DEFINITION: Confidentiality is the right of a patient to have personal communications spoken or written in confidence protected against disclosure to outside parties without expressed informed consent.

PRIVILEGE: (more accurately "testimonial privilege"; derived from the right to confidentiality) A statutorily created rule of evidence that permits the holder of the privilege (e.g. client/patient) the right to prevent the person to whom confidential information is given (e.g. mental health professional) from disclosing it, especially in a judicial setting.

HIPPOCRATIC OATH: "Whatsoever things I see or hear concerning the life of man, in any attendance on the sick or even part therefrom, which ought not to be voiced about, I will keep silent thereon."

HISTORY / LEGAL BACKGROUND: Foundations

1. State laws recognizing the right of protection in licensing laws and confidentiality and privilege statues,
2. ethical codes of various mental health professions,
3. common law which recognizes attorney-client privilege and which has been extended to privilege between a client and his/her psychotherapist.
4. Constitutional rights to privacy.

RIGHTS OF CLIENTS: Information shared in a professional relationship belongs legally to the client and only to the client. Likewise, the right to release the information to an outside party belongs to the client. Thus, the therapist has no right to release the information without informed consent, and furthermore, is obliged by ethics and the law to abide by and protect the client's right to confidentiality. There are certain exceptions to this that are spelled out in the 1996 Federal Law, The Health Insurance Portability and Accountability Act, referred to as HIPAA.

The HIPAA Privacy Act is intended to protect the privacy of individually identifiable health information and to protect the rights of individuals who are the subject of the information. It outlines those rights, the procedures for the exercise of those rights, and the authorized and required uses of this information.

The HIPAA Privacy Rule for the first time creates national standards to protect the individuals' medical records and other personal health information.

• It gives patients more control over their health information.
• It sets boundaries on the use and release of health records.
• It establishes appropriate safeguards that health care providers and others must achieve to protect the privacy of health information.
• It holds violators accountable, with civil and criminal penalties that can be imposed if they violate patients' privacy rights.
• And it strikes a balance when public responsibility supports disclosure of some forms of data -- for example, to protect public health.
• It enables patients to find out how their information may be used, and about certain disclosures of their information that have been made.
• It generally limits release of information to the minimum reasonably needed for the purpose of the disclosure.
• It generally gives patients the right to examine and obtain a copy of their own health records and request corrections.
• It empowers individuals to control certain uses and disclosures of their health information.

For the average health care provider or health plan, the Privacy Rule requires activities, such as:

• Notifying patients about their privacy rights and how their information can be used.
• Adopting and implementing privacy procedures for its practice, hospital, or plan.
• Training employees so that they understand the privacy procedures.
• Designating an individual (HIPAA Privacy Officer) to be responsible for seeing that the privacy procedures are adopted and followed.
• Securing patient records containing individually identifiable health information so that they are not readily available to those who do not need them.

Disclosures without Client Permission: No permission from the client is required to disclose Public Health Information (PHI) in twelve specific circumstances. In most of these cases, the Privacy Rule outlines conditions of disclosure that must be satisfied in order to make the disclosure without an authorization. The twelve circumstances are:

1. when the use or disclosure is required by law (but only if the use or disclosure complies with and is limited to the relevant requirements of such law);
2. for public health activities to a public health authority, including a government agency authorized to receive reports of child abuse and, for certain purposes, the Unites States Food and Drug Administration;
3. for disclosures about a client whom the provider reasonably believes to be a victim of abuse, neglect, or domestic violence (but, for other than child abuse, only if (i) the client agrees to the disclosure or (ii) the disclosure is expressly authorized by law and the provider believes that disclosure is necessary to prevent serious harm to the individual or other potential victims);
4. to a health oversight agency for health oversight activities including audits; civil, administrative, or criminal proceedings or actions, or other activities necessary for appropriate oversight of (i) the health care system, (ii) certain government benefit programs, (iii) entities subject to government regulatory programs, or (iv) entities subject to civil rights laws;
5. for judicial and administrative proceedings in response to (i) court orders or (ii) subpoenas, discovery request, or other lawful processes that are not accompanied by a court order (but only if the provider receives satisfactory assurances that reasonable efforts have been made (i) to ensure that the client who is the subject of the PHI has been given notice of the request or (ii) to secure a qualified protective order);
6. for law enforcement purposes to a law enforcement official (but only if (i) required by law or by certain civil, administrative, or criminal processes; (ii) for identification and location purposes with respect to certain limited information; or (iii) to report information about a client who is suspected to be a victim of a crime);
7. for purposes of identifying a deceased person, determining a cause of death, or performing other legal duties of a coroner or medical examiner;
8. for cadaveric organ, eye, or tissue donation purposes;
9. for research purposes (but subject to numerous conditions regarding waiver of authorization under federal law and review of the research project by an Institutional Review Board or similar privacy board);
10. for purposes of preventing or lessening a serious and imminent threat to the health or safety of a person or the public (but the disclosure must be to a person able to prevent or lessen the threat) or for purposes of permitting law enforcement authorities to identify or apprehend a client who has admitted participation in a violent crime resulting in physical harm to the victim or who has escaped from a correctional institution or other lawful custody;
11. for specialized governmental functions, such as military or veterans' activities or national security and intelligence activities; and
12. for compliance with workers' compensations laws (but only as authorized by and to the extent necessary to comply witch such laws).

NOTIFICATION TO CLIENTS OF RIGHTS: Under Oklahoma law, the Rules and Regulations of the Department of Mental Health, and the requirements of HIPAA Act, every client of the Edwin Fair Mental Health Center, Inc., must be informed of her/his right to confidentiality. This is done three ways:

1. Inclusion of notification in the "Client Bill of Rights" distributed to all clients at the time they become clients.
2. By the therapist in the therapy sessions and by providing clients with the Notice of Privacy Practices.
3. Implied and insured in writing in our Consent to Release Information".

NEED TO DISCUSS RIGHTS / LIMITS WITH CLIENTS AHEAD OF TIME: Often our clients are in distress when they come into the Clinic and do not take the time to read the "Client Bill of Rights". They may also lack the ability to read or understand the full meaning of their rights to confidentiality. Therefore, they may reveal information to us in therapy that is sensitive and personal and that warrants and / or requires protection against undo release. It is our responsibility, therefore, to insure that our clients understand their rights to confidentiality before they release such information to us. Only in this way can we fully insure that our client's rights to confidentiality are not violated and that we do not put ourselves in the position of having to violate our client's wishes. Such actions would only serve to harm the therapeutic relationship and possible lead to lawsuits for unethical or illegal behavior.

CHART / FILE / DESIGNATED RECORD SET: (These words may be used interchangeably) For the purpose of this presentation, the word "file", "chart", or "designated record set" includes all information given to any staff member by a client (e.g. income information, clinical data, payment information, fee slips, and any verbal information) whether it is stored physically (such as on paper), electronically, or in any other manner. This includes information given to any staff member (e.g. secretary, therapist, administrator, etc.) in written or verbal form or otherwise observed. Such information includes information given formally in scheduled sessions as well as information given informally such as in conversation on the phone or in the halls. Be especially careful of information that you might know about the client before they become a client (Ponca, Pawhuska, and Stillwater are small towns). This information, once it becomes a part of the client's chart or file, should be handled as privileged (it may be hard to prove in a court of law that you did not gain this information from the client in the Center). In addition, information that is known about a client but is not physically documented is also privileged.

ACCESS TO FILES LIMITED: Access to files is limited to persons with a clear need to access information in the file or to place information in the file. You are to discipline yourself from reading any part of the file that you have no need to see. Violation of this principle is unethical and illegal and is a HIPAA violation.

PHYSICAL RECORD - PROPERTY OF CLINIC / CONTENT - PROPERTY OF CLIENT: The information in the chart belongs to the client and the client alone. However, the chart (paper, computer data, etc.) belongs to the Center since it constitutes the documentation of the process of therapy. Therefore, when a client requests that we release information from the chart, we typically release only copies of the chart, keeping the originals in the file (thus, we release the information but not the physical charting).

CHART - LEGAL RECORD: The chart is a legal record of the process of therapy and can be used for such legal purposes as collections, defense against lawsuits, evidence in court, etc. It is always prudent to keep this fact in mind when recording information in the chart. Remember, the client has the right to reveal the information in court (it belongs to her / him). You may be required to defend the information in court. Or, even worse, you may have to defend yourself against charges brought by a client or a third party using only information recorded in the file. A chart that correctly records all of the relevant information can be a big help in court for our clients and for us. A record that is in error or that does not contain vital information cannot be a help to you even if your work was appropriate and complete.

CORRECTION OF CHARTS: Never correct a chart with whiteout, erasures, etc. Instead, in the case of minor errors (such as misspelled words) mark through the error and write "error" above the word then initial and date the error and continue with the correct wording. If a major error is found in a chart, write a separate note explaining the error and the circumstances of the error as well as the correct information. Never change a chart entry after a record is requested/subpoenaed by the court.

RESPONSIBILITY FOR RECORDS - PHYSICAL / CONFIDENTIALITY: Responsibility for the completeness of the record ultimately resides with the person/persons providing the service (presentation of the Client Bill of Rights, recording of therapy notes or treatment plans, documentation of payment, recording of releases, etc.) Since the entire Edwin Fair staff participates in the compilation of client records, it is the responsibility of each team member to insure that the parts for which they are responsible are recorded accurately and promptly. We all need to help each other. It is also the responsibility of each person who has contact with the chart in any way as well as the administration to participate in it's safeguarding.

SUPERVISION - CLINICAL ADMINISTRATIVE: Policies and procedures concerning the proper way to handle confidential client information are listed in the Edwin Fair Policy and Procedure Manual. Every Edwin Fair staff member should consult with her/his supervisor to clarify any questions as to the proper way to handle confidential client information that are not clarified in the Policy and Procedures Manual.

STORAGE OF RECORDS: All records are to be kept in the Center at all times. When not in the direct possession of a staff member with need for the chart, they should be in the file room under lock and key. When checked out, the person checking the chart out should legibly fill out and leave a check-out card in the file so that the file can be located at all times. Edwin Fair Policies and Procedures require prompt location and maintenance of records in the area in which the client is being treated. All records are to be secured in locked storage each evening. All client records are to be maintained and stored indefinitely or until the record has been reviewed and meets the criteria for chart destruction. The Chief Administrative Officer is responsible for the storage of all records. In the rare case that a chart must leave the clinic (such as when a chart is subpoenaed to court or when there is a need to transport the file to another location for treatment needs) the chart should be properly checked out, those that might have a need for the chart need to be informed, and the chart needs to be transported in a secure manner with the appropriate staff member having them in their direct possession and control at all times.

GENERAL PRINCIPLES FOR RELEASE OF RECORDS:

Release only for/by client or court order (note exceptions discussed below).

Release only what is necessary (write summary letter if necessary).

Release only with informed consent. (The client should know and understand the specific information to be released, the specific purpose for the release, the person / agency to which it is released, and any possible negative or positive consequences of the release of the information).

HIPAA allows the client to restrict the disclosure of confidential information and forms are available for those requests. The client also has a right to an accounting of all disclosures that have been made of their protected health information (PHI). There are forms available for that procedure as well.

HIPAA also permits a provider to disclose PHI to another health care provider for treatment purposes; for example, a provider may send clinical records to another health care provider to whom the provider has referred the client. However, keep in mind that the provider also needs to comply with more stringent state law--so it is important to consult a state preemption analysis before deciding that PHI may be freely exchanged for all of these purposes.

The Privacy Rule empowers individuals to control certain uses and disclosures of their health information. As a general rule, health providers and health plans cannot use or disclose PHI without a valid authorization from the client. Of course, this rule does not apply to disclosures of PHI permitted for treatment, payment, and health care operations. It also does not apply to certain disclosures that may be made with the express agreement of the client. Also, it does not apply to twelve categories of disclosures that may be made without any permission of the client. (See page 2).

Document the client's permission to release the information, to whom the information was released, when it was released (date and time), and under whose direction the information was released should be recorded in the chart. The "accounting of disclosures of confidential information" is only those situations in which the client isn't required to give permission.

CONSENT FOR RELEASE: A proper consent to release confidential records should include:

• Who is to disclose the information
• Name of the person or organization to whom the disclosure will be made (with address)
• Purpose for disclosure
• What information will be disclosed (be specific)
• Name, birthday, and, if possible, the social security number of the person about whom the information will be disclosed
• Statement that the consent may be withdrawn at any time except to the extent that authorized disclosure has already been made
• Date upon which the consent expires if it is not withdrawn
• Signature of the patient (or appropriate person)
• Date of signature
• Witness' signature

AUTHORIZATION: Who can authorize the release of confidential information?

• Adults of legal age.
• Minors - Parent with custody (sole or joint), legal guardian (appointed by court) - it is often a good idea, legally, to have an older adolescent sign the release in addition to having the parent or guardian sign.
• Incompetent - Legal guardian (make sure there has been a court order declaring the incompetency of the client and stating that the person requesting/authorizing the release of information is the legally appointed guardian - put a copy of the court order in the file). It is best to have the client and the guardian sign. If a legal guardian is not available, consult with your supervisor. It may be necessary to obtain the services of an attorney to clarify the issues. A court order may be necessary to authorize release.
• Handicapped - Blind / Deaf / Mute / Illiterate - Handicapped clients who retain their own legal rights can sign a consent form themselves. However, we are bound to insure informed consent. It will often be advisable or necessary to utilize a trained interpreter. When in doubt, seek legal advice through your supervisor.
• Mentally handicapped - Can sign for themselves if they retain legal rights of guardianship for themselves. It is often best to also have a close family member sign also to insure informed consent. A legal guardian should sign if the client has been found incompetent and a guardian has been appointed.
• Blanket Releases - So called "blanket releases" (such as releases to unspecified persons or to "any medical professional or facility", or releases that simply specify "any and all information" or that do not specifically state that the records to be released include psychiatric records) should not be honored. The same is true for photocopies of faxes of releases. The client should be contacted and told that we are in receipt of a release and that the release is inadequate. If the client desires that the information be released, a consent form should be completed and signed by the client in person or through the mail.

DURATION OF CONSENT: A release cannot be open-ended since such a release cannot guarantee informed consent. The client must specify the time frame in which the release will be valid. The client can, however, withdraw her / his consent at any time. The duration of a consent cannot be longer than one year.

RE-DISCLOSURE: Once information has become a part of a designated record set, that information becomes available for the client to review and exercise their right to secure a copy of such. In addition, if records are requested by an outside party, all documents in the designated record set are subject to disclosure. Prior to HIPAA, re-disclosure was considered unethical. HIPAA has redefined that practice. At times, a client record may contain older portions of a medical record that were created by another / previous provider. HIPAA Privacy Rule permits a provider who is a covered entity to disclose a complete medical record even though portions of the record were created by other providers.

STAMP: All confidential information released by the Center must bear a stamp. Information that does not include drug and alcohol treatment related information should be stamped with the following notice:

"This information has been disclosed to you from records whose confidentiality is protected by Federal Law. Federal regulations prohibit you from making any further disclosure of it without the specific written consent of the person to whom it pertains, or as otherwise permitted by such regulation. A general authorization for the release of medical or other information is NOT sufficient for this purpose."

DOCUMENTATION OF RELEASE OF RECORDS IN CLIENT'S CHART: All releases of confidential records should be documented in the chart by the person releasing the information. Documentation should include the name of the client, the specific information that was released, the time and date that the information was released, the person authorizing the release, the person or agency receiving the information, the method of transfer (electronic, fax, mail, etc) and be accompanied by the consent (or court order) authorizing the release.

DRUG / ALCOHOL RECORDS: Laws - Federal regulations (laws) covering any information about drug and/or alcohol patients obtained by any alcohol or drug program which receives any form of Federal assistance (including Edwin Fair), protect the privacy of any client treated by the program "to insure that an alcohol or drug abuse patient in a federally assisted alcohol or drug abuse program is not made more vulnerable by the reason of the availability of his or her patient record than an individual who has a drug or alcohol problem and who does not seek treatment". To conform with these laws (Regulations 42 CFR part 2) we must have any client who has a drug or alcohol problem and who requests that any part of her/his records be released, fill out the portion of the consent form that relates to the release of drug and alcohol records including the dates that the services were provided. This procedure documents informed consent.

Requirements / stamp - All information released that related to the treatment of clients with drug and or alcohol problems must be stamped with the following information:

"This information has been disclosed to you from records protected by Federal confidentiality rules (42 CFR Part 2). The Federal rules prohibit you from making any further disclosure of this information unless further disclosure is expressly permitted by the written consent of the person to whom it pertains or is otherwise permitted by 42 CFR Part 2. A general authorization for release of medical or other information is NOT sufficient for this purpose. The Federal rules restrict any use of the information to criminally investigate or prosecute any alcohol or drug abuse patient."

Violations of the federal regulations are punishable by fines of up to $500.00 for the first offense and up to $5,000.00 for each subsequent offense.

"IN-HOUSE" CONSULTATION: "In-house" consultation between persons directly involved in the case do not require written consent. However, only persons with the need to know should be given access to confidential information. In any case, only information necessary for the consultation should be shared. It is advisable to withhold or change the name of the client and to delete or disguise any identifying information in order to protect the client's privacy. When extensive consultation is undertaken, it is advisable to inform the client of the need for the consultation, the person with whom you are consulting, and the information to be shared as well as to get their written consent to share the information. This is especially advisable when information is to be shared between programs or with supervisors.

CLIENTS SEEN BY STUDENTS OR OTHER CLINICALLY SUPERVISED THERAPISTS: When a client's therapy is closely supervised by a clinician other than their therapist, such as in a situation where a student provides the direct service, the client retains the right to be so informed and to consent or refuse to the treatment situation. They have the right to be informed of the degree and nature of the supervision, the amount of information being released, and the identity of the supervisor. The fact that the client was so informed and that they consented should be documented in writing, signed by the client, and placed in the chart.

EMERGENCY SITUATIONS - CRISIS / E.D.s: In the case of bona fide emergencies (such as the need to provide imminently needed medical treatment for a condition which poses an immediate threat to the health of any individual) patient identifying information, the nature of the emergency, information for procuring the necessary services, and information for appropriate treatment planning may be disclosed to persons with a clear need to know. It is important to release only the information necessary to meet the emergency. HIPAA allows such disclosures without securing permission from the client. True emergency calls that come to us through Help Line fall in this category.

EVALUATIONS: When an evaluation is court ordered, the client should be informed prior to the initiation of the evaluation that any information shared may be included in the report and shared with the court. The evaluator is responsible for explaining the evaluative nature of their relationship to the client and insuring that the client appreciates the differences between the evaluative nature of the relationship and what they might ordinarily expect in a therapeutic relationship, specifically as it applies to confidentiality and self-incrimination. If the client does not fully appreciate the differences, the evaluation should not proceed. In such a case, the issues should be discussed with the client's guardian, or if the client is a competent adult, the client should be referred to consult their legal counsel.

Evaluations, even those ordered by the court, should include only information necessary for the purposes of the evaluation. Therefore, we should always be sure to clarify and specify the referral questions when an evaluation is requested. In any case, the client should be allowed to know what information is in the report and helped to understand any information that is confusing to him / her. Unless the evaluation is court ordered, the client has the right to refuse to allow the information in a report about her/himself to be released. The need for informed consent, therefore, requires that the client should review the completed report prior to signing the consent for release.

When evaluations (non court-ordered) are performed on minor or persons who have been found incompetent by the court, the guardian of the client should be allowed to review the completed report and to give or refuse permission for release. When doing evaluations, it is incumbent upon the evaluator to the evaluation and that the privacy of those persons is protected as far as possible (use first names only, use words that describe relationships (friend, employer, etc.) rather than names, etc.).

BUSINESS ASSOCIATE AGREEMENTS: A business associate is an organization or person other than a member of the Edwin Fair CMHC workforce who receives Protected Health Information (PHI) from our agency and provides services to or on behalf of the agency such as an accountant, billing services, or lawyer.

PHI may be disclosed to a business associate. However, our agency will need to obtain satisfactory assurance in the form of a written contract that the business associate will appropriately safeguard the information. A business associate contract must clearly establish what is permitted and required regarding use and disclosure of records. Subcontractors must also agree to all the contract's conditions and restrictions. In effect, the agency will need to contractually obligate the business associate to follow all the HIPAA compliance requirements the agency is required to follow.

Once a business associate contract is in place, the respective parties must monitor the agreement to insure that all terms of the contract are met. If Edwin Fair CMHC knows that a business associate is in breach of violating his or her obligation under the contract, we will need to take reasonable steps to cure the breach. If those steps are unsuccessful, our agency may have to terminate the contract and report the problem to the department of Health and Human Services.

Persons participating in health care treatment generally are not considered to be business associates. However, another health care provider such as a hospital performing non-health care services for the agency, such as billing, is considered a business associate.

HIV CLIENTS: All information and records, which identify any person who has or may have AIDS, AIDS-related complex, or tests sero-positive for exposure to the HIV is confidential. Such information shall be released only by informed written consent of the client, or the client's guardian, or court order when the State Department of Health has determined that it is necessary to protect the health and will being of the general public if such a determination is made pursuant to the state Administrative Procedures, when necessary to notify persons who have had risk exposure (pursuant to rules and regulations of the State Board of Health), to health professionals to enforce laws, rules, and regulations concerning control and treatment of communicable or venereal diseases, for statistical purposes (in such a way that no person can be identified), and to health care providers within a therapeutic environment for the purpose of diagnosis and treatment of the person whose information is to be released. Such a release requires a written informed consent that must include in bold typeface that information authorized for release may include information on venereal disease which may include but is not limited to diseases such as hepatitis, syphilis, gonorrhea or the immunodeficiency virus, also known as Acquired Immune Deficiency Syndrome (AIDS).

SPECIAL SITUATIONS: Group therapy – All persons in group therapy should be informed of the absolute need for confidentiality before the group therapy process begins as well as frequently informed of the necessity for confidentiality throughout the therapy process. Whereas written agreements for consent to share information among the group members is not strictly necessary, it is advisable and often a way of building trust and group cohesiveness. Written agreements to not share information outside of the group are also a good idea and can help to underscore the need for confidentiality as well as a feeling of security among the group members. Separate charts should be kept on all group members and chart entries should avoid including any identifying information about any members of the group other than the client (first names only or initials may be used).

Marital therapy / Divorced couples / Custody situations – When working with couples in marital therapy, it is important to remember that the information contained in the file may be subpoenaed in the future (such as in the case of a divorce). Therefore, it is recommended that separate charts be kept for the husband and wife. It is important that information about the spouse of a client be recorded in a way that would protect the spouse's confidentiality if the chart were ordered to be released at a later date (recorded in a general way, background information should not be included in the spouse's chart, identifying information should be omitted). When needed, a summary may be made (deleting any information concerning the spouse) and submitted in response to a request or order to release information about a client.

"CONFIDENTIAL" CHARTS: Certain persons being seen at the Center may need to have special consideration in order to insure confidentiality. Such persons may include employees or their family members, high profile persons, etc. Their files can be placed in a separate locked cabinet. The Chief Administrative Officer should be consulted in such cases.

EXCEPTIONS: Danger to self – In cases where there is a direct and clear danger of a person doing harm to themselves in the near future, confidentiality can be breached in order to take reasonable precautions to protect the client from him/herself. Such action may include notification of persons that are close to the client (significant others), other persons involved in the treatment of the client, or law enforcement officials. As always, information released should be limited to that information that is specifically needed to take the appropriate precautions.

Danger to others (Tarasoff) – Court decisions have made it clear that mental health professionals have a responsibility to warn persons who may reasonably be in danger of physical harm to their physical safety because of threats or potential violent behavior on the part of their client.

Tarasoff vs The Regents of the University of California at Berkeley – A counselor at the University counseling center was seeing a male client who was obsessed with Tatiana Tarasoff, a female student at the University. When the therapist became aware that the client was capable of physically harming Miss Tarasoff, he contacted the police and warned them of the potential danger to Miss Tarasoff. The client did murder Miss Tarasoff. Miss Tarasoff's parents sued claiming "wrongful death", asserting that the therapist should have warned Miss Tarasoff directly. The suit was decided in the Tarasoff's favor. (1974)

In the written decision, the court stated that the "protected privilege (to confidentiality) ends where the peril to public safety begins". As a result, the court spelled out that when the following conditions are met:

1. a special relationship, (e.g. counselor - client) exists,
2. when there is reasonable prediction of a conduct that constitutes a threat to another,
3. when the client possesses the means to carry out the threat, and
4. when there is a defined and foreseeable victim, the mental health professional is required to take reasonable action defined as:

1. notifying authorities of the threat, and

2. notifying the potential victim of the threat.

In the years since the Tarasoff decision, the courts have ruled in a way that expands the mental health professional's responsibility. However, with some exceptions, the definitions of the requirements have not been defined so that there remains a great deal of ambiguity. For example, the mental health professional is additionally required to "reasonably assess dangerousness using the knowledge, skills, and care ordinarily possessed and used by members of the profession". It is not clearly defined, however, what the "knowledge, skills, and care ordinarily possessed and used by members of the profession" mean. For example, is a case manager required to use the same level of "knowledge, skill, and care" that a psychiatrist is expected to possess? What "knowledge, skill, and care" have been defined as the standards for mental health professionals?

The definition of potential victim has been expended to include "unidentifiable but probable targets if the client were to become violent", (e.g. A male client is very jealous of his wife after she divorces him. The therapist learns that the client has made threats ("If she isn't mine, she won't belong to anyone else") and has the means to "take care of it". The therapist would be required to notify the police, the client's ex-wife, and the ex-wife's boyfriend.).

The definition of "reasonable action" required of the therapist is not well defined (by phone call, mail, etc.), however, it has been expanded to include the option of taking the necessary steps to involuntarily hospitalize the client to prevent the violent behavior. If the client is hospitalized, the therapist and the client's therapist in the hospital are required to take whatever action is necessary to insure that the client stays in the hospital until any threat of violence has ceased. They are liable if the client leaves the hospital and carries out the threat.

Furthermore, the definition of "dangerousness" which is often used to define the criteria for the potential threat of harm has been expanded to include behaviors that might not be directly aimed at others but which still have the capability to cause harm to others. For example, in Peterson vs. the State of Washington, a woman was injured when involved in an automobile accident with a psychiatric patient that had recently been treated for drug abuse. The patient was under the influence of drugs at the time and collided with the woman's car. The courts held that the psychiatrist who knew of the patient's tendencies toward drug abuse and yet released him had a duty to protect anyone who might be a foreseeable victim of his patient's drug related problems.

A condition of impaired judgment to the point that it may indirectly or directly place others in danger has been suggested as a requirement for the clinician to take steps under the "duty to warn" responsibilities. This situation is vague and not clearly illuminated under the law. One example might be an industry worker who is psychotic or who is dependent upon drugs and who works around others in a work situation that requires keen judgment and attention in order to prevent serious industrial accidents. Another situation might be a public safety worker (policemen or firefighter) who has seriously impaired judgment due to depression or psychosis. One mental health professional was sued for allowing the parents of an adult psychotic client to transport the client to the hospital after the client jumped out of their car on the highway and was hit by an oncoming truck and killed. The suit was won by the parents when the court ruled that the mental health professional should have recognized the danger and prevented the parents from transporting or instructed them more adequately about the danger and how to handle it properly.

There has been a general consensus in the literature that the level of dangerousness necessary to justify breaking confidence and to require action on behalf of the therapist to notify any and all potential victims exists when a therapist learns that a client is positive for HIV (has AIDS) and is engaging in unprotected sex with others. This standard has not been tested in court.

In order to act professionally and to protect ourselves and the Center, we should always:

1. Inform all clients of the limits of confidentiality and the requirements of the therapist and Center surrounding "duty to warn" prior to initiating therapy.
2. Assess dangerousness in all clients on a continuing basis (and documenting the assessment).
3. When a threat or potential of a dangerous situation exists or may come into being, consult with other staff and your supervisors to formulate a plan to use in dealing with the client and the situation.
4. Discuss any threats and / or conditions of potential violence with the client in order to assess the level of dangerousness and to arrive at solution in which the client cooperates.
5. Take all threats or potential violent conditions seriously.
6. Inform the authorities (usually the police or sheriff) if a threat exists giving the client's name, the specifics of the situation, the names of the intended victim, and the names of any person(s) who might directly or indirectly expected to be in a danger as a result of the client's threat.
7. Directly warn all potential victims and any other persons who may be at risk.
8. Attempt to arrange for involuntary hospitalization (through court commitment or emergency detention) and to facilitate the continuation of the hospitalization until the threat ceases to exist.
9. Carefully document all of the above in the client's chart. (Some have advocated deleting any charting relevant to the assessment or dealings with threats or potentially violent situations reasoning that they could 1) use the defense that they did not know of the potential of violence, and 2) that since the burden of proof that they were negligent would be on the prosecuting party, (no notes would make negligence hard to prove). The court has taken a dim view towards such defenses. The responsibility to assess and to take action can best be dealt with by being responsible and documenting everything.

Determination of dangerousness - Assess for:

1. Past history of violence
2. Background of violence in family.
3. Increased level of anger (especially repressed, brooding anger).
4. Increased stress level (external and internal)
5. Decrease in supports (deaths, divorce, recently moved)
6. Drug and / or alcohol use or abuse.
7. Impulsivity.
8. Verbalization of indirect or direct threats.
9. Presence of plan to do violence - assess how organized/realistic.
10. Presence of mental instability - psychosis, delusions, paranoia.
11. Availability of means and opportunity to carry out plans - has gun, lives with or sees potential victim.
12. Steps taken to implement the plan.

Luckily, the courts have begun to recognize that the requirements placed upon the mental health worker are vague and at times unrealistic. They are making attempts to define them more closely and there may be some signs that the courts are retreating from the strict and sweeping requirements that have been mandated in the past.

CHILD ABUSE REPORTING: Reporting of suspected child abuse is required by State law and does not require a client to give consent for release. Oklahoma Statute SS 843-850 requires reporting by any person who has reason to believe (even if they do not have clear ability to prove) that a child under the age of eighteen has had physical injury or injuries inflicted upon him or her by other than accidental means where the injury appears to have been caused as a result of physical abuse or neglect. Such reporting is to be made immediately by phone to the Child Protective Services of the Department of Human Services and followed by a written report within five working days. The verbal and written report shall be documented in the chart. It is advisable to discuss the requirement to disclose information about abuse to the client before beginning the intake interview, especially when there is likelihood that such information may be discovered (e.g. custody evaluation, etc.). It is often a good therapeutic strategy to invite the client to call DHS with you or to meet with you and the DHS worker to discuss the suspected abuse. In this way, the client can take the responsibility for her / his actions and begin a cooperative effort at remediation.

CLIENT ACCESS TO OWN RECORDS: As a general rule, a client has a right of access to inspect and copy all PHI about him/herself in a "designated record set." A designated record set is defined to include medical records, billing records, and any other records used to make decisions about the client. However, there are exceptions to the client's right of access as follows.

• The provider is not required to provide clients with access to psychotherapy notes. Psychotherapy notes means notes recorded by a health care provider who is a mental health professional documenting or analyzing the contents of conversations during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of the individual record. The regulation do not consider the following as psychotherapy notes: medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment, results of clinical tests, and any summary of the following items: diagnoses, functional states, the treatment plan, systems, prognosis, and progress to date. All of this is considered part of the designated record set.
• The provider may refuse to give clients access to information compiled for use in a civil, criminal, or administrative action or proceeding.
• The provider is not required to give clients access to PHI that is subject to (or, under certain circumstances, exempt from) the Clinical Laboratory Improvements Amendments of 1988.

The Provider may also deny a client access to his/her PHI when:

• an inmate of a correctional institution requests PHI and furnishing the copy would jeopardize the health, safety, security, custody, or rehabilitation of the client or other inmates or the safety of a correctional officer;
  
• the PHI concerns treatment-related research, the client has agreed in advance to the denial of access, and the provider has informed the client that the right of access will be restored upon completion of the research;
• a client seeks access to records subject to the Federal Privacy Act and such access may be denied under that law
• the PHI was obtained under a promise of confidentiality from someone other than a health care provider and the access requested is reasonably likely to reveal the source of information;
• the access requested is reasonably likely to endanger the life or physical safety of the client or another person;
• the PHI makes reference to another person and the access is reasonably likely to cause substantial harm to such other person; or
• the request for access is made by the client's personal representative and the provision of access to such representative is reasonably likely to cause substantial harm to the client or another person.

The client must make a request for access to records in writing; and, when access is granted, the provider must act upon the request within 30 days after it receipt of the request. The time frame for a response may be extended for an additional 30 days under limited circumstances. The provider may impose a reasonable, cost-based fee for photocopying requested records. If the provider decides to deny access to the records based upon one of the grounds listed above, the provider must give the client access to any other PHI requested after excluding the PHI that is the subject of the denial.

SUBPOENAS: A subpoena is a unilateral request of a party for the production of a document or testimony. A subpoena does not, however, authorize the disclosure of confidential information. It is incumbent upon the clinician or agency receiving the subpoena to determine if there has been a waiver of the client's privilege before releasing the information. A waiver of client privilege can only be given by: 1) the client or a legal guardian of the client, 2) a valid court order, or 3) any of the exceptions given above. In cases where the client privilege has not been documented, the client and his/ her attorney should be notified to determine if they are waiving the privilege to confidentiality. If so, written consent should be sought from the client and the lawyer and documented in the chart. If the clinician is asked in court to disclose confidential information and there has not been a waiver, she or he should appeal to the judge to clarify the issue by raising the issue that the information is confidential and privileged and asking is he/she is required to release the information. The information should not be released until the clinician is satisfied that the client has waived his/ her privilege or that the court has ordered the release of the information. When a subpoena is received, the clinician should inform her/his Program Coordinator/Supervisor and clarify any confusion that might exist.

There are two types of subpoenas that a clinician is likely to receive: 1) Subpoena ad testificadum (often abbreviated to "subpoena") - requires the clinician to appear in court. 2) Subpoena Duces Tecum - requires the clinician to bring the complete client record.

Remember that the subpoena requires the clinician to appear or to bring the chart to the court--it does not authorize the release of the records. When consent has been given or there is a court order for the release of testimony and/or the record, the information given should be limited to information needed to answer the questions directed to the clinician.

A valid State subpoena should contain the name of the court, the names of the plaintiff(s) and defendant(s) in the action, the docket number of the case, the date, time and place of the requested appearance, the specific documents sought by the subpoena (in the case of a subpoena duces tecum), the name and telephone number of the attorney that caused the subpoena to be issued, and the signature and stamp or seal of the clerk of the court issuing the subpoena. Some federal court subpoenas have differing requirements. If there is any question about the validity of a subpoena, consult with your Program Coordinator/Supervisor or the Executive Director.

COURT ORDERS: Upon receiving a valid court order to release information or to testify, the client and her/his attorney should be notified. (They may wish to file a petition to quash the order.) The clinician and/or agency are required to respond to a court order in a timely manner. No informed consent is required from the client in order to respond to a court order (consent or refusal to consent would be irrelevant). As with a subpoena, any information released in response to a court order should be limited to the information ordered to be released. If the court order is ambiguous, ask the court to clarify its request. In case of any confusion as to how to respond to a court order, consult with your Program Coordinator/Supervisor.

DEPOSITIONS: A clinician can be subpoenaed or court ordered to give a deposition. A deposition is a structured interview in which the clinician is questioned by an attorney(s) under oath. An official record will be made of the depositional testimony for possible use in court. The same procedures should be followed for depositions as are followed for subpoenas or court orders. The clinician has the right to review and correct the written record of the deposition before signing and to receive a copy of the testimony given. The copy of the testimony should be placed in the chart.

DEATH OF CLIENT: The duty to maintain confidentiality that existed in life follows the patient in death. If a request for confidential information concerning a person who is deceased is received, informed consent from the executor or administrator of the deceased person's estate must be obtained. In cases of confusion, the court will need to clarify the issue.

COLLECTION AGENCIES: The Center is allowed under law to release certain information to collection agencies when it is necessary to collect unpaid bills. The information released should be only that information needed for the collection agency to utilize in collecting the bill (name, address, phone number, dates of services, and amount due). The client should be informed at intake that this information may be released if referral to a collection agency is required.

COMPUTER SYSTEMS AND RECORDS: Extreme care should be taken to guard against unauthorized access to information stored in computer systems. Safeguards are built into the system and tested regularly. Edwin Fair has a HIPAA Security Officer who makes monthly inspections of computers and their usage.

ELECTRONIC TRANSFER OF DATA / FAXES: When there is electronic transfer of confidential data between different information systems or by fax, particular care should be taken to limit the information transferred to only that which is necessary for the purposes involved. The security of such linkages should be tested from time to time. Care should be taken that the information is received directly and only by the person for which it is intended and that the receiver abides by the same standards of confidentiality used by the Center. All fax transmissions are required to be sent with a cover sheet that notifies the receiver of the confidentiality of the information being sent and the prohibition of any dissemination of the information as well as instructions for dealing with the information if it is received in error (see Policies and Procedures).

PEER REVIEW / AUDIT / PROGRAM EVALUATION: The disclosure of confidential data for peer review, audit, and program evaluation purposes within the agency is not considered a breach of confidentiality. Likewise, the sharing of data with regulating agencies such as the Department of Mental Health or for Medicaid audits without written consent is allowed. However, the client should be made aware of the sharing of data for peer review purposes and the information shared should be limited to only that data that is required.

TRANSPORTATION OF RECORDS: Client records are not to be transferred out of the agency at any time except for specific purposes such as transfer of records from one Edwin Fair facility to another Edwin Fair facility as required to provide clinical services, for audits, or for peer review (see Policies and Procedures).

PHONE INQUIRES: All requests for information that is confidential (no matter how little or "innocuous") should be diplomatically but firmly turned down. One way to do this is to politely state that all information about clients is confidential and requires written consent for release. Care must be taken to avoid revealing even that the person is a client or has an appointment at the Center. If the caller persists, the statement above can be repeated and the caller can be asked if there is any other way that he/she can be helped.

LAWSUITS AGAINST THERAPIST/AGENCY: When a lawsuit is filed against a clinician or the agency concerning their contact with a client, the client automatically waives her / his right to confidentiality. Consult with the Executive Director and your Program Coordinator/Supervisor in such a case. Legal consultation may be warranted and can be facilitated by your supervisors.

LIABILITY: When there is an inadvertent and unauthorized disclosure of someone's PHI, HIPAA requires certain actions on our part. All efforts should be made to mitigate the harm done such as securing any records from someone who they weren’t intended to be sent to or asking that any unauthorized information sent be returned immediately. In addition, the agency must inform the client of the inadvertent breach of confidentiality.

In the case of unauthorized or unwarranted disclosure of confidential information, you and the Center may be liable for prosecution under at least four areas of the law: malpractice, breach of statutory duty, invasion of privacy, or breach of (implied) contract. Should you receive notice of a lawsuit or suspect that a lawsuit may be forthcoming, inform your Program Coordinator/Supervisor and the Executive Director immediately.

ORIENTATION OF NEW EMPLOYEES / YEARLY UPDATE: All new employees are to be oriented as to Center policies and procedures concerning confidentiality at the time they are hired. All Edwin Fair staff is to be updated annually as to confidentiality policies and procedures.

CONFIDENTIALITY EXAMPLE: You saw Mr. and Mrs. Jones in marital therapy two years ago and, as a part of the therapy, had three sessions with their daughter, Suzy; two sessions with Suzy and her parents and one with Suzy alone. Now they are divorced.

You receive a subpoena from Mr. Jones' lawyer commanding you to appear in court to testify about the therapy you conducted with Mr. and Mrs. Jones and to produce the records you kept about the therapy. Mr. Jones alleges that Mrs. Jones' boyfriend is physically abusing Suzy. Mr. Jones and his attorney feel that there is an emergency and that they need you to testify about your contacts with Mr. Jones, Mrs. Jones, and with Suzy.

WHAT DO YOU DO?