HIPAA training for mental health professionals should be more thorough than for other health care professionals due to the number of times mental health professionals may be required to make decisions about disclosing PHI based on their professional judgement.
Under §164.530(b) of the Privacy Rule, covered entities “must train all members of the workforce on the policies and procedures with respect to Protected Health Information required by [the Privacy Rule] and [the Breach Notification Rule] as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity”.
Unfortunately, the provision of training on policies and procedures may not be sufficient for mental health professionals to carry out their functions compliantly. Depending on the services provided – and how they are provided – mental health professionals may need to know the answers to questions not normally asked of other healthcare professionals. For example:
- May mental health professionals provide therapy to patients in a group setting where other patients and family members are present?
- Can a mental health professional refer a homeless patient to a social services agency when doing so may reveal that the basis for eligibility is related to mental health?
- When does HIPAA allow a mental health professional to notify an individual’s family that a patient has overdosed, e.g., because of opioid abuse?
- When does HIPAA allow a mental health professional to notify an individual’s family that a patient has been admitted for an involuntary psychiatric hold?
- How does HIPAA interact with the Part 2 rules for disclosing information about substance use disorder treatment in an emergency?
The answers to all these questions are “circumstance-specific” inasmuch as a patient may consent to PHI being disclosed if they are able to, or the decision to disclose – or withhold – PHI could be made by a personal representative or a mental health professional. It is for this reason HIPAA training should be more thorough for mental health professionals than for other health care professionals.
What Should HIPAA Training for Mental Health Professionals Consist Of?
The content of HIPAA training for mental health professionals should include basic information such when is personal information PHI and when is it not PHI, and more advanced training such as the difference between consent, implied consent, and authorization. It may also be necessary for mental health professionals to be aware of exclusions to the definition of psychotherapy notes.
Unfortunately, there is no one-size-fits all model of HIPAA training for any type of healthcare worker. For example, mental health professionals may work in diagnosis, therapy, treatment, research, or other roles in the field. Therefore, it is important that training is tailored to the functions of each mental health professionals and the challenges to HIPAA compliance they may encounter.
Because of the volume of HIPAA training for mental health professionals – in addition to ongoing medical training and awareness training – it is advisable not to pack everything HIPAA-related into one training session. HIPAA training for mental health professionals should be modular, with refresher HIPAA training provided on key areas of practice at least annually.
Mental health organizations, covered entities with mental health departments, and mental health professionals concerned about the nature of training that is appropriate – or that require advice about what HIPAA training should consist of – are advised to seek professional compliance advice.