Avoiding Liability Bulletin – May 2009
… Confidentiality is the primary cornerstone of psychotherapy. Without the promise of confidentiality, patients and clients would be reluctant to “open up” with their therapists and counselors, and as a consequence, successful treatment would likely be hindered. Therapists and counselors learn about confidentiality early in their careers and understand its importance. Hopefully, they also understand that a negligent or intentional breach of confidentiality can result in significant negative consequences for them.
Typically and traditionally, the patient or client has had two remedies. One remedy is to sue for monetary damages in a civil lawsuit. Depending upon the nature and extent of the breach, and the consequent damages or harm to the client, the civil lawsuit might have significant value. Hopefully, the practitioner will be covered by professional liability (malpractice) insurance! (Intentional acts are typically excluded from coverage). The other remedy available to the client is the filing of a complaint with the licensing board. A complaint could result in a fine, a suspension or revocation of one’s license, multiple years of probation upon various and onerous terms and conditions, or a combination thereof. Additionally, licensing board actions are usually publicized, in one way or another (e.g., on the Internet).
It is now possible, at least in one state, for an inadvertent breach of confidentiality to result in monetary liability (administrative fines) by three separate governmental entities – one federal agency and two state agencies! Imagine a practitioner who inadvertently sends records to a third party, but later realizes that the authorization form that the patient signed was only valid through a certain date, which had recently passed. The possible implications of such a situation, or other more serious situations involving a breach of confidentiality, are rather extensive in this state and perhaps others.
In the state referenced above, the licensing board for marriage and family therapists and clinical social workers has the authority, as an alternative to the usual disciplinary actions they can initiate, to issue an administrative citation for violations of the law that are inadvertent or minor in nature. Such a procedure allows the practitioner to pay the fine assessed by the Board (up to $5000) or to contest it, both informally and formally.
If the practitioner is a “covered entity” under HIPAA, then he or she is also subject to a complaint to, and fine by, the federal Office of Civil Rights, which is part of the U.S. Department of Health and Human Services. While the range of possible fines per violation is rather wide, depending upon the circumstances, inadvertent or negligent violations of confidentiality, especially for first time offenders, have been rather light under the HIPAA enforcement provisions. Recently, however, Congress passed the so-called “stimulus package” in order to stimulate the economy – more formally known as the American Recovery and Reinvestment Act. A part of that Act is the HITECH Act – which stands for Health Information Technology for Economic and Clinical Health. In the latter Act, the amount of the civil fines that may be assessed against a “covered provider” has been substantially increased. Providers can either pay the administrative fine or contest the matter.
As if that were not enough, the state referenced above has created yet another agency that can fine licensed health care professionals for violations of a patient’s confidentiality. This new agency, the Office of Health Information Integrity, is a creature of recent legislation. Its general purpose is to ensure the enforcement of state law mandating the confidentiality of “medical information” (includes mental health records maintained by a variety of psychotherapists) and to impose administrative fines for the unauthorized use of medical information. The reason why this law was passed (in my view, in haste and without enough thought) is directly a result and reaction to some gross breaches of confidentiality that occurred regarding one or more well-known entertainers. Legislators quickly reacted by passing this law – which is somewhat duplicative of the HIPAA enforcement provisions and various licensing law and related provisions allowing for administrative fines and more severe disciplinary action.
The penalty provisions for violating confidentiality have been expanded by this recently passed state law. On the upper end of the penalties for a breach of confidentiality, a $250,000 administrative fine or civil penalty is possible, for example, if a licensed health care professional knowingly and willfully obtains, discloses, or uses medical information in violation of the state’s basic confidentiality law for the purpose of financial gain. This stiff fine or civil penalty (the maximum) is applicable in the case of a third violation. A first time violation could garner an administrative fine or civil penalty up to $5,000, while a second violation could result in a fine or civil penalty of up to $25,000. Lesser penalties are provided for in cases where a disclosure is made by a licensed health care professional as the result of negligence (as opposed to knowing and willful behavior) and not for financial gain.
This new law requires every provider of health care to establish and implement appropriate administrative, technical, and physical safeguards to protect the privacy of a patient’s medical information. It requires providers of health care to reasonably safeguard confidential medical information from any unauthorized access or unlawful access, use, or disclosure. While the requirements mentioned above have not previously been expressly stated in the law (other than in HIPAA regulations), the duty of confidentiality obviously, and as a practical matter, requires these basic steps to be taken by any practitioner who is duty bound to preserve patient confidentiality. A bill has recently been introduced in the state’s Legislature that would give the newly created Office of Health Information Integrity the right to audit the procedures and records of a provider of health care at any time in order to determine the provider’s compliance with these requirements. I expect that this bill will be the subject of great concern for associations representing various providers of health care.
Finally, the Confidentiality of Medical Information Act in this state (California) provides that any violation of the law of confidentiality, as contained in the CMIA, that results in economic loss or personal injury to a patient is punishable as a misdemeanor. The “civil penalty,” referred to above, is assessed and recovered in a civil action (lawsuit) brought in the name of the people of the State of California in any court of competent jurisdiction by any district attorney, any city attorney of a city, the Attorney General of the State of California, or others! Accountability enough? Is there anything similar in your state?