The Surgeon General's Report on Mental Health
Confidentiality of Mental
Health Information: Ethical, Legal,
and Policy Issues
Current State of Confidentiality Law
One expert has described the current law governing the confidentiality of health care information as a crazy quilt of Federal and state constitutional, statutory, regulatory and case law that erodes personal privacy and forms a serious barrier to administrative simplification (Waller, 1995, p. 44). This aptly describes the current legal framework for the confidentiality of mental health and substance abuse information as well.
There is at present no national standard for the confidentiality of health care information in general or mental health information in particular. Rather, each state has laws that establish confidentiality rules and exceptions. In response to a serious public policy concern that the criminal justice ramifications of use of illegal substances would significantly deter individuals from seeking substance abuse treatment, a national standard governing the confidentiality of substance abuse treatment information was codified. However, there often are significant differences among states and between the state and Federal requirements, which can create problems for the administrators of health care plans and for those providing treatment for people with co-occurring mental illness and substance abuse disorders.
As noted, nearly all states have discrete statutes addressing the confidentiality of mental health records and information. In a handful of states, a general law applicable to all health care information applies. In some states, the mental health confidentiality statute applies only to information gathered when a state facility provides treatment; in others, it applies to mental health treatment regardless of the auspice of care.
One common criticism of health care information laws generally is that they apply primarily to information gathered in the course of treatment and in the possession of the caregiver. This means that different standards apply to the distribution of information held by others not party to the treatment relationship. This observation fairly characterizes most state mental health laws as well. The focus of the laws tends to be upon the clinical relationship, and often what happens to information once it is disseminated beyond the clinical relationship is unaddressed. Many of the reform proposals advanced in recent years would apply confidentiality rules to other parties that come into possession of protected information, although the proposals vary regarding application of a national standard to employers, schools, correctional facilities, and other settings in which a significant volume of health care is provided. In addition, the proposals vary regarding the question of whether the individual has a legal right to consent to disclosures beyond the clinical relationship: How this question is resolved will determine in large measure whether individuals in the role of patient believe that confidentiality protections are strong enough to warrant seeking treatment.
While the various reform proposals differ in detail, few dispute the need to extend the obligation to protect confidentiality to other parties. In the early 1980s, one expert found that between 25 and 100 people had access to an individual inpatient record (Siegler, 1982), a number that has grown in recent years. In addition, as health care delivery and payment have become increasingly complex and as provider networks rather than individual practitioners increasingly provide care, the number of people who may come into possession of health care information continues to expand. One observer describes three zones of users of personal health care information. Zone one users are involved in direct patient care, while zone two users are involved in support and administrative activities like payment and quality of care reviews. Zone three users include public health agencies, social welfare agencies, researchers, and direct marketing firms (Westin, 1993). Some of these parties traditionally have had ready access to health care information; others, for example, utilization review managers and direct marketing firms, are comparatively new to health care. Whether a party that has access to information should have access to that information is a separate question that lies at the heart of much of the debate about confidentiality.
Each state law creates exceptions to confidentiality. While state laws vary regarding the number and type of exceptions permitted, the most common exceptions to confidentiality are discussed briefly below. As a prefatory note, many experts assume that client consent presumptively should be required prior to most if not all disclosures, and that any waiver of confidentiality by the client must be truly informed (Campbell, 2000). However, as the discussion below suggests, many state laws permit a variety of disclosures without client consent, raising questions regarding the adequacy of these laws in protecting client confidentiality in the current environment.
Consent by the Person in Treatment
The most common exception to confidentiality is when the person who is or has been in treatment consents to the waiver of confidentiality. (For minor children, this right rests with the parents or legal guardians.) For example, the practitioner may ask that the person sign a consent form authorizing the release to the practitioner of other health care records. This reflects the fact that the right to confidentiality is designed primarily to protect the patient, not other parties, from unwanted disclosures, and that the right to waive confidentiality presumptively rests with the patient. In some instances, where confidentiality is waived, the patient nonetheless may wish to avoid release of certain information in any circumstances and direct that the provider not include in the file sensitive personal informationfor example, sexual orientation or marital infidelities.
Although each state provides for waiver of confidentiality by the person in treatment, few states spell out in statute the elements of a valid consent. This is in contrast to the Federal laws on substance and alcohol treatment information, discussed below, which provide explicit details regarding the content of a valid consent.
In addition, the various reform proposals that have been introduced in Congress and elsewhere each contain criteria for consent. These typically include requirements that consent be in writing, name the individual or entity to which disclosure of information is to be made, identify the purpose or need for disclosure and the type of information to be disclosed, and state the period for which the consent is effective. However, it should be noted that the proposals differ on the question of the degree to which a persons consent to disclosure would be truly voluntary. Many of the proposals suggest that a persons treatment, or reimbursement for treatment, may depend on whether the person consents to have his or her records disclosed. This may raise questions about how voluntary such consent is, in fact, given that access to the services sought may be contingent upon agreeing to the release of information divulged during treatment.
Disclosure to the Client
Many, though not all, state laws provide that individuals have a right of access to health care records containing information about them. Some provide that a clinician may restrict access to the record, if in the clinicians judgment, access would cause harm to the client. Some statutes also provide that a clinician may restrict access to particular parts of the record if access might harm the client or if third parties provided information with the expectation that it would be held in confidence. Some experts have suggested that limiting client access undercuts the principle that information contained in the record belongs first to the client (Campbell, 2000). Each reform proposal articulated to date provides for access by an individual to health care information. These proposals assume that access is necessary both so that the individual is fully informed regarding his or her health care and so that the individual can correct information that might be erroneous. Generally, for minor children, parents have the right of access. Some experts have suggested that in the case of children, even in instances in which the parents or guardians control the information, there should be a right for the child to establish a zone of privacy for certain intimate information. Such information could not be accessed by responsible adults except when the clinician determines that it indicates imminent danger of harm to self or others (Melton, 2000).
Disclosure to Other Providers
An important question in an era in which networks of providers provide increasing amounts of care is whether and how confidentiality laws permit disclosure to other caregivers. The majority of states that address this issue typically provide for disclosure to others involved in providing care. Some states require consent before information can be disclosed, although the majority of state laws that address the issue do not. Few states address the question of information exchange within a network of providers.
Some proposals before Congress would permit disclosure of information to other care providers without requiring consent. Others would require consent prior to any disclosure. At least one presumptively would permit disclosure, but give the individual the opportunity to opt out of a particular disclosure. As noted earlier, conditioning access to treatment (or to reimbursement) on a waiver of confidentiality calls into question the voluntariness of the waiver.
Disclosure to Payers
Many states have provisions in their mental health confidentiality laws that permit disclosure of otherwise confidential information as necessary to obtain reimbursement or other financial assistance for the person in treatment. Most of these statutes were written before the emergence of managed care and third-party utilization review. Therefore, most state laws that create this exception to confidentiality impose few if any limitations on the type or amount of information that can be disclosed to obtain reimbursement, and most do not explicitly require consent prior to disclosure. There are exceptions that might prove useful models to other jurisdictions. For example, New Jersey restricts disclosure of information from licensed psychologists to third-party payers. The statute permits disclosure only if the client consents, and if disclosure is limited to: (1) administrative information; (2) diagnostic information; (3) the legal status of the patient; (4) the reason for continuing psychological services; (5) assessment of the clients current level of functioning and level of distress; and (6) a prognosis, limited to the minimal time treatment might continue (New Jersey Statutes). The Commonwealth of Massachusetts also limits disclosures to third-party payers of mental health information (Massachusetts Annotated Laws).
As noted, the proposals that have been made to date to create a national standard for the confidentiality of health care information differ in how they treat disclosures to other providers and payers. Some proposals would require patient consent prior to any disclosure. Others would presume consent. Still others would permit the individual to opt out of specific disclosures. The last would require that individuals be given the names of providers and payers that might be provided access to information; the individual could then decline permission to provide information to specific payers or providers.
The question of how much information should be made available to third-party reviewers is a contentious one. As the research described earlier suggests, the willingness to self-disclose, or to participate in treatment, appears to be contingent at least in part on the strength of confidentiality provisions. As the amount and sensitivity of information made available to third- party reviewers increases, a corresponding decrease on the part of some individuals to seek treatment is likely.
Disclosure of Information to Families
An issue of some controversy in mental health is whether families should be provided information regarding their adult child in certain circumstances. As a general rule, access to information in circumstances involving minor children is provided to parents or the legal guardian of the child, until the child attains the age of majority or an age at which the child is permitted under state law to make his or her own treatment decisions.
Some states provide that parents acting in the role of caregiver may be given information, usually limited to diagnosis, prognosis, and information regarding treatment, specifically medications. Of those states with these or similar provisions, some permit the disclosure of this information without the consent of the individual, while others require consent, with some providing for administrative review if consent is not given. All of the reform proposals that have been introduced before Congress provide for the disclosure of limited information regarding an individuals current health status to family or next of kin. Consent generally is not required, although most provide the patient with the opportunity to request that information not be provided in such circumstances. It should be noted that in the context of mental health treatment, there is disagreement regarding this issue, particularly on the issue of prior consent. Family advocates often take the position that a family in a caregiving role should have access to some types of information whether or not the individual specifically has consented to the disclosure, because it is necessary to play a caregiving role (Lefly, 2000). Advocates for consumer-recipients often argue that consent should be required, because the right to confidentiality belongs to the recipient of services, and because there may be intrafamily conflicts that could be exacerbated by the release of information to family members.
Oversight and Public Health Reporting
All states have provisions that allow entities with oversight responsibilities to have access to medical records without client consent. Similarly, states mandate that certain types of information be made available to public health officials for various public health purposes, for example, the reporting of infectious diseases or the prescription of particular types of medication. The various reform proposals would do little to change this type of reporting, although at least one would create a preference for the use of records in which personal identifying information has been deleted.
The confidentiality of individually identifiable information gathered in the course of conducting research can be protected from compelled disclosure by obtaining federally issued certificates of confidentiality. These certificates are issued through the Department of Health and Human Services upon application by the researcher for research which involves the collection of specific types of sensitive information judged necessary to achieve the research objectives. The importance of the protection against disclosure afforded by Federal certificates of confidentiality increases as research expands its traditional boundaries to include genetic information of uncertain/evolving clinical relevance. An individual may voluntarily consent to the disclosure of information obtained in the course of protected research. In addition, the researcher may identify certain specific information which may be voluntarily disclosed in participants consent forms.
States that address access to confidential information for research purposes generally provide for access without consent if it is impractical to obtain individual consent and the research has been approved by the agency with approval authority under the state law. It should be noted that regardless of the aforementioned protections, information obtained in protected research studies, which finds its way into the participants regular medical chart, is not covered.
Disclosure to Law Enforcement Agencies
Many state laws limit access to information regarding people with mental illness by law enforcement officials to situations in which an individual who has been hospitalized has left the hospital and not returned, or to situations in which a crime has been committed on the grounds of a treatment facility. A handful of state laws provides access for the purpose of investigating health care fraud. In contrast, most of the reform proposals designed to create a national standard provide comparatively broad access by law enforcement officials. Others would limit discovery to situations in which law enforcement could demonstrate, usually by clear and convincing evidence, that disclosure is necessary.
This is a controversial issue. Some professional and advocacy groups believe that broad access by law enforcement officials will lead to unwarranted invasions of privacy and encourage fishing expeditions in which material revealed during treatment becomes the basis of criminal prosecution. On the other hand, some have argued that broad access is necessary, particularly to investigate health care fraud in which the conduct of the provider rather than the client is at issue. The current Federal substance abuse laws provide for a stricter standard for access to information by law enforcement officials than is provided for in many of the proposals before Congress. This strict standard is based on the assumption that broader access would have a negative effect on the willingness of people to seek substance abuse treatment, if seeking treatment might lead to criminal prosecution. While these provisions seem to have met their intended goal of encouraging individuals to seek treatment, there is no evidence that stricter Federal standards for access to substance abuse information have impeded law enforcement efforts.
Disclosure to Protect Third Parties
In 1976, the California Supreme Court ruled that a mental health professional has an obligation to take steps to protect identified third parties whom the professional reasonably believes might be endangered by a client (Tarasoff v. Regents, 1976). This decision was criticized by a number of groups, including the American Psychiatric Association and the American Psychological Association, on the grounds that it required mental health professionals to perform a task for which they were ill-suited (that is, assess future risk) and that it would compromise confidentiality. Since the courts decision, many states, either through statute or judicial decision, have addressed this topic.
The majority of states that have done so through statute provide that a mental health professional who concludes that his or her client represents an imminent danger to an identified third party may take steps, including notifying the individual or law enforcement officials, to protect the third party without becoming liable for a breach of confidentiality. These states also typically provide that the clinician will not be liable if he or she decides not to actrather, the statutes give the clinician discretion in deciding how to proceed.
In addition, all states permit or mandate disclosure in other situations where a third party might be at risk for harm. Child abuse and elder abuse reporting laws are examples. Most of the proposals to create a national standard permit disclosures necessary to protect an identifiable third party when the caregiver concludes that there is a risk of serious injury or death, or when disclosure is necessary to protect the patient from serious harm.
An individual who seeks treatment for mental illness runs the risk of discrimination and invasion of privacy if information disclosed during treatment becomes known to third parties. An individual who seeks treatment for a substance use problem may reveal information that if disclosed could become the basis for criminal prosecution. The prospect of prosecution as a price of entering treatment quite clearly may create disincentives to seek treatment.
In an effort to create incentives for people with substance use and alcohol problems to seek treatment, Congress enacted perhaps the strictest confidentiality law extant. As a result, Federal law governs the confidentiality of information, obtained by federally assisted, specialized substance abuse treatment pro- grams, which would identify a patient as receiving treatment services (42 U.S.C. 290dd-2; 42 C.F.R. 2.1, et seq.).
Disclosure of patient identifying information by federally assisted programs is permitted only in explicitly delineated circumstances. The person receiving services can waive confidentiality, but consent must be written; name the client, the program making the disclosure, and the intended recipient of the information; state the purpose of the disclosure and the information to be disclosed; be signed by the client or representative of the patient where appropriate; and state the duration of the consent and conditions under which it expires. In the absence of consent, disclosures may be made only in the circumstances permitted by the regulations. For example, information may be exchanged within the program providing services, but only to the extent necessary to provide services. In other words, information is to be exchanged even within the treatment program on a need to know basis. Disclosures may be made without consent to other service providers if providers have entered into a qualified service agreement with the treating program. This is to permit the treating program to obtain collateral services, for example, blood work, that are not performed by the program itself. Disclosures to other providers not part of a qualified service agreement can only occur with consent.
Disclosure also is permitted to law enforcement officials when there was a crime committed on the premises or against the personnel of the treatment program. Even in this case, information provided is to be limited initially to the name, address, and last known whereabouts of the individual who committed or threatened to commit a crime. Other circumstances in which disclosures are permitted without consent include medical emergencies as defined in the regulations; child abuse reports; court orders, when the court has followed procedures established in the regulations; and in criminal investigations of extremely serious crimes as defined in the regulations (Center for Substance Abuse Treatment, 1994). The statute and regulations do not address, and therefore do not permit, disclosures to families of clients or to payers without consent of the client.
The Federal law is generally much more detailed than any state mental health law in delineating the conditions that must be met before disclosures can occur. In addition, as this brief summary suggests, state mental health laws and the Federal alcohol and substance abuse laws differ substantively in many respects. This may create difficulties for providers caring for people with co-occurring mental illness and substance use disorders, because the provider may be operating under two quite different legal standards in considering requests for information regarding the same individual. This issue is discussed in more detail below.
Other Federal statutes have limited applicability to the confidentiality of health care information. The Privacy Act of 1974 prohibits disclosure of an individuals record without prior written consent and provides access to review, copy, and correct records. However, the Act applies only to federally operated hospitals and to research or health care institutions operated pursuant to Federal contracts, so it does not cover the vast majority of organizations and entities collecting health care information (Gostin, 1995). In addition, disclosure of personally identifiable information is permitted if necessary for the routine use of the receiving facility, a very broad exception.
Finally, the Americans With Disabilities Act (ADA) of 1990 requires employers to maintain medical information in separate files and on discrete forms. As the ADA is enforced, it may lead to increased protection of the privacy of medical records at the workplace. In relevant part, however, the ADA applies only to people with a disability as defined by the statute, and to actions taken by employers based on an individuals disability. Therefore, the ADA provides only limited confidential- ity protection; it does not create a general right to medical privacy within the workplace.
There is general consensus that the current legal framework for protecting the confidentiality of health care information is inadequate. There are significant differences among the states in addressing confidentiality issues. While a state-by-state approach may have been good policy before recent trends in the organization and financing of health care, the increasing dominance of the health care industry by providers and payers doing business on a national scale has caused many to advocate for a national confidentiality standard.
This lack of uniformity may be exacerbated in the context of mental health care. There are differences in standards not only among the states, but between the states and the Federal government. Separate state standards for mental health information and Federal standards for alcohol and substance use information may be problematic in an era in which it has become evident that many people with mental illnesses also have substance abuse or alcohol problems. In addition, there are often within the same state a number of statutory provisions that address the confidentiality of mental health information. These may include the state mental health law (which may apply to all mental health information or only information held by state-operated providers), judicial privilege statutes, laws applicable to licensed professionals, and various state oversight laws. This may make it difficult even within a particular state to articulate the state law on the confidentiality of mental health information.
Many state mental health laws also lack provisions that most reform proposals contain. For example, many states do not articulate standards for client consent to disclosure. In contrast, most reform proposals require that consent be in writing, be of definite rather than indefinite duration, and specify recipients of information rather than provide open-ended consent to disclose. Many state laws providing for disclosure of mental health information to payers without client consent were written before the increased demands for information common today. Access by other providers is variable as well. Many states provide for comparatively mild penalties for the breach of confidentiality. In contrast, most reform proposals would considerably strengthen penalties for violating confidentiality protections.
As the debate regarding a national standard proceeds, there are two additional issues of consequence for those considering the confidentiality of mental health information. The first is the question of preemption. Most reform proposals considered by Congress in recent years would establish a national standard that would become the minimum standard for health care information. The standard would preempt (or supercede) any state laws that provided less protection than that in the national standard. The Secretary of the Department of Health and Human Services recommended such an approach in a recent report to Congress entitled, Confidentiality of Individually Identifiable Health Information. Should a national standard be enacted, determining whether a states mental health law provides more or less protection than a national standard may be difficult in at least some cases. For example, in one state, the law permits disclosures without consent to some but not all types of providers. One of the proposals to establish a national standard would permit disclosures to be made to other providers without the consent of the individual, but would give the individual the opportunity to opt out of disclosures to specified providers. In this example, it is difficult to determine whether the state law in question is more or less protective than the proposed national standard. On the one hand, the state law in this example is more restrictive than the reform proposal because it limits the types of providers that can receive information without consent. On the other hand, it is weaker than the reform proposal because it does not provide the individual with an opportunity to decline permission to disclose to those providers. The problem is not insurmountable: in this example, one solution might be to apply the opt-out provision of the national standard to that part of the state law that permits some types of disclosures without consent. At the same time, the current condition of many state mental health laws may make application of the preemption principle difficult.
A second important question is whether there should continue to be separate legal standards for mental health confidentiality and for substance use and alcohol use confidentiality. The reform proposals advanced to date generally would leave the Federal substance use law intact. This would have the practical effect of locking in the disparate standards that currently exist for mental health information (governed by state laws) and substance and alcohol use information (governed by the Federal law). Some experts disagree with the notion of having discrete, disease-based standards, on the ground that there are other diseases that raise legitimate concerns regarding privacy that do not receive special protection (Gostin, 1995). Others would retain the strict protections currently available to substance and alcohol use data, while extending the same protections to mental health information. This report does not endorse either perspective. However, it would be useful to examine more closely whether disparate standards have an effect on clinical practice and on the privacy expectations of individuals in treatment, particularly those with both a mental illness and a substance abuse diagnosis.
There are many reasons why an individual with a mental illness might decide not to seek treatment. For example, some people might forego treatment for financial reasons. Others might decide that the risk of stigma and discrimination that people with mental illness still encounter is too high a price to bear. In the latter situation, being able to provide assurances that the principle of confidentiality receives strong protection may make the difference in the decision to enter and participate fully in treatment.
Confidentiality is a matter of both ethical and legal concern. As noted earlier, each of the health care professions endorses confidentiality as a core matter. However, it is the law that establishes the basic rules that govern confidentiality in practice. The law can expand confidentiality, as the U.S. Supreme Court did when it ruled that a psychotherapeutic privilege would apply in Federal court. The law also can decide that the principle of confidentiality must yield to other values, as the California Supreme Court did when it decided that mental health professionals had an obligation to protect third parties whom the professional reasonably concluded could be endangered by a client in treatment.
It is clear that confidentiality is not absolute. There are other competing values that require its breach in certain circumstances. However, it also seems clear that there are significant gaps in the current legal framework that protects the confidentiality of mental health information. Consideration of an appropriate level of legal protection for mental health information should acknowledge that mental illness continues to be a category of illness that may subject a person receiving a diagnosis to discrimination and other disadvantages.
In the absence of strong confidentiality protections, some individuals with mental illness may decide that the benefit of treatment is outweighed by the risk of public disclosure. This would be harmful not only to the individual, but to a public that has a stake in the mental health of its members. The U.S. Supreme Court summarized this public interest succinctly in the decision quoted at the beginning of this section:
- The psychotherapist privilege serves the public interest by facilitating the provision of appropriate treatment for individuals suffering the effects of a mental or emotional problem. The mental health of our citizenry, no less than its physical health, is a public good of transcendent importance. (Jaffee v. Redmond, 1996)
It is to be hoped that this public good, as well as the private good represented by successful treatment for mental illness, governs the continuing debate regarding the protection of confidentiality.