A New Age for Mental and Substance Abuse Health Records
Considerations for Protecting Highly Sensitive Records in Electronic Systems
By Elisa R. Gorton, MAHSM, RHIA
Mental health and substance abuse records are generally recognized as containing “sensitive” protected health information (PHI) in need of privacy and security measures above and beyond what is required by HIPAA. There was a time when this sensitive PHI was kept separate and apart from a patient’s health record and the access to it highly restricted. Today these records remain highly restricted in access, but as mental health and substance disorder records are transitioning to electronic systems, the risk for inappropriate uses and disclosures increases. An increase in the number of medical necessity requests by health insurance companies is only one example of how mental health and substance abuse PHI is leaving the
trusted hands of the HIM department and entering the world of
greater access even as it relates to reimbursement.
With paper records, auditor requests were mailed; with the
electronic health record, auditors are now requesting electronic
access. In this new electronic age, ensuring effective privacy and
security processes are in place is imperative.
This article reviews considerations in protecting mental and
substance abuse health records in a new age of electronic information.
Laws and Regulations
HIM professionals have the obligation of understanding the
complexity of the mental and substance abuse healthcare system, its rules and regulations, and its unique position in the
healthcare delivery system to ensure that organizational privacy
and security policies meet all state and federal regulations. They
must understand how these laws and regulations directly affect
the ability to access and disclose sensitive PHI.
For instance, HIPAA mandates each covered entity develop
and distribute a notice of privacy practice. It also requires that
this document contain explanations of how PHI is used within
an organization and offer patients the option to opt out of certain uses, such as providing an alternate mailing address or
phone number for individual confidentiality.
However, there is a question as to whether some electronic
systems can truly afford patients the ability to opt out with regard
to restrictions on mental health and substance abuse records.
As healthcare systems transition to EHRs, HIM professionals
should ask whether the system allows a patient to restrict portions of his or her sensitive PHI from being included in a health
information exchange (HIE).
Federal regulations providing guidance on the privacy and
security of sensitive PHI are sparse, but they do exist. One example is 42 CFR 2, the federal regulation that governs substance
abuse. It is very clear about what, when, how, and to whom sensitive PHI may be released.
State statutes also play a vital role in properly maintaining
overall confidentiality and security. State statutes vary and have
different levels of protections.
Privacy and Security Considerations
How can organizations continue to protect the privacy and confidentiality of psychiatric and substance abuse records in the
new age of electronic health information? Providing safe, quality healthcare to a patient includes providing access to all PHI
relevant to the care provided. For instance, psychotropic medications, just like any medication, may have contraindications
with certain medications. Providers must have knowledge of the
full history of medications currently taken by a patient to ensure
overall quality and safety of the care given.