| Contents | Previous | Next |
Effective psychotherapy. . . depends upon an atmosphere of confidence and trust in which the patient is willing to make a frank and complete disclosure of facts, emotions, memories, and fears. Because of the sensitive nature of the problems for which individuals consult psychotherapists, disclosure of confidential communications made during counseling sessions may cause embarrassment or disgrace. For this reason, the mere possibility of disclosure may impede development of the confidential relationship necessary for successful treatment.
This ringing endorsement of the importance of confidentiality in the provision of mental health treatment comes from the U.S. Supreme Court (Jaffee v. Redmond, 1996). The Court’s language, in a decision creating a psychotherapist privilege in Federal court, appears to leave little doubt that there is broad legal protection for the principle of confidentiality. Public opinion polls also show widespread support for the privacy of health care information: 85 percent of those responding to one survey characterized protecting the privacy of medical records as essential or very important (Peck, 1994).
Yet the reality is much more complex. State and Federal laws do protect the confidentiality of health care information, including information created in providing mental health and substance abuse treatment. However, these laws have numerous exceptions, are inconsistent from state to state, and, in the opinion of many experts, provide less protection of confidentiality than is warranted.
In addition, changes in the health care industry, and advances in technology, have created new concerns regarding the privacy of health care information. Health care increasingly is delivered and paid for by for-profit corporations with business in many states. This shift has several relevant consequences. First, individual health care information may be held and disseminated far beyond the office of the practitioner providing care. Second, cost containment concerns have resulted in the emergence of a variety of techniques that depend on third-party review of a practitioner’s judgment that an individual should receive care, reviews that have resulted in increased demands for patient-specific information before care is approved. In addition, private health care information may be distributed for the purpose of marketing commercial products, such as pharmaceuticals, a growing business that many believe constitutes an improper use of such information (Jeffords, 1997; O’Harrow, 1998). Finally, private health information is used to create much larger databases, for various purposes including treatment and research, thereby increasing the number of people with access to such information.
Technology also has emerged as a major issue in privacy debates. The ultimate impact of technology is not yet clear. One leading expert on the privacy of health care information asked whether technology would help or hinder the protection of health care privacy, responded that the answer was yes and no (Gellman, in press). On the one hand, new technologies can support, and in some cases make possible, the changes that have transformed the health care industry. The“health information technology industry” in 1997 sold approximately $15 billion of products to health care organizations, including medical business decision-support software, data warehousing, clinical expert systems, and electronic medical record systems designed to support large health care enterprises (Kleinke, 1998). There also have been ongoing efforts to create computer-based patient records for several years (Dick & Stean, 1991). Such records in many ways can be more secure than paper records through various mechanisms, for example, by restricting access to designated users. Yet much of the same technology raises concerns about privacy, because of its capacity to store and disseminate rapidly to multiple users personal information that many individuals would prefer remain private. If the myriad needs of the health care system could be met by using only data stripped of patient-specific information, many concerns about privacy might be ameliorated. However, data that identify the individual are still considered necessary for many purposes, including the administration of payment systems and fraud investigations. This has led some to conclude that the ultimate question when patient-specific data are transported and used outside of the clinical context is security of the data (Moran, 1998).
Congress, in an effort to respond to growing public concern over health care information privacy, has committed the Federal government to the creation of a national confidentiality standard by 2000. Congress also has directed the Secretary of Health and Human Services to produce recommendations for simplifying and standardizing requirements for the electronic transmission of health information (Health Insurance Portability and Accountability Act, 1996). The purpose is to improve the effectiveness and efficiency of the health care system (Gellman, 2000). It is not yet clear, given the complexities of the issues, that the deadline for a national privacy standard will be met. However, it is clear that the confidentiality of health care information has emerged as a core issue in recent years, as concerns regarding the accessibility of health care information and its uses have risen.
This section of the report discusses the values underlying confidentiality, its importance in individual decisions to seek mental health treatment, the legal framework governing confidentiality and potential problems with that framework, and policy issues that must be addressed by those concerned with the confidentiality of mental health and substance abuse information. Although the current debate regarding Federal standards is not presented in great detail, it is referred to when appropriate to provide context for the broader discussion.
Each profession that provides mental health treatment embraces confidentiality as a core ethical principle. For example, the Code of Ethics of the American Medical Association (AMA) states that “a physician . . . shall safeguard a patient’s confidences within the restraints of the law” (American Medical Association [AMA], 1996). The AMA more recently has observed that “patients have a basic right to privacy of their medical information and records. . .patients’ privacy should be honored unless waived by the patient in a meaningful way, or in rare instances of strongly countervailing public interest” (AMA, 1998). The Ethical Principles of Psychologists state that“psychologists have a primary obligation and take reasonable precautions to respect . . . confidentiality rights” (American Psychological Association, 1992). (See also, American Managed Behavioral Healthcare Association, 1998; American Psychiatric Association, 1998; National Alliance for the Mentally Ill, 1998).
While the importance of confidentiality as an ethical principle is evident from these statements, it is also clear that confidentiality is not an absolute value. The AMA’s 1996 statement qualifies the principle of confidentiality by observing that it is to be protected “within the restraints of the law.” The American Psychological Association provides exceptions as well, noting for example that disclosure of otherwise confidential information is permissible“where permitted by law for a valid purpose, such as. . .(3) to protect the patient or client from harm” (Ethical Principles of Psychologists and Code of Conduct, 5.05). As the discussion below suggests, the law creates many circumstances in which confidentiality may or must be breached. At the same time, legal principles reflect broader values, and so there is often significant disagreement about the exceptions to confidentiality that the law permits or requires.
It is also important to note at the outset that the right to confidentiality belongs to the person receiving services (Campbell, 2000). The ethical codes of the various professions, and most confidentiality laws, obligate professionals to take steps to protect confidentiality. However, in general, the right to confidentiality belongs to the client; the right to waive confidentiality also is the client’s, although there are situations in which the provider of treatment has no choice under the law but to disclose.
The principle of confidentiality is designed to advance certain values. These include reducing the stigma and discrimination associated with seeking and receiving mental health treatment, fostering trust in the treatment relationship, ensuring individuals privacy in their health care decisions, and furthering individual autonomy in health care decisionmaking.
There are certain illnesses that often evoke public unease and on occasion overt discrimination. For example, in the past, cancer was often not discussed; in fact, physicians often chose not to tell patients that they had diagnosed cancer. In recent years, individuals with AIDS have often faced discrimination. Mental illness has often fallen into this category as well. For years, the stigma and discrimination associated with mental illness were reinforced by laws that stripped people of their legal rights upon admission to a psychiatric hospital, and by social attitudes that often equated mental illness with potential violence. While many of the legal rules that reinforced discrimination have been removed, public attitudes regarding mental illness continue to vary. In an effort to reduce the risk of stigma and the discrimination that often results, confidentiality laws seek to protect both the fact that an individual has sought mental health treatment as well as the disclosures that are made during treatment.
Confidentiality generally is considered to be a cornerstone of a doctor-patient relationship (Dierks, 1993). Many psychotherapists assume that mental health treatment is most likely to be successful only if the client has a trusting relationship with the clinician (Sharkin, 1995). The Supreme Court language quoted at the beginning of this section reflects the same assumption. While the research findings on this subject are somewhat mixed (see discussion below), it is beyond dispute that many individuals in seeking treatment for mental illness reveal much of their private selves. It seems reasonable to assume that for many people, trust that their privacy will not be intruded upon beyond the confines of the clinical relationship is an important element in permitting unguarded exchanges during treatment. Concerns regarding confidentiality may cause individuals to take steps to protect themselves from unwanted disclosures in other ways that carry their own costs. For example, an individual may decide to pay for his or her own care, withhold certain types of sensitive information during treatment, or avoid seeking care.
The law has given considerable attention in the last 3 decades to the idea that people have a right to privacy in making decisions regarding their health care. While the legal right to privacy has been discussed and applied most often in the context of decisions involving procreation and decisions at the end of life, the general principle that the value of privacy is important to mental health treatment is not disputed.
Competent individuals, or in the case of minor children, their parents or legal guardians, have a right to self-determination in deciding to seek or forego health care, including mental health or substance abuse treatment. There are exceptions, for example, the use of involuntary civil commitment or court-ordered treatment. However, the general trend has been to expand autonomy in health care decisionmaking. Two ethical and legal principles are important anchors to the principle of autonomy. The first, informed consent, assumes that the better informed an individual is, the better equipped he or she is to make health care decisions. The second, confidentiality, is considered to be particularly important in the context of mental health treatment. This is because of the assumption that an absence of confidentiality may make a person less likely to seek treatment.
The values that underlie confidentiality in large part assume that people will be less likely to seek needed help (Corcoran & Winsalde, 1994) and, once in treatment, less likely to disclose sensitive information about themselves if they believe that the information may be disseminated outside the treatment relationship. Available research supports these assumptions. For example, in one study, individuals receiving psychotherapy placed a high value on the importance of confidentiality to the therapeutic relationship, as did a matched group of hospital employees (McGuire et al., 1985). Parents of children in psychotherapy reported that confidentiality was an important issue that needed to be discussed in the context of informed consent processes (Jensen et al., 1991). Another study suggests that concerns regarding stigma and confidentiality were factors in decisions by people with dual diagnoses (psychiatric illness and substance abuse disorder) to seek treatment from the community mental health system (Howland, 1995). Yet another study reports that the decision of therapists to seek or not seek treatment was influenced, among other things, by concerns regarding confidentiality (Norman & Rosvall, 1994). In the context of drug testing, the degree to which confidentiality was protected influenced the attitudes of those who had been ordered into drug testing regarding the seeking of employment (Sujak et al., 1995).
Subjects who were told that confidentiality was absolute reported that they were more willing to disclose information about themselves than individuals who were told that confidentiality was limited (Nowell & Spruill, 1993). Confidentiality, of course, is not absolute, and so the impact on individuals in treatment of various limits on confidentiality is an important question. This was explored in one of the few confidentiality studies to use as research subjects people actually in treatment (rather than students simulating the role of patient). Taube and Elwork (1990) found that patient self-disclosure was influenced in large measure by how informed the patient was about confidentiality law and by how consequential to the patient the legal limits on confidentiality were in his or her particular circumstances. Roback and Shelton (1995), noting that some studies suggested that perceived limitations on confidentiality did not deter patients from self-disclosing, also noted that as persons perceived themselves at risk for serious sociolegal consequences, being informed that certain disclosures would result in mandatory reporting did limit self-disclosing.
Finally, one of the most recent studies of this subject, which used clients and college students as subjects for the research, concluded that subjects were less candid with a therapist if they understood that information regarding their treatment was to be disclosed to a third party for case utilization review (Kremer & Gesten, 1998). As a result, another observer concluded that “psychiatric treatment is often paid for by patients out-of-pocket, precisely to avoid creating a record over which a patient has little or no control” (Alpert, 1998, p. 89).
Surveys of the general public also indicate that privacy of health care information is a major concern. For example, 27 percent of the respondents to a 1993 Harris survey believed that health care information about them had been improperly disclosed, 11 percent previously had decided to not file an insurance claim because of privacy concerns, and 7 percent had decided to forego care because of concern that information that would be generated in care might harm their employment possibilities or other opportunities (Louis Harris & Associates, 1993).
These findings suggest a dilemma for individuals who may wish to pursue treatment for mental illness and for treatment providers. All available data indicate that confidentiality of health care information is a significant concern for individuals. The evidence also indicates that people may become less willing to make disclosures during treatment if they know that information will be disseminated beyond the treatment relationship. At the same time, the caregiver is ethically obligated to disclose to the client the limits on confidentiality: A failure to reveal the limits of confidentiality seriously threatens the therapeutic relationship and the provider’s credibility. As a result, treatment may be compromised, and the patient may terminate treatment prematurely (Kremer & Gesten, 1998).
In short, available research supports the conclusion that strong confidentiality laws are critical in creating assurances for individuals seeking mental health treatment and thereby increasing willingness to participate in treatment to the degree necessary to achieve successful outcomes. However, the present legal framework does not provide strong, consistent protection of confidentiality in many instances.
It is important to note that additional factors may contribute to concern that confidentiality may be breached and, in turn, an unwillingness on the part of consumers to disclose or share information. In many instances, these factors cannot be addressed through stronger legal protections alone. In given clinical settings, for example, concern may stem from the existence of crowded or open facilities, frequent changes in clinical staff, language differences, cultural considerations, and other constraints that would limit establishing a trusting therapeutic relationship. In addition, individuals may not wish to disclose information regarding “pre-existing conditions” for fear it may result in a loss of insurance coverage as well as privacy.
One expert has described the current law governing the confidentiality of health care information as a “crazy quilt of Federal and state constitutional, statutory, regulatory and case law” that “erodes personal privacy and forms a serious barrier to administrative simplification” (Waller, 1995, p. 44). This aptly describes the current legal framework for the confidentiality of mental health and substance abuse information as well.
There is at present no national standard for the confidentiality of health care information in general or mental health information in particular. Rather, each state has laws that establish confidentiality rules and exceptions. In response to a serious public policy concern that the criminal justice ramifications of use of illegal substances would significantly deter individuals from seeking substance abuse treatment, a national standard governing the confidentiality of substance abuse treatment information was codified. However, there often are significant differences among states and between the state and Federal requirements, which can create problems for the administrators of health care plans and for those providing treatment for people with co-occurring mental illness and substance abuse disorders.
As noted, nearly all states have discrete statutes addressing the confidentiality of mental health records and information. In a handful of states, a general law applicable to all health care information applies. In some states, the mental health confidentiality statute applies only to information gathered when a state facility provides treatment; in others, it applies to mental health treatment regardless of the auspice of care.
One common criticism of health care information laws generally is that they apply primarily to information gathered in the course of treatment and in the possession of the caregiver. This means that different standards apply to the distribution of information held by others not party to the treatment relationship. This observation fairly characterizes most state mental health laws as well. The focus of the laws tends to be upon the clinical relationship, and often what happens to information once it is disseminated beyond the clinical relationship is unaddressed. Many of the reform proposals advanced in recent years would apply confidentiality rules to other parties that come into possession of protected information, although the proposals vary regarding application of a national standard to employers, schools, correctional facilities, and other settings in which a significant volume of health care is provided. In addition, the proposals vary regarding the question of whether the individual has a legal right to consent to disclosures beyond the clinical relationship: How this question is resolved will determine in large measure whether individuals in the role of patient believe that confidentiality protections are strong enough to warrant seeking treatment.
While the various reform proposals differ in detail, few dispute the need to extend the obligation to protect confidentiality to other parties. In the early 1980s, one expert found that between 25 and 100 people had access to an individual inpatient record (Siegler, 1982), a number that has grown in recent years. In addition, as health care delivery and payment have become increasingly complex and as provider networks rather than individual practitioners increasingly provide care, the number of people who may come into possession of health care information continues to expand. One observer describes three “zones” of users of personal health care information. “Zone one” users are involved in direct patient care, while “zone two” users are involved in support and administrative activities like payment and quality of care reviews. “Zone three” users include public health agencies, social welfare agencies, researchers, and direct marketing firms (Westin, 1993). Some of these parties traditionally have had ready access to health care information; others, for example, utilization review managers and direct marketing firms, are comparatively new to health care. Whether a party that has access to information should have access to that information is a separate question that lies at the heart of much of the debate about confidentiality.
Each state law creates exceptions to confidentiality. While state laws vary regarding the number and type of exceptions permitted, the most common exceptions to confidentiality are discussed briefly below. As a prefatory note, many experts assume that client consent presumptively should be required prior to most if not all disclosures, and that any waiver of confidentiality by the client must be truly informed (Campbell, 2000). However, as the discussion below suggests, many state laws permit a variety of disclosures without client consent, raising questions regarding the adequacy of these laws in protecting client confidentiality in the current environment.
The most common exception to confidentiality is when the person who is or has been in treatment consents to the waiver of confidentiality. (For minor children, this right rests with the parents or legal guardians.) For example, the practitioner may ask that the person sign a consent form authorizing the release to the practitioner of other health care records. This reflects the fact that the right to confidentiality is designed primarily to protect the patient, not other parties, from unwanted disclosures, and that the right to waive confidentiality presumptively rests with the patient. In some instances, where confidentiality is waived, the patient nonetheless may wish to avoid release of certain information in any circumstances and direct that the provider not include in the file sensitive personal information—for example, sexual orientation or marital infidelities.
Although each state provides for waiver of confidentiality by the person in treatment, few states spell out in statute the elements of a valid consent. This is in contrast to the Federal laws on substance and alcohol treatment information, discussed below, which provide explicit details regarding the content of a valid consent.
In addition, the various reform proposals that have been introduced in Congress and elsewhere each contain criteria for consent. These typically include requirements that consent be in writing, name the individual or entity to which disclosure of information is to be made, identify the purpose or need for disclosure and the type of information to be disclosed, and state the period for which the consent is effective. However, it should be noted that the proposals differ on the question of the degree to which a person’s consent to disclosure would be truly voluntary. Many of the proposals suggest that a person’s treatment, or reimbursement for treatment, may depend on whether the person consents to have his or her records disclosed. This may raise questions about how “voluntary” such consent is, in fact, given that access to the services sought may be contingent upon agreeing to the release of information divulged during treatment.
Many, though not all, state laws provide that individuals have a right of access to health care records containing information about them. Some provide that a clinician may restrict access to the record, if in the clinician’s judgment, access would cause harm to the client. Some statutes also provide that a clinician may restrict access to particular parts of the record if access might harm the client or if third parties provided information with the expectation that it would be held in confidence. Some experts have suggested that limiting client access undercuts the principle that information contained in the record belongs first to the client (Campbell, 2000). Each reform proposal articulated to date provides for access by an individual to health care information. These proposals assume that access is necessary both so that the individual is fully informed regarding his or her health care and so that the individual can correct information that might be erroneous. Generally, for minor children, parents have the right of access. Some experts have suggested that in the case of children, even in instances in which the parents or guardians control the information, there should be a right for the child to establish a “zone of privacy” for certain “intimate” information. Such information could not be accessed by responsible adults except when the clinician determines that it indicates imminent danger of harm to self or others (Melton, 2000).
An important question in an era in which networks of providers provide increasing amounts of care is whether and how confidentiality laws permit disclosure to other caregivers. The majority of states that address this issue typically provide for disclosure to others involved in providing care. Some states require consent before information can be disclosed, although the majority of state laws that address the issue do not. Few states address the question of information exchange within a network of providers.
Some proposals before Congress would permit disclosure of information to other care providers without requiring consent. Others would require consent prior to any disclosure. At least one presumptively would permit disclosure, but give the individual the opportunity to “opt out” of a particular disclosure. As noted earlier, conditioning access to treatment (or to reimbursement) on a waiver of confidentiality calls into question the voluntariness of the waiver.
Many states have provisions in their mental health confidentiality laws that permit disclosure of otherwise confidential information as necessary to obtain reimbursement or other financial assistance for the person in treatment. Most of these statutes were written before the emergence of managed care and third-party utilization review. Therefore, most state laws that create this exception to confidentiality impose few if any limitations on the type or amount of information that can be disclosed to obtain reimbursement, and most do not explicitly require consent prior to disclosure. There are exceptions that might prove useful models to other jurisdictions. For example, New Jersey restricts disclosure of information from licensed psychologists to third-party payers. The statute permits disclosure only if the client consents, and if disclosure is limited to: (1) administrative information; (2) diagnostic information; (3) the legal status of the patient; (4) the reason for continuing psychological services; (5) assessment of the client’s current level of functioning and level of distress; and (6) a prognosis, limited to the minimal time treatment might continue (New Jersey Statutes). The Commonwealth of Massachusetts also limits disclosures to third-party payers of mental health information (Massachusetts Annotated Laws).
As noted, the proposals that have been made to date to create a national standard for the confidentiality of health care information differ in how they treat disclosures to other providers and payers. Some proposals would require patient consent prior to any disclosure. Others would presume consent. Still others would permit the individual to “opt out” of specific disclosures. The last would require that individuals be given the names of providers and payers that might be provided access to information; the individual could then decline permission to provide information to specific payers or providers.
The question of how much information should be made available to third-party reviewers is a contentious one. As the research described earlier suggests, the willingness to self-disclose, or to participate in treatment, appears to be contingent at least in part on the strength of confidentiality provisions. As the amount and sensitivity of information made available to third- party reviewers increases, a corresponding decrease on the part of some individuals to seek treatment is likely.
An issue of some controversy in mental health is whether families should be provided information regarding their adult child in certain circumstances. As a general rule, access to information in circumstances involving minor children is provided to parents or the legal guardian of the child, until the child attains the age of majority or an age at which the child is permitted under state law to make his or her own treatment decisions.
Some states provide that parents acting in the role of caregiver may be given information, usually limited to diagnosis, prognosis, and information regarding treatment, specifically medications. Of those states with these or similar provisions, some permit the disclosure of this information without the consent of the individual, while others require consent, with some providing for administrative review if consent is not given. All of the reform proposals that have been introduced before Congress provide for the disclosure of limited information regarding an individual’s current health status to family or next of kin. Consent generally is not required, although most provide the patient with the opportunity to request that information not be provided in such circumstances. It should be noted that in the context of mental health treatment, there is disagreement regarding this issue, particularly on the issue of prior consent. Family advocates often take the position that a family in a caregiving role should have access to some types of information whether or not the individual specifically has consented to the disclosure, because it is necessary to play a caregiving role (Lefly, 2000). Advocates for consumer-recipients often argue that consent should be required, because the right to confidentiality belongs to the recipient of services, and because there may be intrafamily conflicts that could be exacerbated by the release of information to family members.
All states have provisions that allow entities with oversight responsibilities to have access to medical records without client consent. Similarly, states mandate that certain types of information be made available to public health officials for various public health purposes, for example, the reporting of infectious diseases or the prescription of particular types of medication. The various reform proposals would do little to change this type of reporting, although at least one would create a preference for the use of records in which personal identifying information has been deleted.
The confidentiality of individually identifiable information gathered in
the course of conducting research can be protected from compelled disclosure by
obtaining federally issued “certificates of confidentiality.” These certificates
are issued through the Department of Health and Human Services upon application
by the researcher for research which involves the collection of specific types
of sensitive information judged necessary to achieve the research objectives.
The importance of the protection against disclosure afforded by Federal
“certificates of confidentiality” increases as research expands its traditional
boundaries to include genetic information of uncertain/evolving clinical
relevance. An individual may voluntarily consent to the disclosure of
information obtained in the course of protected research. In addition, the
researcher may identify certain specific information which may be voluntarily
disclosed in participants’ consent forms.
States that address access to confidential information for research purposes
generally provide for access without consent if it is impractical to obtain
individual consent and the research has been approved by the agency with
approval authority under the state law. It should be noted that regardless of
the aforementioned protections, information obtained in protected research
studies, which finds its way into the participant’s regular medical chart, is
not covered.
Many state laws limit access to information regarding people with mental illness by law enforcement officials to situations in which an individual who has been hospitalized has left the hospital and not returned, or to situations in which a crime has been committed on the grounds of a treatment facility. A handful of state laws provides access for the purpose of investigating health care fraud. In contrast, most of the reform proposals designed to create a national standard provide comparatively broad access by law enforcement officials. Others would limit discovery to situations in which law enforcement could demonstrate, usually by clear and convincing evidence, that disclosure is necessary.
This is a controversial issue. Some professional and advocacy groups believe that broad access by law enforcement officials will lead to unwarranted invasions of privacy and encourage “fishing expeditions” in which material revealed during treatment becomes the basis of criminal prosecution. On the other hand, some have argued that broad access is necessary, particularly to investigate health care fraud in which the conduct of the provider rather than the client is at issue. The current Federal substance abuse laws provide for a stricter standard for access to information by law enforcement officials than is provided for in many of the proposals before Congress. This strict standard is based on the assumption that broader access would have a negative effect on the willingness of people to seek substance abuse treatment, if seeking treatment might lead to criminal prosecution. While these provisions seem to have met their intended goal of encouraging individuals to seek treatment, there is no evidence that stricter Federal standards for access to substance abuse information have impeded law enforcement efforts.
In 1976, the California Supreme Court ruled that a mental health professional has an obligation to take steps to protect identified third parties whom the professional reasonably believes might be endangered by a client (Tarasoff v. Regents, 1976). This decision was criticized by a number of groups, including the American Psychiatric Association and the American Psychological Association, on the grounds that it required mental health professionals to perform a task for which they were ill-suited (that is, assess future risk) and that it would compromise confidentiality. Since the court’s decision, many states, either through statute or judicial decision, have addressed this topic.
The majority of states that have done so through statute provide that a mental health professional who concludes that his or her client represents an imminent danger to an identified third party may take steps, including notifying the individual or law enforcement officials, to protect the third party without becoming liable for a breach of confidentiality. These states also typically provide that the clinician will not be liable if he or she decides not to act—rather, the statutes give the clinician discretion in deciding how to proceed.
In addition, all states permit or mandate disclosure in other situations where a third party might be at risk for harm. Child abuse and elder abuse reporting laws are examples. Most of the proposals to create a national standard permit disclosures necessary to protect an identifiable third party when the caregiver concludes that there is a risk of serious injury or death, or when disclosure is necessary to protect the patient from serious harm.
An individual who seeks treatment for mental illness runs the risk of discrimination and invasion of privacy if information disclosed during treatment becomes known to third parties. An individual who seeks treatment for a substance use problem may reveal information that if disclosed could become the basis for criminal prosecution. The prospect of prosecution as a price of entering treatment quite clearly may create disincentives to seek treatment.
In an effort to create incentives for people with substance use and alcohol problems to seek treatment, Congress enacted perhaps the strictest confidentiality law extant. As a result, Federal law governs the confidentiality of information, obtained by federally assisted, specialized substance abuse treatment pro- grams, which would identify a patient as receiving treatment services (42 U.S.C. 290dd-2; 42 C.F.R. 2.1, et seq.).
Disclosure of patient identifying information by federally assisted programs is permitted only in explicitly delineated circumstances. The person receiving services can waive confidentiality, but consent must be written; name the client, the program making the disclosure, and the intended recipient of the information; state the purpose of the disclosure and the information to be disclosed; be signed by the client or representative of the patient where appropriate; and state the duration of the consent and conditions under which it expires. In the absence of consent, disclosures may be made only in the circumstances permitted by the regulations. For example, information may be exchanged within the program providing services, but only to the extent necessary to provide services. In other words, information is to be exchanged even within the treatment program on a “need to know” basis. Disclosures may be made without consent to other service providers if providers have entered into a “qualified service agreement” with the treating program. This is to permit the treating program to obtain collateral services, for example, blood work, that are not performed by the program itself. Disclosures to other providers not part of a qualified service agreement can only occur with consent.
Disclosure also is permitted to law enforcement officials when there was a crime committed on the premises or against the personnel of the treatment program. Even in this case, information provided is to be limited initially to the name, address, and last known whereabouts of the individual who committed or threatened to commit a crime. Other circumstances in which disclosures are permitted without consent include medical emergencies as defined in the regulations; child abuse reports; court orders, when the court has followed procedures established in the regulations; and in criminal investigations of “extremely serious crimes” as defined in the regulations (Center for Substance Abuse Treatment, 1994). The statute and regulations do not address, and therefore do not permit, disclosures to families of clients or to payers without consent of the client.
The Federal law is generally much more detailed than any state mental health law in delineating the conditions that must be met before disclosures can occur. In addition, as this brief summary suggests, state mental health laws and the Federal alcohol and substance abuse laws differ substantively in many respects. This may create difficulties for providers caring for people with co-occurring mental illness and substance use disorders, because the provider may be operating under two quite different legal standards in considering requests for information regarding the same individual. This issue is discussed in more detail below.
Other Federal statutes have limited applicability to the confidentiality of health care information. The Privacy Act of 1974 prohibits disclosure of an individual’s record without prior written consent and provides access to review, copy, and correct records. However, the Act applies only to federally operated hospitals and to research or health care institutions operated pursuant to Federal contracts, so it does not cover the vast majority of organizations and entities collecting health care information (Gostin, 1995). In addition, disclosure of personally identifiable information is permitted if necessary for the “routine use” of the receiving facility, a very broad exception.
Finally, the Americans With Disabilities Act (ADA) of 1990 requires employers to maintain medical information in separate files and on discrete forms. As the ADA is enforced, it may lead to increased protection of the privacy of medical records at the workplace. In relevant part, however, the ADA applies only to people with a disability as defined by the statute, and to actions taken by employers based on an individual’s disability. Therefore, the ADA provides only limited confidential- ity protection; it does not create a general right to medical privacy within the workplace.
There is general consensus that the current legal framework for protecting the confidentiality of health care information is inadequate. There are significant differences among the states in addressing confidentiality issues. While a state-by-state approach may have been good policy before recent trends in the organization and financing of health care, the increasing dominance of the health care industry by providers and payers doing business on a national scale has caused many to advocate for a national confidentiality standard.
This lack of uniformity may be exacerbated in the context of mental health care. There are differences in standards not only among the states, but between the states and the Federal government. Separate state standards for mental health information and Federal standards for alcohol and substance use information may be problematic in an era in which it has become evident that many people with mental illnesses also have substance abuse or alcohol problems. In addition, there are often within the same state a number of statutory provisions that address the confidentiality of mental health information. These may include the state mental health law (which may apply to all mental health information or only information held by state-operated providers), judicial privilege statutes, laws applicable to licensed professionals, and various state oversight laws. This may make it difficult even within a particular state to articulate the state law on the confidentiality of mental health information.
Many state mental health laws also lack provisions that most reform proposals contain. For example, many states do not articulate standards for client consent to disclosure. In contrast, most reform proposals require that consent be in writing, be of definite rather than indefinite duration, and specify recipients of information rather than provide open-ended consent to disclose. Many state laws providing for disclosure of mental health information to payers without client consent were written before the increased demands for information common today. Access by other providers is variable as well. Many states provide for comparatively mild penalties for the breach of confidentiality. In contrast, most reform proposals would considerably strengthen penalties for violating confidentiality protections.
As the debate regarding a national standard proceeds, there are two additional issues of consequence for those considering the confidentiality of mental health information. The first is the question of preemption. Most reform proposals considered by Congress in recent years would establish a national standard that would become the minimum standard for health care information. The standard would preempt (or supercede) any state laws that provided less protection than that in the national standard. The Secretary of the Department of Health and Human Services recommended such an approach in a recent report to Congress entitled, Confidentiality of Individually Identifiable Health Information. Should a national standard be enacted, determining whether a state’s mental health law provides more or less protection than a national standard may be difficult in at least some cases. For example, in one state, the law permits disclosures without consent to some but not all types of providers. One of the proposals to establish a national standard would permit disclosures to be made to other providers without the consent of the individual, but would give the individual the opportunity to “opt out” of disclosures to specified providers. In this example, it is difficult to determine whether the state law in question is more or less protective than the proposed national standard. On the one hand, the state law in this example is more restrictive than the reform proposal because it limits the types of providers that can receive information without consent. On the other hand, it is weaker than the reform proposal because it does not provide the individual with an opportunity to decline permission to disclose to those providers. The problem is not insurmountable: in this example, one solution might be to apply the opt-out provision of the national standard to that part of the state law that permits some types of disclosures without consent. At the same time, the current condition of many state mental health laws may make application of the preemption principle difficult.
A second important question is whether there should continue to be separate legal standards for mental health confidentiality and for substance use and alcohol use confidentiality. The reform proposals advanced to date generally would leave the Federal substance use law intact. This would have the practical effect of locking in the disparate standards that currently exist for mental health information (governed by state laws) and substance and alcohol use information (governed by the Federal law). Some experts disagree with the notion of having discrete, disease-based standards, on the ground that there are other diseases that raise legitimate concerns regarding privacy that do not receive special protection (Gostin, 1995). Others would retain the strict protections currently available to substance and alcohol use data, while extending the same protections to mental health information. This report does not endorse either perspective. However, it would be useful to examine more closely whether disparate standards have an effect on clinical practice and on the privacy expectations of individuals in treatment, particularly those with both a mental illness and a substance abuse diagnosis.
There are many reasons why an individual with a mental illness might decide not to seek treatment. For example, some people might forego treatment for financial reasons. Others might decide that the risk of stigma and discrimination that people with mental illness still encounter is too high a price to bear. In the latter situation, being able to provide assurances that the principle of confidentiality receives strong protection may make the difference in the decision to enter and participate fully in treatment.
Confidentiality is a matter of both ethical and legal concern. As noted earlier, each of the health care professions endorses confidentiality as a core matter. However, it is the law that establishes the basic rules that govern confidentiality in practice. The law can expand confidentiality, as the U.S. Supreme Court did when it ruled that a psychotherapeutic privilege would apply in Federal court. The law also can decide that the principle of confidentiality must yield to other values, as the California Supreme Court did when it decided that mental health professionals had an obligation to protect third parties whom the professional reasonably concluded could be endangered by a client in treatment.
It is clear that confidentiality is not absolute. There are other competing values that require its breach in certain circumstances. However, it also seems clear that there are significant gaps in the current legal framework that protects the confidentiality of mental health information. Consideration of an appropriate level of legal protection for mental health information should acknowledge that mental illness continues to be a category of illness that may subject a person receiving a diagnosis to discrimination and other disadvantages.
In the absence of strong confidentiality protections, some individuals with mental illness may decide that the benefit of treatment is outweighed by the risk of public disclosure. This would be harmful not only to the individual, but to a public that has a stake in the mental health of its members. The U.S. Supreme Court summarized this public interest succinctly in the decision quoted at the beginning of this section:
The psychotherapist privilege serves the public interest by facilitating the provision of appropriate treatment for individuals suffering the effects of a mental or emotional problem. The mental health of our citizenry, no less than its physical health, is a public good of transcendent importance. (Jaffee v. Redmond, 1996)
It is to be hoped that this public good, as well as the private good represented by successful treatment for mental illness, governs the continuing debate regarding the protection of confidentiality.
In an era in which the confidentiality of all health care information, its accessibility, and its uses are of concern to all Americans, privacy issues are particularly keenly felt in the mental health field. An assurance of confidentiality is understandably critical in individual decisions to seek mental health treatment. Although an extensive legal framework governs confidentiality of consumer-provider interactions, potential problems exist and loom ever larger.