Requirements and Limits of Confidentiality
NOTE: THIS CONTENT IS NOT UP TO DATE.
Click HERE to access the updated content on Sunny.
Confidentiality is foundational to the therapeutic relationship. It is important to understand your confidentiality obligations while also recognizing its limits.
Still have a question? Submit a ticket here and ask our attorneys. Make sure to ask your RCD first.
The duty of confidentiality is at the heart of your relationship with your client. This duty arises both out of your ethical obligations as a mental health professional and out of state and federal privacy statutes and regulations (including HIPAA). Overarching the confidentiality requirement is the principle that your clients have entrusted you, and Thriveworks, with sensitive information that should be safeguarded. This includes not only the contents of therapy, but also the very fact that your client is, in fact, your client. As a general rule, all protected health information (PHI) must be kept confidential unless: (i) a specific exception applies, or (ii) the client provides a specific, written authorization for disclosure. If you're a fan of analogies, you can think of confidentiality as a locked box which should only be opened if one of the specific keys is provided. In other words, you should start with the default position of confidentiality and then only disclose when you are specifically permitted to do so.
1. Client Request.
In keeping with the locked box analogy, you can think of your client as holding the "master key". While Thriveworks is the owner and custodian of a client's medical records, clients themselves (or their legal guardian) have the legal right to access their own records and to receive copies of them. If you do get a request like this from your client, our wonderful Medical Records team is here to help. Click here for the policies and procedures related to records requests.
2. Written Authorization.
The client's "master key" can also be used to open the box for others. Generally, unless another exception applies, a written authorization is required in order to disclose PHI to third parties. These written authorizations are also often referred to as "ROIs" (Releases of Information) or "PHI Releases". The label is not as important as the substance of the authorization, which generally should be a detailed written document, signed by the patient (or their legal guardian), giving Thriveworks/you permission to use/disclose PHI to specified individuals/entities for specified purposes. Generally, authorizations must include a description of the information to be shared, and clients can elect to share their entire record or specific elements (for example, a client may be willing to share only their billing statements with a family member). Authorizations must also contain an expiration date. Thriveworks has a standard ROI which can be found in/sent through AMD, and please do not hesitate to reach out to your RCD and/or Legal with questions about written authorizations and their validity.
3. When Duty Calls. (Duty to Report/Warn/Protect)
You, as the clinician, also carry with you a key that must be utilized under certain circumstances when state law and/or ethical obligations require confidentiality to be broken. Click here for information regarding the Duty to Report, Duty to Warn, and Duty to Protect.
4. HIPAA's Permitted Purposes - Treatment, Payment, & Operations
Clients generally expect that their information will be used and disclosed as necessary to treat them, bill for treatment, schedule sessions, and perform other necessary administrative functions. In line with this, the HIPAA Privacy Rule allows for the limited use and disclosure of PHI when specifically used or disclosed for one of the three "Core Health Activities": (i) Treatment; (ii) Payment; and (iii) Operations. For example, the "Payment" exception is what allows providers to communicate with a client's insurance to obtain reimbursement and file claims, and the "Operations" exception covers administrative, financial, legal, and quality improvement activities. What this means for you, as a clinician, is that the law gives you a safe harbor when you are, for example, communicating with our internal billing department regarding payment of a client's account or with our compliance department regarding documentation requirements. For more information about HIPAA, click here or refer to your HIPAA training materials.
5. Court Order / Specific Statutory Authority
Finally, as you can expect, the government holds some keys as well, though these are limited in nature and you are not likely to encounter these situations often. These exceptions are typically defined in state law and include, for example, disclosures made to a healthcare oversight agency (such as your licensing board) in conjunction with an active investigation. A valid court order signed by a judge is also grounds for disclosure, though it is important not to confuse a subpoena issued by someone other than a judge (such as an attorney) with an actual court order (click here for more information regarding subpoenas). Please reach out to your RCD and Legal if you encounter these types of uncommon disclosure situations.