Privacy Act Violations Overview

Questions and Answers

What does Zezulka say about informing victims?

Clinician doesn't have to inform the victim, just effectively treat.

What is required for reporting child abuse?

Report within 48 hours.

What is the reporting requirement for elder abuse?

Report immediately.

Only LPCs have an obligation to report violations; LMFTs do not.

True (A)

If there is a breach of less than 500 people, report within ______ days of the next calendar year.

60

What can happen if you violate privacy or security laws?

You can be fined, imprisoned, or a remediation plan may be developed.

The security rule only covers electronic transmission of information.

True (A)

How long should the disclosure of records and privacy practices be kept?

6 years.

What must a covered entity comply with under HIPAA and Privacy Standards?

Access, amendment, uses and disclosures of PHI, and notice of privacy practices.

What should be included in informed consent for telehealth?

Plan for if technology fails and risks and benefits of using the format.

What should you communicate if doing a forensic evaluation?

Results will be communicated to appropriate parties and disclose who is paying for evaluation.

What should be embedded in intake and consent forms regarding Chapter 611?

Use of PHI to collect fees may involve a collections agency.

What does Texas law say about requests for records?

TX says 15 days, can extend for 15.

A federal provision allows withholding of information from a client if it would pose ______.

physical harm

You must turn records over if a subpoena is signed by a judge.

True (A)

You don't have to turn records over for just a general subpoena.

True (A)

What are the duties and responsibilities regarding council investigations?

Must respond, cooperate, and inform clients about complaints.

When can non-therapeutic relationships occur?

2 years after therapy ends for former clients; 5 years for sexual contact.

How long must records be kept?

For a minimum of 7 years from date of termination or 5 years after client reaches age of majority.

When can you tell a parent no when they ask for a copy of the child's records? The answer is ______.

harm to the child or if they don't have parenting rights.

What should you do if a parent asks you to buy a raffle for their child's fundraiser?

Maintain therapeutic boundaries; do not participate.

What should you consider if a client owes you money but is in crisis?

Offer a few sessions to bridge the gap.

How long does a client have to file a complaint under HIPAA privacy rules?

180 days.

What do you do when a client expresses intent to harm themselves?

Create a safety plan and increase the number of sessions.

How long must you keep documents created/maintained under HIPAA?

6 years, but state rule is 7 years.

What do you do when a federal rule differs from a state rule?

Follow whichever is stricter.

Distance therapy via landline is covered by the HIPAA security rule.

False (B)

What should you do if a new client is communicating with their former therapist?

Understand the time limits for relationships and confidentiality.

A supervisor can have a social or romantic relationship with a former supervisee.

True (A)

What should you consider if a client accuses you of a crime?

Consider engaging a lawyer.

What must be reported if a client alleges sexual misconduct with a former therapist?

Report to the licensing board and district attorney.

It's okay to tell someone at a social function to call you for an appointment after they complain about their therapist.

False (B)

What are three potential consequences of violating the Privacy Act?

Administrative action taken by the HHS Office of Civil Rights; Civil penalties of no more than $100 per violation with a total amount during a calendar year not to exceed $25,000; Criminal penalties of 1-10 years in prison and fines up to $50,000.

What consequences can a counselor face under Chapter 181, 'Medical Records Privacy' of the Texas Health & Safety Code for privacy violations?

Sanctioning, probation, license suspension or revocation; Civil penalties of $3,000 per violation or up to $250,000.

Any person who believes that a covered entity is not complying with the Privacy Rule may file a complaint with the Office of Civil Rights (OCR) but must do so within 90 days of learning of the violation.

False (B)

OCR can conduct compliance reviews of your practice to ensure compliance with the Privacy Rule.

True (A)

A counselor who transmits protected health information (PHI) in electronic form is a 'Covered Entity' under both State and Federal privacy law.

True (A)

What is the definition of psychotherapy notes?

Any note recorded in any form by a mental health professional that covers content from conversation during a counseling session, not a progress note.

Who constitutes a business entity under HIPAA?

A mental health care worker providing care under someone or dealing with billing and notes; legal, actuarial, accounting, or consulting entities who are disclosed information on clients' financials and health.

The provisions of the HIPAA Privacy Rule will always preempt and supersede state privacy law.

False (B)

A covered entity must retain this documentation for six (6) years from the date of its creation or the date when it last was in effect, whichever is later.

True (A)

A covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI.

True (A)

A covered entity must have and apply appropriate sanctions against members of its workforce who fail to comply with the privacy policies of the covered entity.

True (A)

Explain the 'Scalability Rule'.

The covered entity must comply with the standard, implementation specifications, or other requirements of the Privacy Rule as enforced within its reasonably designed policies and procedures with respect to PHI.

List three permitted uses and disclosures of a person's PHI.

To the individual themself; for treatment, payment, or health care operations; when required by law.

Explain the minimum necessary rule.

When disclosing PHI, the healthcare professional must make a reasonable attempt to limit the information to only what is necessary to satisfy the purpose of the request.

A covered entity must document satisfactory assurances that a billing contractor for the practice associate will appropriately safeguard the PHI through a written contract.

True (A)

HIPAA provides that PHI for a minor client may be disclosed or withheld from parents pursuant to state law.

True (A)

A covered entity may require the individual to make a request for confidential communication in writing.

True (A)

A covered health care provider may not require an explanation from the individual as to the basis for the request as a condition of providing communications on a confidential basis.

True (A)

When is a covered entity not required to obtain an authorization for any use of psychotherapy notes? List 3.

Use or disclosure by the originator for treatment; use or disclosure by the covered entity to defend itself in a legal action; use or disclosure required by OCR to investigate or determine compliance.

A client who executes an authorization for his PHI does not have to state a specific purpose and can simply state 'at the request of the individual'.

True (A)

A covered entity may disclose PHI to a health oversight agency for oversight activities authorized by law.

True (A)

List three things from a client's PHI a covered entity may disclose in response to a law enforcement official's request.

Name, address and SSN; date and place of birth; ABO blood type and Rh factor.

A covered entity may disclose PHI to a coroner or medical examiner for the purpose of identifying a deceased person.

True (A)

A covered entity is obligated to disclose PHI if it believes the use is necessary to prevent a serious and imminent threat.

False (B)

Explain the 'minimum necessary rule'.

When disclosing PHI, the healthcare professional must limit the information to what is necessary for the purpose of the request.

A covered entity may deny an individual access to their records if access is likely to endanger life or physical safety.

True (A)

What can clients be charged when they request copies of their records?

$0.25 per page.

Describe the procedure when clients seek changes to their health care records.

The covered entity must allow individuals to request amendments to their PHI, which may require a written request and a reason to support it.

What is the retention period for records and documentation required by HIPAA?

6 years from the date of creation or when last in effect.

What is an accounting of disclosures of PHI?

Individuals have the right to receive an accounting of disclosures of PHI made by a covered entity in the 6 years prior.

Compliance with the Security Rules starts with a risk assessment.

True (A)

What is the difference between a required implementation specification and an addressable implementation specification?

The required implementation specification must be implemented; the addressable specification is not mandatory but must be implemented unless an alternative is reasonable and appropriate.

The Security Rule is intended to create a minimum level of security.

True (A)

What are four general security standards required of all covered entities?

Ensure confidentiality, integrity, and availability of electronic PHI; protect against anticipated threats; protect against unpermitted disclosures; ensure compliance by workforce.

In deciding on which security measures to use under the Scalability Rule, what factors must a covered entity take into account?

The size and complexity of the entity; the entity's technical infrastructure and capabilities; the cost of security measures; the probability and criticality of potential risks.

A covered entity must implement policies and procedures to limit physical access to its electronic information systems.

True (A)

For how long must a covered entity retain written records of its Security Standards actions?

6 years.

It is recommended that mental health professionals develop a security log or security manual.

True (A)

What does 'HITECH' stand for?

Health Information Technology for Economics and Clinical Health.

The HITECH Act strengthens enforcement of the HIPAA privacy rule.

True (A)

The term 'breach' under the HITECH Act means the unauthorized acquisition of PHI which compromises security.

True (A)

The HITECH Act gives individuals the right to receive an electronic copy of their PHI.

True (A)

In the event of a breach of unsecured PHI, the covered entity must notify individuals whose information has been accessed.

True (A)

If the breach involves PHI for fewer than 500 individuals, when must a report be filed with the Secretary of HHS?

Within 60 days and annually thereafter.

The HITECH Act defines unsecured PHI as information that is not secured through specified technology.

True (A)

What would you put into informed consent if doing telehealth that you wouldn't put in for face-to-face services?

List of procedures for technological failure; info about the platform or technology for virtual sessions.

What kind of communication is covered by HIPAA security rules?

Fax machine, paper, and traditional mechanisms.

If you find out someone is practicing LPC without a license, what do you do?

Report to Texas Behavioral Health Executive Council.

When a mental health professional has an ethical dilemma, who should they consult?

A mental health attorney.

What's the primary mission of the licensing board?

Protect the public and enforce ethics codes.

Why do mental health professionals keep records?

To protect themselves, ensure continuity of care, defend claims to insurance, and refresh memory.

Are you required to render a diagnosis when you treat every client?

False (B)

Who owns the client file?

The business owner.

Do you have an obligation if the owner is doing what's expected for maintenance and security of records?

True (A)

How long do you have to respond to a request for records by a client in Texas?

15 days.

What is the HIPAA privacy rule response period?

30 days except when state law requires a shorter response.

Is a parent always entitled to a complete release of a child's records?

False (B)

What if you're in a custody case and a judge asks which parent you think they should go for?

False (B)

How do you share records with others if something happens to you?

Identify a custodian for records and solidify that with a written agreement.

Mistake in documentation for a client, how do you fix it?

Put a line through it and date it, then make adjustments. If electronic, add an addendum.

What is the most common basis that mental health information is disclosed?

Plain consent.

What are penalties a licensing board can impose on you?

Fines; revoke license; advisory letters; publicly suspend; reprimands.

What does taking the Fifth Amendment mean?

Can't be called as a witness against oneself; right against self-incrimination.

What's the difference between privilege and confidentiality?

Privilege is a rule of exclusion in legal evidence; confidentiality pertains to the privacy of records.

Do you have liability if an employee accidentally disclosed info about a client to a third party?

True (A)

You provide counseling sessions to a married couple. One asks for copies of marital therapy records. What do you do?

Both clients must agree; without permission from one spouse, you must redact information.

If a client states they are going to kill someone, who do you inform?

Law enforcement and medical personnel, if necessary. Notify the intended victim only if stated in informed consent.

What does Tarasoff refer to?

The requirement that clinicians inform potential victims of threats (not applicable in TX).

Study Notes

Privacy Act Violations

• Violating the Privacy Act can lead to administrative actions by the HHS Office of Civil Rights.
• Maximum civil penalties are $100 per violation, up to $25,000 per calendar year.
• Criminal penalties range from 1-10 years in prison with fines up to $50,000 for egregious violations.

Texas Health & Safety Code (Chapter 181)

• Possible penalties for privacy violations include sanctions, probation, and license suspension or revocation.
• Civil penalties can reach $3,000 per violation, totaling up to $250,000.

Filing Complaints and Compliance

• Complaints about non-compliance with the Privacy Rule must be filed within 180 days of discovering the violation.
• The OCR can conduct compliance reviews to ensure adherence to the Privacy Rule.

Covered Entities and Protected Health Information (PHI)

• Counselors transmitting PHI electronically are considered "Covered Entities" under both federal and state laws.
• Psychotherapy notes are distinct from progress notes and include content from counseling conversations.

Business Entities Under HIPAA

• A business entity can be a mental health worker providing care or billing services, or professionals dealing with client financial and health information.

Interaction of HIPAA with State Laws

• State privacy laws are not automatically superseded by HIPAA regulations.

Document Retention and Safeguards

• Covered entities must retain documentation for six years from the creation date or last effective date.
• Must implement administrative, technical, and physical safeguards for protecting PHI privacy.

Minimum Necessary Rule and Disclosures

• When disclosing PHI, only the minimum necessary information should be shared to fulfill the request.
• Common permitted uses of PHI include personal access, treatment, payment processes, and legal requirements.

Business Associate Contracts

• Covered entities must secure assurances from business associates regarding the safeguarding of PHI through written agreements.

Rights of Minors and Confidentiality

• The discretion to disclose PHI concerning minor clients may be guided by state laws.

Breach Notification and HITECH Act

• The HITECH Act mandates notifying individuals of unsecured PHI breaches.
• Defines a "breach" as unauthorized use or disclosure of PHI compromising security and privacy.

Security Standards & Compliance

• Organizations should continually assess risks and establish electronic PHI security measures.
• Covered entities should maintain records of security actions for six years.

Ethical Considerations in Mental Health Practice

• Counselors should document procedures for technological failures during telehealth sessions.
• They must maintain appropriate records for legal proceedings and client continuity of care.

Client Access and Record Keeping

• Rights related to client PHI access include written request procedures.
• Professional records should be maintained for a minimum of six years to ensure legal and ethical compliance.

Reporting Obligations

• Clinicians must report suspected child abuse within 48 hours and elder abuse immediately.
• There are specific guidelines regarding consent and disclosure when handling married clients.

Mental Health Ethics and Liability

• Legal right to confidentiality differs from privilege, which can be excluded in legal contexts.
• Counselors can be held liable for their employees' accidental disclosures if adequate training was not provided.

Consequences of Violating Privacy Laws

• Violation consequences include federal fines and potential prison time for serious infractions while licensing boards can revoke licenses based on complaints.

Record Sharing and Documentation Corrections

• A formalized plan must be in place for record accessibility in cases of the counselor's incapacity.
• Corrections in documentation should be made transparently, maintaining clear records of alterations.### Informed Consent for Telehealth
• Essential to have a plan for potential technology failures.
• Clearly outline the risks and benefits associated with the telehealth format.

Forensic Evaluation Communication

• Inform clients that assessment results will be shared with relevant parties.
• Advise clients that findings may not support their plea.
• Disclose the funding source for the evaluation.

Use of PHI for Fee Collection

• Chapter 611 allows using PHI to collect fees; collections agencies can be employed.
• Embed this information in intake and consent forms.
• Recommended to avoid sending bills to collections; allow debts to go.

Request for Records

• Texas law mandates a 15-day response timeframe, extendable by 15 days.
• HIPAA allows 30 days, extendable by 30 days; adhere to Texas laws, which are stricter.
• Charging for electronic records capped at $6.50; no search fees allowed.
• Compliance with requests for paper or electronic copies should not impose unreasonable burden.

Withholding Client Information

• Federal law permits withholding information if revealing it poses physical harm.
• Texas law enables withholding records that could cause reasonable emotional distress.
• Documentation of withheld records must include the date, reason, and means to file complaints.

Subpoenas and Record Disclosure

• Records must be provided if a subpoena is signed by a judge.
• General subpoenas do not necessitate turning over records.

Duties and Responsibilities

• Mandatory cooperation with council investigations.
• Clients must be informed about complaint filing procedures included in documentation.
• Required to display the complaint process prominently in the office and website.

Non-Therapeutic Relationships

• Engaging in non-therapeutic relationships with former clients is restricted to specific timeframes.
• Sexual contact permitted five years post-therapy if consensual and non-exploitative.

Record Retention Policy

• Retain records for at least seven years post-termination or five years after a client reaches the age of majority.
• If records are maintained by another agency, retention requirements may differ.

Parental Access to Child's Records

• May deny a parent access to a child's records if it could harm the child or if parenting rights are not established.

Maintaining Therapeutic Boundaries

• Counselors must uphold therapeutic boundaries, as engaging in fundraising activities outside therapy is prohibited.

Client Debt and Services

• Sending a client to collections without prior agreement in informed consent is not advisable.
• In vulnerable situations, offering sessions despite unpaid fees may be necessary to avoid abandonment.

Filing Complaints Under HIPAA

• Clients have a 180-day window to file complaints regarding privacy rule violations.

Risk of Client Self-Harm

• If a client exhibits suicidal tendencies, implement a safety plan while maintaining regular therapy sessions.
• Higher-level care may be recommended.

Document Maintenance Requirements

• Required to maintain documents relevant to HIPAA for six years; state laws may extend this to seven years.

Discrepancies Between Federal and State Law

• Adhere to the stricter of the two regulations.

Telehealth and HIPAA Security

• Distance therapy via landline is not covered under HIPAA if it is not considered electronic communication.

Former Therapist Interaction

• Counselors have an extended period (2-5 years) relating to relationships with former clients, differing by professional licensing.
• Confidentiality from the client takes precedence over reporting unless required by mandated reporting statutes.

Supervisor/Supervisee Relationships

• Social or romantic relationships between supervisors and former supervisees are not strictly prohibited.

Addressing Accusations Against Counselors

• Legal counsel should be considered if facing accusations of criminal activity or ethical concerns.
• A cease-and-desist letter may be warranted if threatened with a lawsuit.

Reports of Past Client Interactions

• Counselors must report allegations of sexual misconduct within a mandated timeframe based on licensing parameters.

Client Recruitment Ethics

• Counselors cannot solicit clients who are currently receiving therapy from another practitioner.

Description

This quiz covers the key aspects of Privacy Act violations, including penalties and administrative actions under the HHS Office of Civil Rights. It also addresses the Texas Health & Safety Code regarding privacy violations and the requirements for filing complaints. Test your knowledge on the regulations surrounding covered entities and protected health information (PHI).