Southeast Institute

Privacy Rights

Main Menu

• Home
• The Institute
• The Director
• Other Resident Faculty
• Calendar of Events
• Training Approaches
    & Clinical Services
• Transactional Analysis
• Redecision Therapy
• EMDR
• NC EMDR Networking
• Energy Psychology
• Books and Videos
• Dr. Peterson's Intake
• Privacy Rights
• Directions to
    the Institute

Patient Notification of Privacy Rights
Health Insurance Portability and Accountability Act (HIPAA)
Federal Medical Privacy Rule: 45 CFR 164

This document describes how your mental health records may be used and disclosed and how you can get access to this information. Please read it carefully.

I. Introduction

Licensing laws provides extremely strong privileged communication protections for conversations between your therapist and you in the context of your established professional relationship with your therapist. There is a difference between privileged conversations and documentation in your mental health records. Records are kept documenting your care as required by law, professional standards, and other review procedures. HIPAA very clearly defines what kind of information is to be included in your "designated medical record" as well as some material, known as "psychotherapy notes" which is not accessible to insurance companies and other third party reviewers and in some cases, not to the patient himself/herself.

HIPAA provides privacy protections about your personal health information, which is designated as "protected health information" (PHI). PHI consists of three (3) components: treatment, payment and health care operations.

Treatment refers to activities in which I provide, coordinate, or manage your mental health care or other services related to your mental health care. Examples include a psychotherapy session, psychological testing, or talking to your primary care physician about your medication or overall medical condition or to your psychotherapist to coordinate treatment.

Payment is when I obtain reimbursement for your care. An example of this would be if we filed insurance on your behalf to help pay for some of the costs of the services provided to you.

Health care operations are activities related to the performance of my practice such as quality assurance. In mental health care, an example of health care operations is when utilization review occurs, a process in which your insurance company reviews our work together to see if your care is "medically necessary."

The use of your protected health information refers to activities the office conducts for filing your claims, scheduling appointments, keeping records and other tasks within the office related to your care. Disclosures refer to activities you authorize which occur outside the office such as the sending of your protected health information to other parties (such as your primary care physician or the school your child attends).

II. Uses and Disclosures of Protected Health Information (PHI) Requiring Authorization

North Carolina requires authorization and consent for treatment, payment and healthcare operations. HIPAA does nothing to change this requirement by law in North Carolina. I may disclose PHI for the purposes of treatment, payment and healthcare operations with your consent. You have signed this general consent to care and authorization to conduct payment and health care operations, authorizing me to provide treatment and to conduct administrative steps associated with your care (such as filing insurance, if indicated).

Additionally, if you ever want me to send any of your protected health information of any kind to anyone outside my office, you will always first sign a specific authorization to release information to this outside party. A copy of that authorization form is available upon request. The requirement of you signing an additional authorization form is an added protection to help insure your protected health information is kept strictly confidential. An example of this type of release of information might be your request that I talk to your child's schoolteacher about his/her ADHD condition and what this teacher might do to be of help to your child. Before I talk to that teacher, you will need to have first signed the proper authorization for me to do so.

There is a third, special authorization provision potentially relevant to the privacy of your records: my psychotherapy notes. In recognition of the importance of the confidentiality of conversations between a clinician and patient in treatment settings, HIPAA permits keeping separate "psychotherapy notes" separate from the overall "designated medical record." Insurance companies cannot secure "Psychotherapy notes" nor can they insist upon their release for payment of services as has unfortunately occurred over the last two decades of managed mental health care. "Psychotherapy notes" are my notes recorded in any medium by a mental health provider documenting and analyzing the contents of a conversation during a private, group or joint family counseling session and that separated from the rest of the individual's medical record. "Psychotherapy notes" are necessarily more private and contain much more personal information about you--hence, the need for increased security of the notes.

"Psychotherapy notes" are not the same as your "progress notes" which provide the following information about your care each time you have an appointment at my office: medication prescriptions and monitoring, assessment/treatment start and stop times, the modalities of care, frequency of treatment furnished, results of clinical tests, and any summary of your diagnosis, functional status, treatment plan, symptoms, prognosis and progress to date.

Certain payers of care, such as Medicare and Workers Compensation, require the release of both your progress notes and the psychotherapy notes in order to pay for your care. If I am required to submit your psychotherapy notes in addition to your progress notes for reimbursement for services rendered, I will ask that you sign an additional authorization directing me to release my psychotherapy notes. Most of the time I will be able to limit reviews of your protected health information to only your "designated record set" which includes the following: all identifying paperwork you completed when you first started your care here, all billing information, a summary of our first appointment, your mental status examination, your individualized, comprehensive treatment plan, your discharge summary, progress notes, reviews of your care by managed care companies, results of psychological testing, and any authorization letters or summarizes of care you have authorized me to release on your behalf. Please note that the actual test questions or raw data of psychological tests, which are protected by copyright laws and the need to protect patients from unintended, potentially harmful use, are not part of your "designated mental health record."

You may, in writing, revoke all authorizations to disclosure protected health information at any time. You cannot revoke an authorization for an activity already done that you instructed me to do nor if the authorization was obtained as a condition for obtaining insurance and North Carolina law provides the insurer the right to contest the claim under the policy.

III. Business Associates Disclosures

HIPAA requires that clinicians work with, train and monitor the conduct of those performing ancillary administrative services supporting clinical practice and refers to these people as "business associates." In my practice, "business associates" includes secretaries who provide services such as typing, making phone calls, and filing insurance claims -all activities which bring them into some measure of contact with your protected health information. The clerical staff does not have access to those sections of your designated medical record that contains the particulars of your mental health concerns; only I have access to your full-designated mental health record. I have separated your administrative and clinical records in an attempt to further enhance your privacy. The only other "business associate" in my office is the cleaning person. In compliance with HIPAA, there is a formal contract with this business associate, that very clearly spells out to her the importance of her protecting any mental health information as an absolute condition for employment. She is educated about the privacy practices, monitored in her compliance, and corrected if any errors occur.

IV. Uses and Disclosures Neither Requiring Consent Nor Authorization

The law may require release of protected health information without your consent or authorization in the following circumstances:

• Child abuse;
• Suspected sexual abuse of a child;
• Adult and domestic abuse;
• Health oversight activities (i.e., the state licensing board in North Carolina);
• Judicial or administrative proceedings (i.e., if you are ordered here by the court for an independent child custody evaluation in a divorce);
• Serious threat to health or safety (i.e. our "duty to warn" law, national security threats);
• Workers Compensation Claims (If you seek to have your care reimbursed under Workers Compensation, all of your care is automatically subject to review by your employer and/or insurer(s)).

I never release any identifiable information of any sort for marketing purposes.

V. Patient's Rights and Clinician Duties

You have a right to the following:

1. The right to request restrictions on certain uses and disclosures of your protected health information which I may or may not agree to but if I do, such restrictions shall apply unless our agreement is changed in writing.
2. The right to receive confidential communications by alternative means and at alternative locations. For example, you may not want your bills sent to your home address so I will send them to another location of your choosing.
3. The right to inspect and copy your protected health information in my designated mental health record set and any billing records for as long as protected health information is maintained in the record.
4. The right to amend material in your protected health information, although I may deny an improper request and/or respond to any amendment(s) you make to your record of care.
5. The right to an accounting of non-authorized disclosures of your protected health information.
6. The right to a paper copy of notices/information from me, even if you have previously requested electronic transmission of notices/information.
7. The right to revoke your authorization of your protected health information except to the extent that action has already been taken.

For more information on how to exercise each of these aforementioned rights, please do not hesitate to ask for further assistance on these matters. I am required by law to maintain the privacy of your protected health information and to provide you with a notice of your Privacy Rights and my duties regarding your PHI. I reserve the right to change my privacy policies and practices as needed with these current designated practices being applicable unless you receive a revision of my policies when you come for your future appointment(s). My duties as a clinician on these matters include maintaining the privacy of your protected health information, to provide you this notice of your rights and my privacy practices with respect to your PHI, and to abide by the terms of this notice unless it is changed and you are so notified. If for some reason you desire a copy of the internal policies for executing privacy practices, please let me know and I will get you a copy of these documents I keep on file for auditing purposes.

VI. Complaints

At SEI, Vann Joines, Ph.D. is the appointed "Privacy Officer" for practice per HIPAA regulations. If you have any concerns of any sort that the office may have somehow compromised your privacy rights, please do not hesitate to speak to Dr. Joines immediately about this matter. You will always find him willing to talk to you about preserving the privacy of your protected mental health information. You may also send a written compliant to the Secretary of the U.S. Department of Health and Human Services.

The Federal Medical Privacy Rule went into effect April 14, 2003 and will remain so until new notice provisions effective for all protected health information are enacted.