutralize opiates, Brenda concluded that Rocker's condition was the result
of an overdose of percocet or another opiate.
Ten days later, Rocker recovers and upon being released from Metro
City Hospital is told by his manager that the press report on his overdose

'
: II
I
324
Ch. 5
will probably hurt his career and that he has already been dropped by one
TV sponsor, who was planning to use a video he had previously made.
Unhappy at this turn of events, Rick asked his legal representative to file a
complaint with the DHHS Office of Civil Rights (OCR) based on a violation
on his HIP AA privacy rights. Is there any basis for the OCR to bring charges
agamst any of the parties involved in this case, and if so, which party?
6. Review of HIPAA constitutionality. Challenges to HIPAA regulations
privacy have withstood constitutional challenges asserting a viola-
tion of the non-delegation of legislative power doctrine. See South Carolina
Medical Association v. Thompson, 327 F.3d 346 (4th Circuit 2003), cert den.
540 U.S. 981, 124 S.Ct. 464, 157 L.Ed.2d 371 (2003).
7. Application to state facilities. While the HIPAA legislation does not
expressly purport to cover public sector entities, it has been assumed that
the regulations concerning privacy protection are not limited to the private
sector. Apparently states agencies and institutions are complying with the
HIP AA rules. However, at some point, some provisions of HIP AA could be
challenged by a state on the basis that HIP AA may not constitutionally be
applied to the states because of the Eleventh Amendment. The doctrinal
basis for a challenge to the application of HIP AA to the states and the
relevant cases that have addressed this issue are discussed in Chapter 12 at
pp. 1280-82.
C. PROTECTION OF EDUCATIONAL RECORDS UNDER FER-
PA
The Family Educational Rights and Privacy Act of 1974 (FERPA)
protects the confidentiality of school records maintained by any edu-
cational institution that accepts federal funding (which, as a practical
matter, mcludes virtually all institutions of higher learning as well as
P;'blic elementary and secondary schools). In general, FERPA bars
disclosure to any external person or agency personal or identifiable
information contained in educational records without the written con-
sent of the parent if the student is under 18, and the student if he or she
IS 18 years or older. Under FERPA, the term "educational records" is
defined as "[t]hose records, files, documents and other materials which
(i) contain information directly related to a student; and (ii) are main-
tamed by an educational agency or institution or by a person acting for
such agency or institution." 20 U.S.C. 1232g(a)(4)(A); 34 CFR 99.3.
However, FERPA excludes from the definition of educational records:
records of a student who is eighteen years of age or older, or is
attending an institution of postsecondary education, which are made
or maintained by a physician, psychiatrist, psychologist, or other
recognized professional or paraprofessional acting in his professional
or paraprofessional capacity, or assisting in that capacity, and which
are made, maintained, or used only in connection with the provision
of treatment to the student ...
20 U.S. C. 1232 (a)(4)(B)(iv); 34 CFR 99.3.
It is not clear whether HIP AA covers the latter records. Compare 45
CFR 160.103 and Memorandum, Sharing Information about Potential-
l
'
I
ly Dangerous Students, Office of the General Counsel, University of
Texas System, July 10, 2007 with U.S. Department of Education Guid-
ance Letter of Nov. 29, 2004 toM. Baise, Associated University Counsel,
University of New Mexico. In any event, even if HIPAA applies, HIPAA
regulations permit disclosure when "necessary to prevent or lessen a
serious and imminent threat to the health and safety of a person of the
public, . . . to a person or persons reasonably able to prevent or lessen
the threat, including the target of the threat." 45 C.F.R. 164.512(j).
New FERPA regulations use virtually identical language. See pp. 357-59.
As a practical matter, the generality in which the FERPA and
exceptions are phrased makes it likely that a university would have witfe
discretion to disclose information drawn from treatment records where a
university believes in good faith that a student presents a serious danger
to themselves or third persons.
Aside from the possibility that health treatment records maintained
by a university may be covered by FERPA or HIPPA Privacy Rules, state
law could come into play in determining whether non-consensual disclo-
sure may be made in a particular circumstance. The exceptions for non-
consensual disclosure under both HIPP A and FERP A do not displace
state laws that are more protective-of health record privacy. Thus, even
where disclosure is authorized by one of the HIPPA or FERPA excep-
tions, state law could prevent disclosure or at least limit disclosure to
specific persons and entities.
1. Contrasting scope of HIPAA and FERPA. Differences in the scope of
HIPAA's and HIPAA's privacy rules are summarized in the report of the
Virginia Tech Review Panel:
. . FERPA was drafted to apply to educational records, not medical
records [and therefore does not enumerate th<l.)lifferent types of disclo-
sures that are authorized]. . . FERPA also has a different scope than
HIP AA. Medical privacy laws such as HIP AA apply to all information-
written or oral-gained in the course of treatment. FERPA applies only
to information in student records. Personal observations and conversa-
tions with a student fall outside FERP A. Thus, for example, teachers or
administrators who witness students acting strangely are not restricted
by FERP A from telling anyone-school officials, law enforcement, par-
ents or any other person or organization.''
Review Panel Report, at 66.
2. Transfer of health information from medical unit to university
administration. While the treatment records of a university health facility
are not subject to FERPA, a record that originates as a university medical
record but is shared with another university official for a legitimate edu-
cational purpose becomes an education record subject to FERP A. For exam-
ple, if a medical record is provided at a student's request to a faculty
member or the dean of students in support of the student's request to be
granted a medical leave of absence, that record would become part of the
student's education record and would be subject to FERPA.
340
Ch. 5
requirement, what was the plaintiffs offer of proof in this regard in the
Hughley v. McDermott case?
2. Remedies Arising From Breach of the Patient-Therapist
Relationship
DOE v. ROE
Supreme Court, New York County, 1977.
93 Misc.2d 201, 400 N.Y.S.2d 668.
MARTIN B. STECHER, JUSTICE,
. This action for an injunction and for damages for breach of privacy
Is a matter of first impression in this State, and so far as I am able to
ascertain, a matter of first impression in the United States. It arises out
of the publication, verbatim, by a psychiatrist of a patient's disclosures
during the course of a lengthy psychoanalysis. I have made and filed
detailed findings of fact which are briefly summarized here.
Dr. Joan Roe is a physician who has practiced psychiatry for more
than fifty years. Her husband, Peter Poe, has been a psychologist for
some 25 years. The plaintiff and her late, former husband were each
patients of Dr. Roe for many years. The defendants, eight years after the
termination of treatment, published a book which reported verbatim and
extensively the patients' thoughts, feelings, and emotions, their sexual
and other fantasies and biographies, their most intimate personal rela-
tionships and the disintegration of their marriage. Interspersed among
the footnotes are Roe's diagnoses of what purport to be the illnesses
suffered by the patients and one of their children.
. The. defendants allege that the plaintiff consented to this publica-
tion. Th1s defense is without substance. Consent was sought while the
plaintiff was in therapy. It was never obtained in writing. In Dr. Roe's
own words consent "was there one day and not there another day. That
was the nature of the illness I was treating, unreliable." I need not deal
with the value of an oral waiver of confidentiality given by a patient to a
psychiatrist during the course of treatment. It is sufficient to conclude
that not only did the defendants fail to obtain the plaintiffs consent to
publication, they were well aware that they had none.
[The plaintiff contended that in the absence of a statutory provision
expressly recognizing a cause of action against a therapist who wrongful-
ly discloses confidential information, an action is impliedly authorized by
varwus state laws including sections of the New York Civil Practice Law
and Rules (Sec. 4504(a)) and provisions of the New York Licensing and
Disciplmary Statutes (Ed.L. 6509 et seq.). Following a review of the text
and history of these statutory provisions the court concluded that these
sections standing by themselves did not authorize a private cause of
action. The court next addressed the plaintiffs contention that other
theories including the right to privacy and rights flowing from the
contract between the therapist and patient grant a cause of action for
wrongful disclosure.]
* * *
As hereafter indicated there are theories on which liability may be ,-4
predicated other than violation of the CPLR [ 4504(a)], the licensing and
disciplinary statutes [Ed.L. 6509 et seq.] and what I perceiVe as this
State's public policy. In two of the _very few cases which have come t ~
grips with the issue of wrongful disclosure by physicians of patients
secrets the courts predicated their holdings on the numerous sources of
obligation which arise out of the physician-patient relationship. ,-/'
* * *
I too find that a physician, who enters into an agreement with a
patient to provide medical attention, impliedly covenants to keep i,n
confidence all disclosures made by the patient concernmg the patient s
physical or mental condition as well as all matters discovered by the
physician in the course of examination or treatment. This IS particularly
and necessarily true of the psychiatric relationship, for in the dynamics
of psychotherapy "(t)he patient is called upon to discuss in a candid and
frank manner personal material ~ the most intimate and disturbmg
nature * * * He is expected to bring up all manner of socially unaccepta-
ble instincts and urges, immature wishes, perverse sexual thoughts-in
short the unspeakable, the unthinkable, the repressed. To speak of such
things to another human being requires an atmosphere of unusual trust,
confidence and tolerance. * * * "
There can be little doubt that under the law of the State of New
York and in a proper case, the contract of private parties to retain in
confidence matter which should be kept in confidence will be enforced by
injunction and compensated in damages.
The contract between the plaintiff and Dr. Roe is such a contract.
* * *
Every patient, and particularly every patient undergoing psychoana-
lysis, has such a right of privacy [emanating from the plaintiffs contract
right to confidentiality and other state laws including the hcensmg and
disciplinary statute and the New York civil practice law]. Under what
circumstances can a person be expected to reveal sexual fantasies,
infantile memories, passions of hate and love, one's most intimate
relationship with one's spouse and others except upon the inferential
agreement that such confessions will be forever entombed in the psychia-
trist's memory, never to be revealed during the psychiatrist's lifetime or
thereafter? The very needs of the profession itself require that confiden-
tiality exist and be enforced. As pointed out in Matter of Lifschutz, 2
Cal.3d 415, 85 Cal.Rptr. 829, 467 P.2d 557 [1970] "a large segment of
the psychiatric profession concurs in Dr. Lifschutz's strongly held belief
that an absolute privilege of confidentiality is essentml to the effective
practice of psychotherapy" [cf Annotation, 20 A.L.R.3d, 1109, 1112].
I
.!
i ':
:!
Despite the fact that in no New York case has such a wrong been
remedied due, most likely, to the fact that so few physicians violate this
fundamental obligation, it is time that the obligation not only be recog-
mzed but that the nght of redress be recognized as well.
What label we affix to this wrong is unimportant [although the
category of wrong could, under certain circumstances-such as determin-
ing the applicable statute of limitations-be significant]. It is generally
accepted that "There is no necessity whatever that a tort must have a
name. New and nameless torts are being recognized constantly". [Pros-
Torts ed.), p. 3]. What is important is that there must be the
mflicti?n of mtentional harm, resulting in damage, without legal excuses
or JUstification.
* * *
. . defendants contend that the physician's obligation of confiden-
tiality IS not absolute and must give way to the general public interest.
The mterest, as they see it in this case, is the scientific value of the
publication.
. . It is not disputed that under our public policy the right of confiden-
tiality IS less than absolute. * * *
Despite duty of confidentiality courts have recognized the duty
of a psychiatrrst to grve warnmg where a patient clearly presents a
danger to others to disclose the existence of a contagious disease to
report the use of "controlled substances" in certain situations and to
report gunshot and other wounds.
In no case, however, has the curiosity or education of the medical
professron superseded the duty of confidentiality. I do not reach the
question of a psychiatrist's right to publish case histories where the
Identities are fully concealed for that is not our problem here, nor do I
find It necessary to reach the issue of whether or not an important
scientific discovery would take precedence over a patient's privilege of
non I do not consider myself qualified to determine the
contrrbutron which this book may have made to the science or art of
psychiatry. I do conclude, however, that if such contribution was the
defendants' defense they have utterly failed in their proof that this
volume represented a major contribution to scientific knowledge. The
evrdence IS to the contrary and this defense must necessarily fail.
. Nor is the argument available that by enjoining the further distribu-
tiOn of this book the court will be engaging in a "prior restraint" on
publication.
* * *
There is no prior restraint in the case at bar. The book has been
published and it does. offend against the plaintiff's right of privacy,
contractual and otherwise, not to have her innermost thoughts offered to
"
!
all for the price of this book. There is no prior restraint and, therefore,
no censorship within constitutional meaning.
* * *
The liability of Dr. Roe to respond in damages is clear, and Mr. Poe's
liability is equally clear. True, he and the plaintiff were not involved in a
physician-patient relationship and he certainly had no contractual rela-
tionship to her. But, the conclusion is unassailable that Poe, like anyone
else with access to the book, knew that its source was the patient's
production in psychoanalysis. He knew as well as, and perhaps better
than Roe, of the absence of consent, of the failure to disguise. If anyone..
was the actor in seeing to it that the work was written, that it
manufactured, advertised and circulated, it was Poe. He is a co-author
and a willing, indeed avid, co-violator of the patient's rights and is
therefore equally liable.
The plaintiff seeks punitive damages and suggests that a proper
measure of those damages, in addition to compensatory damage, is
approximately $50,000, the sum plaintiff has thus far expended on and
incurred for attorneys' fees.
* * *
In order to warrant an award of punitive damages, it must have
been affirmatively demonstrated that the wrong committed was willful
and malicious, that the act complained of was "morally culpable or * * *
actuated by evil and reprehensible motives, not only to punish the
defendant but to deter him, as well as others * * * "
Where the act complained of is willful, malicious and wanton,
punitive damages are sometimes available to "express indignation at the
defendants' wrong rather than a value set on plaintiff's loss." Certainly,
the acts of the defendants here are such as to warrant an expression of
indignation and punishment for the purpose of Q,eterring similar acts by
these defendants or others. The difficulty, however, is that the defen-
dants' acts were not willful, malicious or wanton-they were merely
stupid. I have no doubt that the defendants were of the opinion that they
had sufficiently concealed the identity of the plaintiff and her family. I
have no doubt that in addition to the commercial success they hoped to
have, they believed that they were rendering a public service in publish-
ing what they considered an in-depth description of the plaintiff's family.
But there was no motive to harm. Under these circumstances, punitive
damages are not available.
* * *
The plaintiff has suffered damage as a consequence of this publica-
tion. She suffered acute embarrassment on learning the extent to which
friends, colleagues, employer, students and others, had read or read of
the book. Her livelihood, as indicated in the findings, was threatened;
but fortunately, the actual cash loss was only some $1,500. Medical
attention, principally treatment with Dr. Lowenfeld, cost an additional
i.:
$1,400. But beyond these sums the plaintiff suffered in health. She had
insomnia and nightmares. She became reclusive as a consequence of the
shame and humiliation induced by the book's publication and her well-
being and emotional health were significantly impaired for three years.
In my opinion the fair and reasonable value of the injury she sustained-
to the extent it can be compensated in damages-is $20,000.
Damages, of course, do not provide an adequate remedy; for should
the book circulate further, beyond the 220 copies already sold, the
damage must accrue anew. The plaintiff is entitled to a judgment
permanently enjoining the defendants, their heirs, successors and as-
signs from further violating the plaintiffs right to privacy whether by
circulating this book or by otherwise disclosing any of the matters
revealed by the plaintiff to Dr. Roe in the course of psychotherapy.
1. Health evaluations at the request of third parties. Insurance compa-
nies frequently require an applicant to supply their medical background and,
in that connection, may request that applicants undergo a physical or other
health examination. Similarly, employers may sometimes require a current
or prospective employee to undergo a medical or mental status evaluation.
Frequently, these evaluations are arranged and paid for by the third party.
Under the laws of some states, a health provider's duty of confidentiality
does not arise were the treatment was at the request of a third party.
However, under HIP AA, patients retain their privacy rights even where the
evaluation was performed at the request of a third party. However, a third
party such as an employer or insurer may gain access to the evaluation, or
PHI in general, by obtaining the individual's authorization prior to the
referral for diagnosis.
2. HIPAA and disclosure of PHI in research context. A researcher or
research institution is only subject to HIP AA privacy rules if she or it is a
covered entity. However, if the research facility is also involved in treatment
and meets HIPAA's covered entity criteria it must comply with the privacy
rules. This means that it can transfer personal health information (PHI) to
another covered entity without the patient's authorization. On the other
hand, transfer of PHI to a non-covered entity requires the research subject's
authorization. However, as a practical matter such authorization will gener-
ally have been obtained before an individual is admitted into the research
program. Such pre-admission authorization is permitted by HIP AA privacy
rules. 45 CFR 164.508(b)(4)(i).
3. Confidentiality rights following the death of the patient. May a
therapist disclose confidential information following the death of the patient?
This issue has arisen in the context of several celebrated cases where the
therapist, following the death of the patient, either wrote a book concerning
the patient or made public disclosures on television or to other media of
information obtained from the patient in the course of providing treatment.
Anne Sexton, a noted poet who committed suicide in 1974, had been
treated for a number of years by Dr. Martin T. Orne, a psychiatrist. In 1991,
Dr. Orne, with co-author Diane Wood Middlebrook, published a biography of
Anne Sexton. That book relied in part on material taken from Ms. Sexton's
private therapy sessions and covered her revelations which chronicled ''har-
rowing detail [of] Sexton's madness, alcoholism and sexual abuse of her
daughter, along with her many extramarital affairs, including one with a
woman and another with the second of her many therapists". N.Y. Times,
Jul. 15, 1991, at 1.
More recently, following the 1994 murder of Nicole Simpson, the ex-wife
of O.J. Simpson, Susan Forward (a licensed clinical social worker) disclosed
to the media in various interviews that she had counseled Nicole Simpson on
two occasions and that Ms. Simpson told her that she had been battered and
threatened by O.J. Simpson. L.A. Times, June 16, 1994, at A13.
What are the legal rights, if any, of the next of kin or heirs of a deceased! ..
patient to prevent disclosure of information obtained by a therapist in i ~
course of treatment? Leading legal commentators have in the past sub-
scribed to the view that the patient's rights of privacy terminate at death
and that the heirs or next of kin do not have any cause of action for
unauthorized disclosures. Harper & James, The Law of Torts, 9.6 at 645
(2d ed. 1986). The Supreme Court, in a different context, held that the
attorney-client privilege does not survive the death of the client. Swidler &
Berlin v. United States, 524 U.S. 399, 118 S.Ct. 2081, 141 L.Ed.2d 379
(1998).
4. Post mortem privacy of P.fil under HIPAA. Unlike many state
health privacy laws, under HIP AA personal Health information (PHI) in the
hands of a covered entity retains its protection and disclosure to non covered
third parties may not be made without the authorization of the decedents
personal representative (see supra note 36). The designation of a personal
representative is a matter of state law . . What factors justify protecting
health information post mortem when other privacy interests are not gener-
ally protected under the law of most states? Also, an action for defamation
cannot be brought where the alleged defamation occurred after the death of
the defamed party. Is there not, in some instances, a public interest in the
disclosure of health information of an individual after their death? For
instance, does the public have a right to know if a_o;enior government official
such as a president was suffering from various disorders and taking heavy
doses of medication during his term as president? Presumably health provid-
ers would not be permitted to disclose such information after the death of
the senior official without the authorization of the individual's personal
representative who, if a family member, might well prefer to not have such
information disclosed. What public interest might be served in the post
mortem disclosure of health information of this kind?
MacDONALD v. CLINGER
Supreme Court, Appellate Division, Fourth Department, 1982.
84 A.D.2d 482. 446 N.Y.S.2d 801.
DENMAN. JUSTICE.
We here consider whether a psychiatrist must respond in damages
to his former patient for disclosure of personal information learned
during the course of treatment and, if he must, on what theory of
recovery the action may be maintained. We hold that such wrongful
i
patient may consent to allow a therapist to disclose to the patient's prospec
tive employer that he has received therapy. Would such consent authorize
disclosure of the nature of the patient's problem? The nature or length of
treatment? Specific facts about the patient relating to his suitability for
employment?
II. EXCEPTIONS TO THE DUTY
OF CONFIDENTIALITY
A. INTRODUCTION
. The preceding materials have explored doctrines that protect pa-
tients from unauthorized disclosures by professionals with whom they
have entered into a patient-therapist relationship. The patient's rights of
pnvacy, however, are not absolute, and in some circumstances a thera-
pist may be under a legal duty to make disclosures to either agencies of
the state or private citizens.
There are three principal situations where disclosure of information
by the therapist may be required. One situation is created by compulsory
reportmg statutes, which cover such matters as child abuse or narcotics
addiction. The second category is the duty of a therapist in some
JUriSdiCtiOns to communicate to endangered parties the known danger-
ous propensities of the patient.
A third category of compelled disclosure is the duty to give testimo-
ny ina judicial proceeding. However, this duty is not applied universally,
and In fact the legal system has carved out special exceptions for
professiOnals, including physicians and psychotherapists. These excep-
tions fall within the ambit of what is known as the testimonial privilege,
are_ fa.Irly techmcal m nature, and do not apply with equal force in all
JUriSdiCtiOns. While any comprehensive treatment of the testimonial
privilege is beyond the purview of these materials, subsection D below
seeks to set forth the general legal framework governing the application
of the privilege.
Significantly, in all of the situations noted above, HIP AA regulations
defer to state law where such law authorizes disclosure without the
patient's consent.
B. MANDATORY REPORTING REQUIREMENTS
Nearly all states have enacted laws which require physicians and
mental health professionals to disclose to designated authorities certain
types of patient information, even if the information would otherwise be
confidential. Most states, for instance, require reporting to health au-
thorities the fact that a patient is suffering from certain communicable
diseases .. Hammonds v. Aetna Casualty & Surety Co., 243 F.Supp. 793
(N.D.Ohw 1965). Nearly all states also impose a duty on physicians or
hospital administrators to report to police authorities any case where a
patient appears for treatment of gunshot injuries. Jon R. Waltz & Fred
E. Inbau, Medical Jurisprudence at 364 (1971). Some states also require
i
.
II
EXCEPTIONS TO DUTY OF CONFIDENTIALITY
351
attending or consulting physicians to report the name of any person
known to be a "habitual user of a narcotic drug." Id. at 365. Finally
most states require any physician or mental health professional who has
reasonable cause to suspect an incidence of child abuse to report such
fact to a designated agency. Id. at 320-322. In some jurisdictions psychia-
trists are covered by these provisions whereas other mental health
professionals are not. There is an interplay between these reporting
statutes and the testimonial privilege. It has been argued that mandato-
ry reporting statutes destroy the privilege of confidentiality granted by
testimonial privilege statutes. The case set forth below addresses the
question of whether the legislature, by requiring reporting, also
to abrogate confidentiality rights. ,-,
DAYMUDE v. STATE
Court of Appeals of Indiana, First District, 1989.
540 N.E.2d 1263.
BAKER, JunGE.
STATEMENT OF THE FACTS
The Greene County Division of the Indiana State Department of
Public Welfare (Department) filed a-petition in the Greene Circuit Court,
Juvenile Docket, alleging that Daymude's 13-year-old daughter was a
"child in need of services" as defined by IND.CODE 31-6-4-3. As
provided by the CHINS statute, the Department, pursuant to court
order, provided services to the child and her family. The daughter was
admitted as an in-patient at Charter Hospital of Terre Haute (the
hospital). In addition, the juvenile court ordered Daymude, the alleged
victim, and her mother to undergo family counseling.
The hospital's clinical director referred the daughter's case to James
Walker (Walker), a certified clinical mental health counselor working as
an independent contractor for the hospital. Wmker worked under the
supervision of Dr. Mary Anne Johnson, the hospital's chief psychiatrist
for the child and adolescent division. Walker developed and scheduled a
treatment program in which the alleged victim and her family were to
participate in a series of individual and group therapy sessions. During
the course of a counseling session, Daymude disclosed information relat-
ing to alleged instances of sexual abuse.
On July 8, 1989, the State fonnally charged Daymude with child
molesting and criminal deviate conduct in violation of IND.CODE 35-
42-4-2 and 35-42-4-3, and with the offense of incest in violation of
IND.CODE 35-26-1-3. Thereafter, the State sought to depose Walker
regarding the content of communications between Walker and Daymude
disclosed in the course of the family therapy. Daymude objected to the
State's inquiry, insofar as it related to privileged and confidential com-
munications between himself and Walker or any other member of the
hospital's treatment team. The question was certified to the trial court
and on January 31, 1989, the trial court overruled the defendant's
I
I
I
!I
352
Ch. 5
objection and ordered Walker to answer such questions as were asked by
the State pertammg to. his communication with Daymude during the
course of counselmg. It IS from this order that the instant interlocutory
appeal is taken.
IssuE
. Whether the trial. court err.ed in finding that Daymude's right to
privileged cornmumcatwn With his health care provider was abrogated by
IND.CODE 31-6-11-8 when that communication was undertaken subse-
quent to the State's involvement in allegations of child sexual abuse
agamst Daymude, and when that communication was undertaken in the
course treatment and rehabilitation recommended by the State
through Its Department of Public Welfare.
DISCUSSION AND DECISION
between a physician and a patient, of a confidential
are priVIleged and may not be disclosed by the physician without
a .of privilege by the patient. * * * This physician-patient
prmlege IS codified in IND.CODE 34-1-14-5 which provides, in perti-
nent part:
The following persons shall not be competent witnesses:
4th: as to matter communicated to them, as such, by
patients, m the course of their professional business, or advice given
m such cases, except as provided in IND.CODE 9--4-4.5-7.
The privilege applies to those communications undertaken in the
course of, and necessary to treatment.
However, in Indiana "any individual who has reason to believe
that a child is a victim of child abuse or neglect shall make a report"
as reqmred by statute (emphasis added). IND.CODE 31-6-11-3.
Thus, this language and the physician-patient privilege place con-
fliCting duties upon a physician who learns of child abuse during the
course of a physician-patient relationship. Consequently, the Indiana
legislature IND.CODE 31-6-11-8 which abrogates the phy-
SICian-patient privilege when reporting child abuse. The abrogation
statute states:
The privileged communication between a husband and wife
between a health care provider and that health care
patient, or between a school counselor and a student is not a
ground for:
. (1) excluding evidence in any judicial proceeding re-
sultmg from a report of a child who may be a victim of child
abuse or neglect, or relating to the subject matter of such a
report; or (2) failing to report as required by this chapter.
a. !ND.CODE 9-11-4-6, formerly 9-4-
4.5- for the abrogation of the
physiCian-patient privilege in certain cases
involving chemical tests for purposes of Ti-
tle 9, Criminal Investigations.
II EXCEPTIONS TO DUTY OF CONFIDENTIALITY 353
I d.
Daymude acknowledges that Walker, as a mental health professional
had a duty under IND.CODE 31-6--11-3 to report suspected or known
instances of child abuse or neglect even though such information is
received in the course of confidential communications. See IND.CODF)..f
31-6-11-3 (Duty to Report); IND.CODE 34-1-14-5 (Physician-Patient
Privilege); IND.CODE 31-6--11-8 (Abrogation of Privilege). However,
Daymude argues that the privilege is abrogated only in reporting child
abuse, and that the abrogation does not extend to communications made
during counseling ordered by the court as a result of CHINS proc}.ed-
ings. _.:;<''
Because of the special circumstances of this case, this appeal pres-
ents an issue of first impression for this court. However, we believe that
the purpose of the reporting statutes and decisions from courts facing
similar issues clearly support Daymude's contentions here.
The purpose of the Indiana reporting statute is:
[T]o encourage effective reporting of suspected or known inci-
dents of child abuse or neglect, to provide in each county an effective
child protection service to quickly investigate reports of child abuse
or neglect, to provide protection for such a child from further abuse
or neglect, and to provide rehabilitative services for such a child and
his parent, guardian, or custodian.
IND.CODE 31-6-11-1. Thus, the reporting statute attempts to promote
the reporting of child abuse cases, and thereafter, to provide a mecha-
nism for the investigation of the abuse in order to protect the child and
provide rehabilitative services for the child and parents, guardian, or
custodian. The abrogation statute as set forth in IND.CODE 31-6-11-8
must be read in light of the purpose of the entire act.
Clearly, confidential communications between a health care provider
and his patient are abrogated to the extent that the health care provider
must report all suspected or known instances of child abuse. However, to
extend the abrogation statute to information disclosed during Daymude's
court ordered counseling goes beyond the purpose of the statute. The
statute makes no mention of prosecuting alleged abusers, and instead
only discusses means to facilitate the identification of the children who
need the immediate attention of child welfare professionals.
* * *
In the present case, the reporting of child abuse is not an issue. The
alleged abuse was reported long before Daymude made confidential
statements to Walker. In fact the confidential communications arose
only after the CHINS proceedings during which the court ordered
Daymude to attend and participate in individual and family counseling
sessions. Thus, because the alleged abuse already had been reported, the
reporting statute's purpose had been served and the physician-patient
privilege need not be abrogated further.
I
I I
,I
I
, I
I
, I
,I
I,
"
I'!
i
I'!
'II
; I
354
Ch. 5
d
There is no question that the family therapy sessions are an integral
an necessary part of th t t' d'
h
. . . . . e pa Ien s Iagnosis and treatment. If the
p ysiCian-patient pnvi!ege IS denied to those family memb . I d .
CHINS ]' th ers mvo ve m
counse mg, en the alleged child abusers will be discoura ed
from openly and honestly communicating with their counselors
open and honest communications between the physician and th il
members, the rehabilitative process will fail. Consequently t:
whom the statute is designed to help and protect is d . d , e c I . ,
ty
for 1 t h b'l' , eme an opportiim-
comp e e re a I Itation. AB the Andring court stated:
I d.
Once the abuse is discovered, however, the statute should not be
nor can the legislature have intended it to be co t d
to pennit total elimination of this important privilege Th ns j
purpose of the child abuse reporting statute is the r:f
children, not punishment of those who mistreat them.
* * *
resui; the physician-patient privilege arose as a direct
. . erapy ered by the court during a CHINS proceedin The
commumcations were made long after the report of th:child
a use. mce the abuse already had been re orted th
reporting statute had . been fulfilled. To arfow the
pnvileged commumcatwn under these specific facts goes beyond th
of the statute. because of the specific facts of the presen;
, ;e hold that t.he physiCian-patient privilege is not abrogated with
regar . to confidential communications disclosed by a defendant while
participatmg m counseling sessions ordered by a trial court pur t t
a report of child molesting. suan o
For the above reasons, we reverse the trial court's ruling.
Judgment reversed.
RATLIFF, C.J., and RoBERTSON, J., concur.
Comments
1. Constitutional limits on state disclosure requirements Re
suggest that there are constitutional limits on the power of t casets
Impose medical report . o ... a ures o
justices of the a majority of the
notification of the parents of minors seeki . aw requirements for
ally defective. Bellotti v. Baird, 443 U.S.

(1979). But see H L v M th
45
, d.2d 797
388 (1981). , . . . a eson, 0 U.S. 398, 101 S.Ct. 1164, 67 L.Ed.2d
In the h' t
t t I psye Ia nc context a California appellate court has held th t
required institutions to notify a "responsible
violated th: pa Ien; to the administration of ECT or psychosurgery
129 to pnvacy. Aden v. Younger, 57 Cal.App.3d 662,
2. Rule for covered entities under HIPAA. HIPAA authorizes disclosure
of PHI without the patient's authorization when mandated by state law or
regulation when it relates to child abuse or neglect where the covered entity
believes the individual is the victim of domestic violence. Additionally, disclo-
sure may be made in a number of other situations including the following:
(1) where necessary to prevent serious harm to the individual or other
potential victims; (2) when requested by a public health authority for the
purpose of preventing or controlling disease; and (3) in the case of the death
of a patient, reports to a relevant agency to determine the cause of death or
whether the death occurred as a result of criminal conduct by a third party;
( 4) where disclosure is needed for the protective services for the
and other senior government officials; (5) to federal officials in connectfuh
with lawful intelligence activities; (6) to military authorities when necessary
to ensure proper execution of the military mission; and (7) at the request of
law enforcement agencies for the purpose of deterring a crime involving a
serious risk of injury to an individual or the public. 45 C.F.R. 164.512.
3. Duty to report versus statutory confidentiality rules. The potential
conflict between confidentiality rules and reporting statutes was addressed
by the Vermont Supreme Court in Peck v. Counseling Service of Addison
County:
Defendant also argues thaCthe therapist could not lawfully have
warned the plaintiffs * * * because of the physician-patient privilege
against disclosure of confidential information. 12 V.S.A. 1612(a). * * *
Defendant points out that the legislature has specified certain "public
policy" exceptions to the physician-patient privilege, see, e.g., 33 V.S.A.
683-684 (Supp.1984) (report of child abuse), 13 V.S.A. 4012 (disclo-
sure of gunshot wounds), 18 V.S.A. 1152-1153 (report of abuse of the
elderly), aod that a therapist's duty to disclose the risk of hann posed by
his or her patient to a foreseeable victim is not a recognized legislative
exception. Given this, defendant argues that this Court is preempted
from finding a duty-to-warn exception to the g!)ysician-patient privilege.
The statutory exceptions to the physician-patient privilege indicate to
this Court, however, that the privilege is not sacrosanct and can proper-
ly be waived in the interest of public policy under appropriate circum-
stances. A mental patient's threat of serious harm to an identified victim
is an appropriate circumstance under which the physician-patient privi-
lege may be waived.
146 Vt. 61, 499 A.2d 422, 426 (1985).
4. Disclosure of past crimes. May a therapist disclose information as to
the patient's past commission of a crime? While such disclosure may consti-
tute a breach of confidentiality, the violation cannot be asserted as a defense
in a criminal proceeding. State v. Beatty, 770 S.W.2d 387 (Mo.App.1989)
(holding that a therapist's report that the patient had been involved in a
robbery could not be raised as a defense in a criminal proceeding). The court
however, suggested that the patient might have a private cause of action
against the therapist for a breach of confidentiality. What would be the
extent of damages she could obtain? Should the term of imprisonment that
resulted from the conviction be compensable?
,,
I
'I
I'
, (I
II
I'
356
Ch. 5
What is the scope of permitted disclosure of past crimes under HIP AA?
Unfortunately, the relevant section, 164.512 (D(6)(i), which covers disclo-
sure of crimes, is extraordinarily opaque even by HIP AA standards. The
section reads as follows:
(i) A covered health care provider providing emergency health care
in response to a medical emergency, other than such emergency on the
premises of the covered health care provider, may disclose protected
health information to a law enforcement official if such disclosure
appears necessary to alert law enforcement to:
and
(A)
(B)
The commission and nature of a crime;
The location of such crime or of the victim(s) of such crime;
(C) The identity, description and location of the perpetrator of
such crime."
See also discussion of the Menendez v. Superior Court pp. 414-16.
C. DISCLOSURES OF INFORMATION INDICATIVE OF MEN-
TAL DISORDER AND/OR DANGEROUSNESS
1. Disclosure by Entities Covered by HIPAA
As outlined on p. 325, HIP AA regulations permit disclosure "neces-
sary to prevent or lessen a serious and imminent threat to the health or
safety of a person or the public . . . to a person or persons reasonably
able to prevent or lessen the threat, including the target of the threat."
45 C.F.R. 164.512. HIPAA does not provide any further guidance as to
who may qualify as a "person or persons" reasonably able to prevent or
lessen the threat. In any event, where there is an imminent threat to the
health and safety of the person or the public, HIP AA gives health
provider significant leeway to disclose that information to appropriate
third parties.
Moreover, in most states, state law provides a similar exception. The
primary difference among state laws pertains to the authorized scope of
disclosure. In some states, the disclosure of imminent harm may be
made not only to other mental health care providers and law enforce-
ment personnel but also to identifiable third persons who are at risk.
Such a rule is sometimes the result of judicial interpretation rather than
an explicit legislative mandate. For instance, as noted above, in Peck v.
Counseling Service of Addison County, 146 Vt. 61, 499 A.2d 422, 426
(1985), the Vermont Supreme Court held that even though legislation
only authorized disclosure of protected medical information in the case
of child abuse or gun shot wounds, public policy requires that where
there is a threat of serious harm to an identifiable victim, disclosure may
be made to the potential victim. Other states, such as Texas, only
authorize the disclosure of the imminent dangerous propensities of a
person under treatment to law enforcement personnel or other health
providers. Thus, in states that follow the Texas model, disclosure of
I
t
!
I

t
l
I I
. I
covered health information cannot be made to persons at risk of immi-
nent harm.
2. Disclosure by Institutions Covered by FERPA (institutions
of higher learning) ,.-t
As noted in Chapter 3 (pp. 232-39), a series of recent incidents
involving either student suicides or mass shootings on campuses have
focused attention on the responsibility of universities to detect mental
problems of students and to take preventive action where a student
poses a significant threat to self or others. The capacity of institutions of
higher learning to detect student mental illness requires of
information between relevant units of the university. Such exchanges
might involve faculty, administrators, residence hall advisors, university
health center personnel, campus law enforcement units and special
university units with responsibility to assess threats. As detailed below,
the disclosure of student records or information between university staff
are subject to both federal and state law, the most significant of which is
the Federal Educational Rights and Privacy Act (FERPA). In some
instances, these laws may serve to prevent the aggregation of relevant
information that is needed if a university is to have the capacity to
identify students with serious-'mental problems who are potentially
dangerous to self or others. As noted in the report on the Virginia Tech
shootings, involving the murder of 32 students and staff on campus:
Information privacy laws governing mental health, law enforcement,
and educational records and information revealed widespread lack of
understand, conflicting practice and laws that were poorly designed
to accomplish their goals. Information privacy laws are intended to
strike a balance between protecting privacy and allowing informa-
tion sharing that is necessary or desirable. Because of this difficult
balance, the laws are often complex and hard to understand."
"Mass Shootings at Virginia Tech," Report ofthe Review Panel (August
2007), at 58, available at http://www.vtreviewpanel.org/report/index.
html) [hereinafter Review Panel Report]
Noted earlier in this chapter is the possibility that HIP AA privacy
rules exempt from coverage the records of health maintenance entities
operated by institutions of higher learning and the fact that FERPA
exempts from its coverage "[r]ecords made or maintained by a university
mental health care provider in the course of providing a student with
medical or psychological care." See p. 324. Thus, the records of a
university operated health treatment facility may not be subject to either
HIPPA or FERPA privacy rules and their disclosure may only be
governed by state law. In some states, mental health treatment records
are subject to the same rules as general medical records. In other states,
records associated with mental health treatment are subject to special
and more restricted disclosure rules. Under Virginia in effect at the time
of the Virginia Tech shootings, disclosure of health information held by
health providers was only authorized under the following circumstances:
,,1
' :
I . :
'I
I,
I
I I I
I
i:'l
,I
I
.!
! I
i
358
Ch. 5
(1) with the consent of the patient; (2) to other health providers where
the sharing of information is necessary for treatment; and (3) in selected
situations including where a person "presents an imminent threat to the
health or safety of individuals and the public." Review Panel Report, at
65. Similar laws have been adopted by other states. Also, there are
variations among state laws governing the class of persons to whom
information about dangerousness can be communicated. Under Texas
law, for instance, disclosures of the imminent danger of an individual
under treatment may only be disclosed to law enforcement offices and
other health providers and not to university officials. Memorandum
"Sharing Information about Potentially Dangerous Students." Office of
General Counsel, University of Texas System (July 10, 2007), at.4
[hereinafter Memo, University of Texas General Counsel]
FERP A does govern the disclosure of student "educational records."
While these records do not encompass university records maintained by
university health units, they do include most other records kept by the
university, and also apply to communications between and among cam-
pus personnel as well as disclosures to persons outside of the community.
Within the university, student records covered by FERPA may only be
disclosed to anyone "who has a legitimate educational interest in these
records." 34 CFR 99.31(a)(1)). Disclosure of student record informa-
tion to external persons or agencies is in general limited to disclosures
that are consented to by the student. However, FERPA permits noncon-
sensual disclosure in some limited circumstances. A recent analysis of
the FERPA exceptions reached the following conclusion:
If the university determines that individuals outside of the universi-
ty should be informed about student conduct, other FERPA excep-
tions permit student education records to be shared with third
parties. Notably, disclosure of information in education records is
always permitted in connection with a health or safety emergency
under certain conditions. FERPA permits disclosure to appropriate
parties in connection with an emergency if knowledge of the infor-
mation is necessary to protect the health or safety of the student or
other individuals. This exception allows university officials to act
quickly in emergencies to contact outside parties such as law en-
forcement or health authorities for assistance in arresting or detain-
ing a student without regard to whether the information about the
student is contained in the student's education record.
Release under the health or safety emergency exception must be
limited to "appropriate parties." FERPA does not define "appropri-
ate parties," and thus it would be a matter for the university to
determine who is an "appropriate party" based on the particular
circumstances. So, for example, the emergency exception would
permit university officials to share necessary information with local
broadcast media as needed to alert the public to a threat posed by a
student during an emergency situation, but it would not justify the
university's sharing of information from a student's education rec-
ord with a reporter for a news feature about the incident. In
i
l
addition, once the threat of harm has dissipated, the exception is no
longer available to the university. Even in the absence of an emer-
gency, FERPA permits an institution to contact its own law enforce-
ment unit to investigate possible violations of and to enforce any
local, state, or federal law." .....
Memo, University of Texas General Counsel, at 3.
1. Scope of FERPA and HIPAA exemptions. Assume that a university
establishes a unit to assess campus safety aod security. The unit is not part
of a university's mental health treatment center. The unit gathers
tion from residence dorm advisors and academic units about student behav-
ior that is indicative of mental illness and potential dangerousness either to
self or others. Assuming that no student has violated any law, what course of
action is open to a university to deal with such findings? For instance, could
a university require an at risk student to undergo treatment as a condition
for continued enrollment? In the event that a student declines to voluntarily
undergo treatment aod is suspended, should anyone be contacted or can the
university assume that the suspension has removed the threat?
2. FERPA regulations amendment. Largely in response to the Virginia
Tech shootings, the United Department of Education issued a propos-
al to amend the regulations governing federal educational rights and privacy
under FERPA. Under the proposed rule where there is "an articulable and
significant threat to the health or safety of a student or other individuals"
disclosure may be made to "any person whose knowledge of the InformatiOn
is necessary to protect against the threat." 34 CFR Pact 99, 73 Fed.
Reg.1558 (March 24, 2008). Moreover, "to provide appropriate flexibility and
deference [to an institution's decision] the Secretary has determmed that 1f,
based on the information available at the time of the determination, there is
a rational basis for the determination, the Department will not substitute its
judgment for that of the educational agency or institution in evaluating the
circumstance and making its determination.:' Assuming this change In
regulations becomes final, would a covered" educational institution that
makes ao appropriate finding as to dangerousness be authorized to notify
the parents of a student who is deemed to present a danger to self or others?
Would the rule also authorize an institution to also notify a student's dorm
mates?
3. Disclosures by university health care facilities. Obviously, where a
student has received treatment in a university operated health facility, the
facility would be a good source of information concerning the mental health
and propensities of the student. Yet the law of some states, such as Texas,
restricts the disclosure of health information by mental health treatment to
law enforcement agencies and other health providers. At the same time,
universities can be liable for failing to take appropriate action to avert
student suicides. How might the rules governing communications between a
university health center and the administration be modified to provide
reasonable protection to student privacy while also providing the university
with sufficient information to determine whether the student needs to be
suspended academically so that he or she may be moved into a different
environment?
,!,,,
'li
4. Disclosing limits of confidentiality to patients. The normal rules
pertaining to confidentiality are, of course, partially waived in those jurisdic-
tions that adhere to Tarasoff, since therapists in such jurisdictions have not
only a duty but also a legal right to warn third persons of the dangerous
propensities of their patients. In those jurisdictions where Tarasoff applies,
should a therapist have an obligation to inform potential patients that
confidentiality might be broken if the therapist later perceives the patient to
be a threat to a third person? One commentator has suggested that failing to
inform patients of the risk that their confidential communications will be
disclosed could constitute a breach of the informed consent doctrine. See
Note, "The Doctrine of Informed Consent Applied to Psychotherapy," 72
Geo.L.J. 1637 (1984).
5. Problem. Dr. I is a noted psychiatrist and a clinical professor at New
York Medical College. He is also President of the Academy of Psychoanalysis
and editor of the American Journal of Psychoanalysis. As part of his faculty
duties, he acts as a teaching analyst for psychiatric residents who plan to
specialize in psychoanalysis (full membership in a psychoanalytic institute,
the qualifYing emblem of a psychoanalyst, requires a period of specialized
training including personal analysis by a training analyst).
Dr. Dis a third-year resident in psychiatry at New York Medical College.
As part of his psychoanalytic training, he is being analyzed by Dr. I. In the
course of an analytic session, he tells Dr. I that he had recently gone to
South America to see the night sky in the southern hemisphere. He also
confesses that another reason for his trip was to "meet a nice child."
Following the disclosure, Dr. I continues his regular bi-weekly analysis of Dr.
D. Concluding that Dr. D is both intelligent and very professionally focused
and is therefore able to control his impulses, Dr. I does nothing to have him
removed from the residency program. He also concludes that his completion
of the analysis is likely either to reorient Dr. D's sexual preferences or, at a
minimum, to enhance his impulse controls. Four months after his confession
during analysis, Dr. D, who at the time was working as a psychiatric resident
at Danbury Hospital in Connecticut, is charged with molesting a ten-year-old
boy, who was a patient in the hospital. The boy and his family subsequently
filed a lawsuit against Dr. I and New York Medical College alleging that he
should have taken steps to prevent Dr. D from working with children.
(Additional details concerning the case, which was filed in the Federal
District Court in Connecticut in the spring of 1998, are reported in Frank
Bruni, 'A Child Psychiatrist and Pedophile; His Therapist Knew But Didn't
Tell Victim,' N.Y. Times, April19, 1998 at Sec. 1, 35).
Would HIPAA have permitted the disclosure of the information pertain-
ing to Dr. D's pederast inclinations?
D. JUDICIAL PROCEEDINGS AND THE TESTIMONIAL PRIV-
ILEGE
1. Introduction
a. Perspectives on the Judicial Process
In many situations society, through an arm of government, needs
information known only to a few. In these situations, according to an old
maxim, the public has a right to every man's evidence. That is, each
person has a duty to disclose information of vital importance to soc1ety.
The duty to disclose arises when society's need to ascertam the truth
outweighs the individual's interest in concealing the information. The
public, through the coercive forces of government, may then compel ,-4
disclosure. The usual contexts in which the need for mformat10n ar1ses
include civil and criminal trials and hearings and investigations by
legislatures and administrative agencies. In each of these contexts,
ascertaining the truth is essential to promote an rmportant societal
interest.
The potential tension between a governmental interest in t';,gllh
ascertainment in the legal process and the protection of pnvacy of health
records (PHI) is made evident by the cases that follow where the
contours of the testimonial privilege are sometimes defined dependmg on
how the balance is struck. Whatever rule governing the scope of the
testimonial privilege emerges as a result of a legislative or judicial
decision, its application is not impeded by HIPAA. As noted
HIPAA's privacy rules do not protect a patient's health records
those pertaining to mental health treatment when they are obtamed m
response to an order or subpoena by a either a state or court or
administrative tribunal." Moreov.er, in discovery proceedings the PHI
must be disclosed to either the court or an opposing party even in the
absence of a court issued subpoena so long as the individual about whom
health information is being sought is provided with adequate notice and
has a reasonable opportunity to challenge the subpoena or discovery
request.
* * *
b. Role and Function of the Testimonial Privilege
Governmental authority to compel disclosure is not unlimited. It
extends only as far as necessary to achieve the-governmental purpose at
hand. Thus, no witness may be compelled to testify concerning matters
irrelevant to the case before the court or other tribunal.
Governmental authority is also limited when mandatory disclosure
conflicts with rights or interests, which are highly valued in a free
society. To preserve important rights and interests, courts and other
tribunals may recognize a "privilege" on the part of a Witness to dedme
to answer certain questions. For example, no person may be eompelled to
make statements which might incriminate him. The pnv1lege agamst
self-incrimination is inherent in the American concept of liberty. Long
recognized under the English common law, the privilege was incorporat-
ed in the Fifth Amendment to the federal Constitution and is made
applicable to the states through the Fourteenth Amendment. Similarly,
under the First Amendment guarantees of free speech and rehgwn, no
person may be compelled to state his political or religious beliefs under
a. 45 C.F.R 164.512 (e) (l)(ii), See
generally, Singhai, et al., 'Recent Develop-
ments in Medicine and Law,' 2002 Insur-
ance Tort Journall (2002).

'' :I '
'.
i
''

Chapter Five Confidentiality and Access To Records

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Chapter Five Confidentiality and Access To Records

Uploaded by

Copyright:

Available Formats

I.

You might also like