Comments on Final Rule on Standards for Privacy of Individually Identifiable Health Information
by Russ Newman, PhD, JD
March 13, 2001
Secretary Tommy G. Thompson
U.S. Department of Health and Human Services
Attention: Privacy I, Room 801
Hubert H. Humphrey Building
200 Independence Avenue, S.W.
Washington, DC 20201
Re: Final Rule on Standards for Privacy of Individually Identifiable Health Information, as published in 65 Fed. Reg. 86462, December 28, 2000.
Dear Secretary Thompson:
I submit these comments on behalf of the American Psychological Association ("APA" or "we"), the largest membership association of psychologists with more than 159,000 members and affiliates engaged in the practice, research and teaching of psychology, pursuant to your February 28, 2001 request (66 Fed. Reg. 12738-12739) for comments regarding the final rule for standards for privacy of individually identifiable health information, as published in 65 Fed. Reg. 86462 et seq., December 28, 2000. APA believes that the final rule contains many provisions that proactively protect the privacy of patient records. For this reason, APA supports the rule and urges that it be made effective on April 14, 2001, as provided in this recent comment notice.
We appreciate the efforts of the Secretary to address concerns regarding the final rule by providing for this limited, additional comment period. As the Secretary and those in the Department of Health and Human Services ("HHS") know, many of these concerns have been raised by the insurance, business, and hospital and health care facility advocates, who are legitimately concerned with the compliance burden associated with these new standards.
APA recognizes and agrees that the final rule is not ideal. Many of our member psychologists will likewise face the compliance burden associated with these rules, while the rules themselves could be even more protective of patient records. APA had offered, for example, many narrowly tailored suggestions to improve the privacy protections when the rule was proposed. We appreciate changes made in the rule to accommodate our suggestions, but since many of our suggestions were not included, we view the rule as open for further improvement perhaps now and in the future.
If Secretary Thompson does make changes to the final rule to reduce its associated compliance burden, we urge that such changes be made without sacrificing the patient records privacy protections it affords. In fact, if changes are made, we ask that the Secretary strengthen the records privacy provided by the rule and for this purpose offer narrow amendments to provisions of particular importance to psychologists and their patients.
The psychotherapy notes patient authorization requirement should be retained in the final rule and strengthened to include particularly sensitive testing data.
The APA is extremely gratified to see that the heightened protection for psychotherapy notes has been retained from the proposed rule and included in the final rule. When implemented 45 C.F.R. § 164.508(a)(2) will require a covered entity to obtain a patient's authorization for disclosure of psychotherapy notes for use beyond the treating psychologist or other psychotherapist. Such authorization is in addition to the consent the patient gives for the disclosure of his or her other patient records, including those mental health records that do not fall under the "psychotherapy notes" definition, for purposes of treatment, payment, or health care operations.
We are pleased to note that HHS agrees with our underlying rationale for the need for heightened protection for psychotherapy notes. In our comment to the proposed rule, we had suggested that patients seeking and receiving mental health treatment have different, generally greater, privacy needs than persons receiving general health services. These greater needs are manifold, many of which are rooted in societal stigmatization of mental disorders, and more intimately to the individual patient, in the fear that disclosure to loved ones, family, friends, business associates, and even acquaintances could harm these relationships, perhaps irreparably.
We believe that HHS is right to continue to afford additional protection for psychotherapy notes through its reliance on the United States Supreme Court Decision of Jaffee v. Redmond, 518 U.S. 1 (1996). The department’s significant consideration of mental health records protection in relation to the Jaffee decision in the preamble to the final rule is appreciated:
Moving beyond these facts of physical treatment, there is also significant intrusion when records reveal details about a person's mental state, such as during treatment for mental health. If, in Justice Brandeis' words, the "right to be let alone" means anything, then it likely applies to having outsiders have access to one’s intimate thoughts, words, and emotions. In the recent case of Jaffee v. Redmond . . . the Supreme Court held that statements made to a therapist during a counseling session were protected against civil discovery under the Federal Rules of Evidence . . . . In upholding the federal privilege, the Supreme Court stated that it “serves the public interest by facilitating the appropriate treatment for individuals suffering the effects of mental or emotional problems. The mental health of our citizenry, not less than its physical health, is a public good of transcendent importance.
In fact, the Supreme Court further emphasizes in the Jaffee decision the importance of protecting the privacy integral to the relationship between a patient and his or her psychotherapist by contrasting psychological treatment with treatment for physical ailments:
Treatment by a physician for physical ailments can often proceed successfully on the basis of a physical examination, objective information supplied by the patient, and the results of diagnostic tests. Effective psychotherapy, by contrast, depends upon an atmosphere of confidence and trust in which the patient is willing to make a frank and complete disclosure of facts, emotions, memories, and fears. Because of the sensitive nature of the problems for which individuals consult psychotherapists, disclosure of confidential communications made during counseling sessions may cause embarrassment or disgrace. For this reason, the mere possibility of disclosure may impede development of the confidential relationship necessary for successful treatment.
Patient authorization for release of psychotherapy notes will help secure the privacy of the relationship between the patient and treating psychologist. However, in comments to the proposed rule APA had suggested that the proposed rule's definition of "psychotherapy notes" was too narrow to fully address the records privacy needs of mental health treatment. In other words, the proposed rule’s "psychotherapy notes" definition encompassed for heightened protection a narrow range of sensitive mental health information. Narrower, for example, than that recognized by the Supreme Court in the Jaffee decision. We had asked, since HHS relied on the Jaffee decision as rationale for the psychotherapy notes authorization requirement, to fully reflect the spirit of the decision by defining "psychotherapy notes" to include other records which contain highly sensitive mental health information related to treatment.
HHS decided not to expand the "psychotherapy notes" definition in the final rule. We believe that this is an unfortunate decision. Psychologists and other mental health professionals typically create and maintain records, in addition and directly related to psychotherapy notes. The privacy of these records should also be protected to ensure effective psychotherapy and to preserve an atmosphere of confidence and trust so that a patient "is willing to make a frank and complete disclosure of facts, emotions, memories, and fears." A patient cannot feel secure in the privacy of his or her relationship with a psychologist, if a realistic perception exists that some records require specific authorization for release, while other records with similar and highly sensitive, often embarrassing, information do not.
Patients need to know that all very sensitive mental health records are secure, and this security could have been mainly accomplished through an appropriate and broad psychotherapy notes definition. APA will continue to work to improve the rule with regard to its protection of mental health records in the future, however, we here offer a very narrow improvement to the final rule regarding the psychotherapy notes authorization requirement.
In retaining the psychotherapy notes patient authorization requirement in the final rule, HHS has clarified in commentary the rationale for the requirement:
[T]he rationale for providing special protection for psychotherapy notes is not only that they contain particularly sensitive information, but also that they are the personal notes of the therapist, intended to help him or her recall the therapy discussion and are of little use or no use to others not involved in the therapy. Information in these notes is not intended to communicate to, or even be seen by, persons other than the therapist. Although all psychotherapy information may be considered sensitive, we have limited the definition of psychotherapy notes to only that information that is kept separate by the provider for his or her own purposes. It does not refer to the medical record and other sources of information that would normally be disclosed for treatment, payment, and health care operations.
We respectfully submit that test data and test materials used in psychological assessment are exactly the type of information described above that the psychotherapy notes authorization requirement is designed to protect. For this reason, we strongly urge the Secretary to amend the "psychotherapy notes" definition to include the relevant portion of psychological test data and test materials that, like psychotherapy notes, should require similar authorization for release.
To clarify terms, "test data" include test results, raw test data (generally, the test form itself, the actual answers of the patient on the test form, etc.), reports, and global scores, and "test materials" include protocols, manuals, test items, scoring keys or algorithms, and any other materials considered secure by the test developer or publisher. In this comment, we refer to both test data and test materials described above under the blanket term, "test data."
In APA’s January 20, 2000 comments to the proposed rule, we had urged that the "psychotherapy notes" definition for which patient authorization for release is required be expanded to include other appropriate sensitive mental health information, including test data. Considering the clarification provided by HHS in commentary on the "psychotherapy notes" authorization requirement, we narrow our appeal and intensify our request regarding the inclusion in such definition for certain test data related to psychological assessment.
Essentially, HHS has determined that heightened protection for psychotherapy notes is needed because such notes: (A) contain particularly sensitive information, and (B) are kept separate by the provider for his or her own purposes. HHS further elucidates on the second requirement, part (B), by indicating that such notes are of little or no use to others not involved in the therapy, are not intended to communicate to, or even be seen by, persons other than the therapist, and do not refer to the medical record and other sources that would normally be disclosed for treatment, payment, and health care operations. As with psychotherapy notes, psychologists and other therapists may include portions of test data in patient medical records, but that portion which is generally not shared should similarly fall under the patient authorization requirement for release.
A. Test data in psychological assessment contains particularly sensitive information.
Psychologists typically utilize psychological tests that require patients to divulge highly sensitive personal information, which is typically as sensitive as the information contained in psychotherapy notes. For example, the Minnesota Multiphasic Personality Inventory (MMPI-2), one of the most commonly used clinical tests, contains an item asking the respondent to indicate whether he or she has "indulged in unusual sex practices." For example, MMPI-2 asks a respondent whether he or she "has used alcohol excessively." For example, the Rorschach, again a common testing technique, asks respondents to interpret what a series of inkblots might represent. Common responses include emotional expressions, fantasies, and notations by the psychologist on the respondent’s behavior while giving the response.
Obviously, these questions themselves and the answers the patient provides contain particularly sensitive information, far more sensitive than nearly any information related to treatment for physical diagnoses. This information is more sensitive than general mental health information that may be provided to health plans for purposes of payment, treatment, and health care operations. Certainly, test data include patient emanations of highly sensitive information, which may have meaning only to the psychologist giving the test. Considering the contrast provided by the Supreme Court in the Jaffee decision, treatment for physical ailments may proceed based on information supplied by the patient, but highly sensitive mental health information, perhaps that which would cause "embarrassment or disgrace" as these test questions and answers elicit, could impede treatment if the patient perceives their "mere possibility of disclosure."
B. Highly sensitive test data are kept separate by the provider for his or her own use.
A psychologist is required by ethical standards, law, and contractual agreements to carefully determine the release of test data, to keep certain test data for his or her own purposes, and to not include such data in the medical record. Many of these standards and laws are meant to protect the patient and the privacy of the records, and contractual agreements with the test developer or publisher are primarily meant to protect the tests themselves.
According to the APA Code of Ethics, a psychologist must ". . . make reasonable efforts to maintain the integrity and security of tests and other assessment techniques consistent with law, contractual obligations, and in a manner that permits compliance with the requirements of this Ethics Code." Unless otherwise mandated by law, a psychologist must request patient consent for release of test data in order to obtain payment for services. Many states have statutes that require formal consent before records can be released or protect against disclosure of mental health records under the psychotherapist-patient relationship. Even with such consent and consent requirements, however, many psychologists release only certain test data to health plans.
For purposes of disclosing test data to health plans, such as (under this rule) for payment, treatment, and health care operations, many psychologists provide written psychological assessments in place of sensitive test data. A psychological assessment, often a standardized report, contains such information as an overall summary of diagnosis and treatment, diagnostic impressions and interpretations, and treatment recommendations. Psychologists generally keep separate and for their own use test results (other than summary results provided), raw test data, global scores, and test materials, such as protocols, manuals, test items, scoring keys, algorithms, and other related materials.
A psychologist keeps much test data for his or her own use for purposes of psychotherapy and treatment and to protect the privacy of the patient and of their psychotherapeutic relationship. When a patient provides answers during psychological assessment, these are responses of the patient, similar to responses that a patient would provide during psychotherapy. Assessment questions may require the patient to reveal highly sensitive personal information, and the psychologist will protect this information as necessary. Psychological testing then, like psychotherapy, depends upon "an atmosphere of confidence and trust in which the patient is willing to make frank and complete disclosure of facts, emotions, memories, and fears."
Psychologists are particularly careful not to release test data, other than assessment summaries, to individuals who are not qualified to use such data. Regarding assessment techniques, interventions, results, and interpretations, for example, psychologists have an ethical duty to ". . . take reasonable steps to prevent others from misusing the information these techniques provide. This includes refraining from releasing raw test results or raw data to persons, other than to patients or clients as appropriate, who are not qualified to use such information." Psychological testing standards call for responsibility for test use to be assumed by or delegated only to those individuals with the training and experience necessary to handle these responsibilities in a responsible and technically adequate manner.
Inappropriate release of test data can harm the health of the patient and the treatment relationship between the psychologist and the patient. In commentary to the proposed and final rule, HHS clearly recognizes this potential harm and has thus included a patient authorization requirement for release of psychotherapy notes. A patient, however, may be harmed in numerous other ways not directly related to treatment when sensitive test data is inappropriately disclosed.
One way that a patient can be harmed by the release of certain test data, such as raw data for example, is by its misinterpretation by individuals not trained in psychological testing, or by its use out of proper context. For example, an item on the MMPI-2 is combined with other items to determine if the respondent is being truthful. In other words, for assessment purposes several items on the MMPI-2, when viewed together, can assist a psychologist in determining whether the respondent is attempting to mislead with his or her responses. One of these items asks the question: "I do not always tell the truth." If the person answers "no" to this question, it may then be combined with other answers to indicate that the person is actually attempting to mislead the tester. However, a "yes" answer, to a person not trained in interpreting this test, may be seen as meaning that the person is an untruthful person, when in fact he or she is being truthful in answering the item.
A powerful example of how this particular question was misused is suggested by the South Carolina case of Hudgins v. Moore, 337 S.C. 333; 524 S.E. 2d 105 (1999). In Hudgins, the prosecution entered, as evidence against the defendant in a capital murder case, several individual items provided by the defendant during testing from the MMPI-A (the test version for adolescents). One of the answers to the question "I do not always tell the truth" was entered as evidence to impeach the defendant's credibility. On appeal to the South Carolina Supreme Court, APA provided an amicus brief that pointed out that, "[r]esponses to individual questions are never intended to be viewed in isolation, as the prosecutor did here. Indeed, when interpreted properly by a trained professional as part of a battery of related questions, an affirmative response to the statement 'I do not always tell the truth' actually is more likely to reflect that a person is answering honestly." The South Carolina Supreme Court, in addressing this issue on appeal, agreed that submission of such individual questions was a problem.
Hudgins presents one example of inappropriate use of test data, but beyond such potential misuse, psychologists must consider release of test materials in relation to test security, potential invalidation, copyright law and contractual obligations. Psychologists’ consideration of these issues has been succinctly discussed in psychological publication:
Disclosure of secure testing materials (e.g., test items, test scoring, or test protocols) to unqualified persons may decrease the test’s validity. Availability of test items to an unqualified person can not only render the test invalid for any future use with that individual, but also jeopardizes the security and integrity of the test for other persons who may be exposed to test items or responses. Such release imposes very concrete harm to the general public—loss of effective assessment tools. Because there are a limited number of standardized psychological tests considered appropriate for a given purpose (in some instances only a single instrument), they cannot easily be replaced or substituted if an individual obtains prior knowledge of item content or the security of the test is otherwise compromised.
Psychologists must make sure when disclosing records to health plans, for example, that an individual in that plan is able to use the test data appropriately and to ensure that unqualified individuals do not have access to the data. In doing so or in providing assessment summaries in lieu of test data, psychologists protect the interests of the patient and meet their contractual and other obligations to the developer or publisher of the test materials.
We have provided some of the reasons why many psychologists keep certain test data separate for their own use. To ensure that this test data is protected by the rule, we strongly urge that the following narrow amendment be included in the definition of "psychotherapy notes." In the definition of "psychotherapy notes" as provided in 45 C.F.R. § 164.501, add the following sentence immediately after the first sentence:
Test data related to direct responses, scores, items, forms, protocols, manuals, and other materials shall be considered a part of psychotherapy notes for purposes of treatment, as determined by such mental health professional.
Incorporating this change (text underlined), the "psychotherapy notes" definition reads as follows:
Psychotherapy notes means notes recorded (in any medium) by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of the individual’s medical record. Test data related to direct responses, scores, items, forms, protocols, manuals, and other materials shall be considered a part of psychotherapy notes for purposes of treatment, as determined by such mental health professional. Psychotherapy notes excludes medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: Diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date.
The final rule should not preempt stronger state laws. Many state laws provide for stronger privacy protection for mental health records than those contained in this rule. Patients seeking and receiving mental health treatment should not lose the protections state laws afford through federal preemption.
We are pleased that the final rule retains the non-preemption of stronger state laws related to the privacy of patient records. As APA had noted in comments to the proposed rule, non-preemption of stronger state laws is mandated by section 262 (as adding section 1178 to the Social Security Act) and section 264(c)(2) of the Health Insurance Portability and Accountability Act. Therefore, HHS lacks authority to preempt stronger State laws. We wonder why some commenters had requested HHS to ignore this legislative mandate and preempt State laws. As HHS states in commentary to the final rule, ". . . this is an area where the policy choice has been made by Congress . . . provisions of state privacy laws that are contrary to and more stringent than the corresponding federal standard, requirement, or implementation specification are not preempted. The effect of these provisions is to let the law that is most protective of privacy control . . . ."
For psychologists and their patients, the non-preemption of stronger state laws is of primary importance. As discussed in our comments to the proposed rule, many states have enacted laws that more stringently protect the privacy of mental health records than the standards provided in this new rule. State legislatures and governments have long recognized the need for heightened protection of mental health records. The recent and comprehensive survey of state records privacy laws, conducted by the Institute for Health Care Research and Policy of Georgetown University, concluded that "[b]y far, state legislation concerning mental health is among the most detailed and complex. All states have some statutory provision addressing mental health communications and records."
States have enacted many laws related to the privacy of mental health records, because of the need for heightened protection for these records. States have recognized that mental health records typically contain information that leave a patient vulnerable to embarrassment or stigmatization. For patients seeking and receiving mental health services, the potential loss of records' privacy can be devastating.
Without preservation of stronger state mental health laws, this new rule would actually reduce or even jeopardize the privacy associated with mental health treatment in the many states that have enacted stronger laws regarding mental health records. By preserving stronger state laws, this rule will provide for a strong "floor" of mental health records protection and allow each state to continue to enact those laws that it deems are in the best interests of its citizenry.
Patient consent for use of records should be retained in the final rule and improved to ensure consent for health plan uses related to benefits administration.
We are pleased to see that HHS has included in the final rule the requirement that patients must consent to release of their records for purposes of "treatment, payment, and health care operations." While we had urged that a consent requirement be included in the final rule, we note that only health care providers and not health plans are required to request consent.
We understand that there are substantial barriers for health plans to obtain consent from patients. As the rule mentions, this is primarily so because, as primary administrators of care, health plans lack direct contact and only have an "indirect treatment relationship" with the patient. As we discussed at length in our comment to the proposed rule, however, the reason for the need for standards provided by this new rule are related to health plan and other third-party access to patient records.
Patients generally are not concerned with the use of their records by their treating providers, rather they are worried, and legitimately so, with the use of their records by entities with which they have little or no contact. Therefore, it is somewhat incongruous to place the onus of gaining patient consent on the treating health care professional for the many health plan administrative uses of the records that are provided in the broad categories of "treatment, payment, and health care operations," as provided in the rule.
At the same time, despite our urging and the urging of many other patient and provider advocates that HHS narrow the very broad definitions of "payment," "treatment," and "health care operations," the department has actually broadened these terms in the final rule. We view such expansion of these definitions as troubling, because it allows for many administrative uses of patient records without patient consent for health plan purposes that are not directly related to an individual patient's care.
Health insurance industry advocates have argued that expansive definitions of "payment, treatment, and health care operations" are warranted, since access to identifiable patient information helps them improve patient care in addition to plan administration. Indeed many managed health plan activities, such as on-going quality assessment and development of clinical and formulary guidelines, can improve patient care. However, these activities generally improve patient care in the aggregate and are not concerned with the direct provision of care to an individual patient. Therefore, an individual patient's privacy is substantially weakened or even lost when his or her individually identifiable information is shared for administrative purposes or for purposes that may benefit patients in general.
In comments provided to the proposed privacy rule, APA extensively discussed the problem of access by third parties to individually identifiable patient records and focused on the particular erosion of privacy related to health plan access to records for plan administration and payment activities. Our comments apply to the final rule, particularly in light of the expansion of health plan uses for purposes of "payment, treatment, and health care operations." Since already part of the regulatory record and for purposes of brevity, we refer HHS to our comments on the proposed rule for this discussion.
Since the final rule allows health plans broad access to patient records for "payment, treatment, and health care operations" purposes, the final rule should retain the patient consent requirement. Patient consent for release of records affords the patient some control over how his or her records will be used. While a patient cannot refuse consent and expect to receive treatment, a patient may determine, for example, that he or she would rather pay for particular services than to have records submitted for health plan purposes. Similarly, patient consent allows the opportunity for a psychologist or other provider to discuss with the patient the many ways in which the records will potentially be used by health plans for administrative, treatment and payment functions.
In addition to retaining the patient consent requirement, we ask that the Secretary provide for an additional consent requirement under which health plans would request patient consent for plan use of their records for administrative purposes not directly related to treatment. Many of these administrative functions are embedded in the "health care operations," "treatment," and "payment" definitions. These various administrative functions include: quality assessment and improvement activities, protocol development, clinical guidelines development, student training activities, and fraud abuse and detection programs.
APA will pursue improvements to the rule in the future, regarding provisions with particular impact on psychologists and their patients.
In our comment to the proposed rule, we had offered several specific suggestions to improve it, most of which were directly related to the protection of the privacy of mental health records. We were unable to persuade HHS of, or HHS disagreed with us regarding the need for some of these suggestions. We mention them briefly here and look forward to opportunities to address them for purposes of the rule in the future. These suggestions include and are related to:
 Appropriate standards for health plan administrative uses of records. As discussed above, we urge the consideration of a more limited health plan access to individually identifiable patient records for administrative and payment purposes not directly related to patient care.
 The disclosure of patient records without consent or authorization for purposes of averting a serious threat to health or safety to an individual or the public, as provided in 45 C.F.R. § 164.512(j). We continue to query whether this provision is drafted too broadly, because it permits any number of individuals in a covered entity to potentially disclose patient records based merely on a "good faith" belief of a threat of harm or to safety. Only licensed health care professionals should be making these determinations, and certainly, the patient’s treating mental health or other health care professional should be involved in these disclosure decisions.
 Psychological harm related to patient access to and inspection of records, as provided in 45 C.F.R. § 164.524. The final rule fails to recognize, as some states have recognized, that patients can be psychologically harmed if permitted to see sensitive information in their mental health records. We will continue to urge that the patient access and inspection provisions be amended to permit licensed mental health professionals to prevent such disclosure upon a determination that such disclosure could cause psychological harm to the patient.
As head of the Practice Organization of the APA, I assure the Secretary that practitioners in the psychological community have a deep interest in ensuring that the privacy protections of this rule will help preserve the privacy of patient records. This interest is on-going, and the Practice Organization would appreciate the opportunity in the future to assist the Secretary and HHS in improving the standards provided by this rule. For purposes of this comment, please contact Doug Walter, J.D., Legislative and Regulatory Counsel, Government Relations, at (202) 336-5889, if you have further questions.
The APA Science Directorate submitted comments regarding the impact of the proposed rule on psychological research. It is our understanding that some of the concerns raised by that directorate have not been addressed in the final rule. While we leave specific discussion of these changes to the Science Directorate, the Practice Organization urges that the final rule incorporate changes offered by that APA directorate.
Sincerely,
Russ Newman, PhD, JD
Executive Director for Professional Practice
