APA Comments: Proposed Rule Providing Modifications to Standards for Privacy of Individually Identifiable Health Information
by Russ Newman, PhD, JD
April 24, 2002
U.S. Department of Health and Human Services
Office for Civil Rights
Attention: Privacy 2
Hubert H. Humphrey Building
Room 425A
200 Independence Avenue, SW
Washington, DC 20201
Re: Proposed Rule Providing Modifications to Standards for Privacy of Individually Identifiable Health Information, as published in 67 Fed. Reg. 14776, March 27, 2002
Dear Department of Health and Human Services Representatives:
I submit these comments on behalf of the American Psychological Association ("APA" or "we"), the largest membership association of psychologists with more than 155,000 members and affiliates engaged in the practice, research, and teaching of psychology, pursuant to the March 27, 2002 request (67 Fed. Reg. 14776) for comments regarding proposed modifications to the final rule regarding standards for the privacy of individually identifiable health information ("privacy rule"). As requested by the Department of the Health and Human Services (the "Department"), we focus our comments on three provisions of the privacy rule for which modifications have been proposed. Our comments concern: the proposed elimination of the patient consent requirement, the psychotherapy notes authorization requirement, and the "minimum necessary" requirement.
On December 17, 2001, the Mental Health Liaison Group ("MHLG"), the primary mental health advocacy coalition for mental health consumers, professionals and providers in Washington, DC, wrote to Secretary Tommy G.Thompson, regarding the patient consent, minimum necessary, psychotherapy notes authorization requirements, and other provisions in the rule. Our comments offered below are similar to those contained in the MHLG letter, which was signed by 38 other leading mental health consumer, professional and provider groups. Given this similarity and that the MHLG letter represents a consensus on the consent and other provisions that the Department now proposes to modify, we attach this letter to our comments for your consideration.
Patient consent should remain in the rule and be refined to address concerns of emergency medical providers, pharmacists and other entities regarding its impact on care.
The APA is disappointed with the proposed removal of the patient consent requirement of the rule at 45 C.F.R. § 164.506. During Congressional consideration of privacy legislation in the 1990's and throughout the privacy rulemaking process, we have consistently argued that patient consent is a cornerstone of assuring medical records privacy.
Patients have a right to their privacy, and therefore the right to protect the privacy of their records. Patients are afforded the opportunity to exercise their privacy right when they give consent for the use and disclosure of their records for payment, treatment, and health care operations purposes. Removing consent as proposed essentially shifts "ownership" of records to the entities that use and disclose them for treatment, payment, and health care operations purposes. Under the proposed modification, the patient is merely given the opportunity to acknowledge that he or she has received notice as to how his or her records will be used and disclosed.
As the Department notes, consent has little value under current practice and in the rule because it is mandatory. If a patient refuses to give consent, for example, he or she could be denied treatment. In practical terms, the distinction between patient consent and notice may appear slight. The patient will either allow his or her records to be used and disclosed for payment, treatment, and health care operations purposes, or be refused care in both instances. The distinction, however, may have legal ramifications for patients and for those entities that use and disclose the patient's records.
Consent represents a signed agreement by the patient regarding the manner in which health care professionals, providers, insurers, and other entities will use and disclose health information in the future. If a patient believes that his or her information has been improperly used or disclosed, evidence of such violation is legally framed by the terms of the consent agreement. Patient notice does not provide this framework, since a written and signed agreement does not exist between the patient and users of the record.
We urge the Department to carefully weigh this distinction, because the proposed consent modification, as mentioned, essentially shifts "ownership" of the record from the patient to the entities that use and disclose the record for treatment and administrative purposes. Under the modification, patients will lose their ability to give permission regarding the use of their records. Entities, but mainly insurers, will gain regulatory recognition of their use and disclosure of patient records. This modification, subtle as it may be in practical effect, appears to undermine the right of patients to the privacy of their records.
Rather than remove the consent provision entirely, the APA suggests that the provision be refined. For example, we believe that the Department makes strong arguments regarding the excess burden that consent places on pharmacists and emergency care providers. These arguments revolve around the difficulty of obtaining patient consent and its intrusion on the provision of patient care and services. The consent provision should be refined to consider such circumstances.
Health plans should be required to obtain patient authorization for treatment, payment, and health care operations purposes for which a patient could not foresee the use and disclosure of individually identifiable information.
In addition to strengthening the patient consent requirement, health plans should be required to obtain patient authorization for those treatment, payment, and health care operations purposes for which a patient could not foresee the use and disclosure of individually identifiable information. We view these certain purposes as administrative functions of the insurer that are not part of the direct treatment of an individual patient. We suggest this change preferably in addition to retention of the consent provision. If the Department ultimately removes consent, such patient authorization would be an important compromise that will help ensure the privacy of patient records.
The Department's statement in commentary to these proposed modifications that many patients "expect that their health information will be used and disclosed as necessary to treat them, bill for treatment, and, to some extent, operate the covered entity's health care business" may be true (1). Many patients, however, accurately believe that their treatment is no longer private. This belief appears to be particularly held by patients in large health plans, which commonly place private health information in easily accessible databases for use and disclosure by many employees for many purposes, identified in the rule as treatment, payment, and health care operations purposes (2).
Patients have lost confidence in the privacy of their records and in the confidentiality of their relationship with their direct treating professionals. In fact, we suggest that many patients loathe the current access of health plans to their private records for administrative purposes that benefit the health plan and have nothing or little to do with their individual treatment. Part of the problem stems from the necessary reality that, as the Department acknowledges, health plans lack direct contact and only have an "indirect treatment relationship" with the patient (3). This lack of direct contact and a treatment relationship with the patient, however, is at the core of the need for a patient privacy law in the first place.
Patients generally are not concerned with the use of their records by their treating professionals. Rather they are worried, and legitimately so, with the use of their records by entities with which they have little or no contact.
The current broad use and disclosure of records by health plans represents an unacceptable status quo. A status quo that the Department exacerbates by providing health plans with great access to patient records through very broad definitions of "payment", "treatment", and "health care operations".
Health insurance industry advocates have argued that expansive definitions of "payment, treatment, and health care operations" are warranted, since access to identifiable patient information helps them improve patient care in addition to plan administration. Indeed the APA agrees that some health plan activities, such as on-going quality assessment, can improve patient care. However, these activities generally improve patient care in the aggregate and are not related to the direct provision of care to an individual patient. Therefore, an individual patient's privacy is substantially weakened or even lost when his or her individually identifiable information is shared for administrative purposes or for purposes that may benefit patients in general.
While the patient consent requirement would certainly not interfere with the treatment, payment, and health care operations of health plans, patient authorization for use and disclosures that are administrative would take some effort on the part of health plans. However, in our view health plans should not have such access to individually identifiable patient information for these purposes without patient authorization in the first place. Requiring patient authorization would represent an important proactive step toward guarding the privacy of patient records.
Many of these administrative functions that should require patient authorization are embedded in the "health care operations," "treatment," and "payment" definitions. These various administrative functions include: quality assessment and improvement activities, protocol development, clinical guidelines development, student training activities, and fraud abuse and detection programs. We urge the Department to require patient authorization for these and other administrative functions of health plans.
The psychotherapy notes patient authorization should be accompanied by an additional patient authorization for the release of particularly sensitive psychological test data.
The APA is gratified to see the Department's continued support for patient authorization for the release of psychotherapy notes for treatment, payment, health care operations purposes and for other uses and disclosures. By requiring an insurer or other covered entity to obtain patient authorization for psychotherapy notes, 45 C.F.R. § 164.508(a)(2) provides an important privacy protection for patients seeking and receiving psychotherapy and related mental health services. Slight modifications proposed by the Department appear to strengthen the provision and, as the Department notes, to "clarify that this information is not permitted to be used or disclosed without individual authorization for purposes of another entity" (4).
We appreciate the Department's commitment to the understanding that mental health records, such as psychotherapy notes, need heightened protection in the rule. The reasons for such heightened protection are manifold but rooted in societal stigmatization of mental disorders, and more intimately to the individual patient, in the fear that disclosure of a mental disorder and treatment to loved ones, family, friends, business associates, and even acquaintances could harm these relationships, perhaps irreparably.
Patient authorization for release of psychotherapy notes will help secure the privacy of the relationship between the patient and treating psychologist, but more protection is needed. Psychologists and some other mental health professionals typically create and maintain psychological test data, which are in addition and often directly related to psychotherapy notes.
The privacy of test data should also be protected through patient authorization for release to ensure effective psychotherapy and other mental health treatment. Such authorization will help preserve an atmosphere of confidence and trust so that a patient "is willing to make a frank and complete disclosure of facts, emotions, memories, and fears (5)."
To clarify terms, "test data" includes test results, raw test data (generally, the test form itself, the actual answers of the patient on the test form, etc.), reports, and global scores, and "test materials" include protocols, manuals, test items, scoring keys or algorithms, and any other materials considered secure by the test developer or publisher. In this comment, we refer to both test data and test materials under the blanket term, "test data."
Since publication of the proposed rule in November 1999, the APA has repeatedly requested that the Department provide for patient authorization for the release of psychological test data in comments to the proposed and final rule (6). We have since been joined in our request by 38 other leading mental health advocacy organizations of the Mental Health Liaison Group. In a December 17, 2001 letter to Secretary Thompson (as referenced above and attached), the MHLG requested that the Department amend the rule to provide for patient authorization for the release of testing records.
A primary reason for providing for patient authorization of test data is one of continuity. A patient cannot feel secure in the privacy of his or her relationship with a psychologist, if a realistic perception exists that some records, namely psychotherapy notes, require specific authorization for release, while other records, psychological testing and assessment records, with similar and highly sensitive, often embarrassing, information do not.
In discussing the psychotherapy notes patient authorization requirement in the final rule, the Department clarified the rationale for the requirement:
[T]he rationale for providing special protection for psychotherapy notes is not only that they contain particularly sensitive information, but also that they are the personal notes of the therapist, intended to help him or her recall the therapy discussion and are of little use or no use to others not involved in the therapy. Information in these notes is not intended to communicate to, or even be seen by, persons other than the therapist. Although all psychotherapy information may be considered sensitive, we have limited the definition of psychotherapy notes to only that information that is kept separate by the provider for his or her own purposes. It does not refer to the medical record and other sources of information that would normally be disclosed for treatment, payment, and health care operations (7).
We respectfully submit that psychological test data are exactly the same type of sensitive information as psychotherapy notes to warrant patient authorization for release. Essentially, the Department has determined that heightened protection for psychotherapy notes is needed because such notes: (A) contain particularly sensitive information, and (B) are kept separate by the mental health professional for his or her own purposes. The Department further elucidates on the second requirement by indicating that such notes are of little or no use to others not involved in the therapy, are not intended be communicated to or even be seen by persons other than the therapist, and do not refer to the medical record and other sources that would normally be disclosed for treatment, payment, and health care operations. As with psychotherapy notes, psychologists and other therapists may include portions of test data in patient medical records, but that portion which is generally not shared should similarly fall under a patient authorization requirement for release.
A. Test data in psychological assessment contains particularly sensitive information.
Psychologists typically utilize psychological tests that require patients to divulge highly sensitive personal information, which is typically as sensitive as the information contained in psychotherapy notes. For example, the Minnesota Multiphasic Personality Inventory (MMPI-2), one of the most commonly used clinical tests, contains an item asking the respondent to indicate whether he or she has "indulged in unusual sex practices." For example, MMPI-2 asks a respondent whether he or she "has used alcohol excessively." For example, the Rorschach, again a common testing technique, asks respondents to interpret what a series of inkblots might represent. Common responses include emotional expressions, fantasies, and notations by the psychologist on the respondent's behavior while giving the response.
Obviously, these questions themselves and the answers the patient provides contain particularly sensitive information, far more sensitive than nearly any information related to treatment for physical diagnoses. This information is more sensitive than general mental health information that may be provided to health plans for purposes of payment, treatment, and health care operations. Certainly, test data include patient emanations of highly sensitive information, which may have meaning only to the psychologist giving the test. For these reasons, psychological test data contain sensitive patient information similar to that contained in psychotherapy notes and meets this part of the Department's rationale for requiring patient authorization for release. In addition, these highly sensitive and personal responses are meaningless to persons not trained to interpret them in the aggregate, as elaborated below.
B. Highly sensitive test data are kept separate by the mental health professional for his or her own use.
A psychologist is required by ethical standards, law, and contractual agreements to carefully determine the release of test data, to keep certain test data for his or her own purposes, and to not include such data in the medical record (8). Many of these standards and laws are meant to protect the patient and the privacy of the records, and contractual agreements with the test developer or publisher are primarily meant to protect the tests themselves.
According to the APA Code of Ethics, a psychologist must " . . . make reasonable efforts to maintain the integrity and security of tests and other assessment techniques consistent with law, contractual obligations, and in a manner that permits compliance with the requirements of this Ethics Code (9)." Unless otherwise mandated by law, a psychologist must request patient consent for release of test data in order to obtain payment for services (10). Many states have statutes that require formal consent before records can be released or protect against disclosure of mental health records under the psychotherapist-patient relationship. Even with such consent and consent requirements, however, many psychologists release only certain test data to health plans.
For purposes of disclosing test data to health plans, such as (under this rule) for payment, treatment, and health care operations, many psychologists provide written psychological assessments in place of sensitive test data. A psychological assessment, often a standardized report, contains such information as an overall summary of diagnosis and treatment, diagnostic impressions and interpretations, and treatment recommendations. Psychologists generally keep separate and for their own use test results (other than summary results provided), raw test data, global scores, and test materials, such as protocols, manuals, test items, scoring keys, algorithms, and other related materials.
A psychologist keeps much test data for his or her own use for purposes of psychotherapy and treatment and to protect the privacy of the patient and of their psychotherapeutic relationship. In addition, many psychologists specialize in testing and administer testing for psychologists and other therapists for purposes of patient treatment. Authorization must also apply to psychologists as test givers.
When a patient provides answers during psychological assessment, these are responses of the patient, similar to responses that a patient would provide during psychotherapy. Assessment questions may require the patient to reveal highly sensitive personal information, and the psychologist will protect this information as necessary. Psychological testing then, like psychotherapy, depends upon "an atmosphere of confidence and trust in which the patient is willing to make frank and complete disclosure of facts, emotions, memories, and fears."
Psychologists are particularly careful not to release test data, other than assessment summaries, to individuals who are not qualified to use such data. Regarding assessment techniques, interventions, results, and interpretations, for example, psychologists have an ethical duty to " . . . take reasonable steps to prevent others from misusing the information these techniques provide. This includes refraining from releasing raw test results or raw data to persons, other than to patients or clients as appropriate, who are not qualified to use such information (11)." Psychological testing standards call for responsibility for test use to be assumed by or delegated only to those individuals with the training and experience necessary to handle these responsibilities in a responsible and technically adequate manner (12).
Inappropriate release of test data can harm the health of the patient and the treatment relationship between the psychologist and the patient. In commentary to the proposed and final rule, the Department clearly recognizes this potential harm and has thus included a patient authorization requirement for release of psychotherapy notes. A patient, however, may be harmed in numerous other ways not directly related to treatment when sensitive test data is inappropriately disclosed.
One way that a patient can be harmed by the release of certain test data, such as raw data for example, is by its misinterpretation by individuals not trained in psychological testing, or by its use out of proper context. For example, an item on the MMPI-2 is combined with other items to determine if the respondent is being truthful. In other words, for assessment purposes several items on the MMPI-2, when viewed together can assist a psychologist in determining whether the respondent is attempting to mislead with his or her responses. One of these items asks the question: "I do not always tell the truth." If the person answers "no" to this question, it may then be combined with other answers to indicate that the person is actually attempting to mislead the tester. However, a "yes" answer, to a person not trained in interpreting this test, may be seen as meaning that the person is an untruthful person, when in fact he or she is being truthful in answering the item.
In addition to potential misuse, psychologists must consider release of test materials in relation to test security, potential invalidation, copyright law and contractual obligations. Psychologists' consideration of these issues has been succinctly discussed in psychological publication:
Disclosure of secure testing materials (e.g., test items, test scoring, or test protocols) to unqualified persons may decrease the test's validity. Availability of test items to an unqualified person can not only render the test invalid for any future use with that individual, but also jeopardizes the security and integrity of the test for other persons who may be exposed to test items or responses. Such release imposes very concrete harm to the general public-loss of effective assessment tools. Because there are a limited number of standardized psychological tests considered appropriate for a given purpose (in some instances only a single instrument), they cannot easily be replaced or substituted if an individual obtains prior knowledge of item content or the security of the test is otherwise compromised (13).
Psychologists must make sure when disclosing records to health plans, for example, that an individual in that plan is able to use the test data appropriately and to ensure that unqualified individuals do not have access to the data. In doing so or in providing assessment summaries in lieu of test data, psychologists protect the interests of the patient and meet their contractual and other obligations to the developer or publisher of the test materials.
Because test data contain particularly sensitive patient information, which psychologists and other professionals, under ethical and legal obligations, keep separate for treatment purposes of the individual patient, the APA urges the Department to require patient authorization for test data. The mental health consumer and professional community is united behind the need for test data authorization as an important means of securing the privacy of the records of persons seeking and receiving psychotherapy and other mental health services. This important authorization should be included in the final rule.
Psychologists and other therapists should not have their participation in health plans predicated on seeking patient authorization for psychotherapy notes.
An important component of the psychotherapy notes authorization requirement is that a covered entity, such as a health plan, "may not condition the provision to an individual of treatment, payment, enrollment in the health plan, or eligibility for benefits on the provision of an authorization (14)." Obviously, this provision ensures that the psychotherapy notes authorization requirement is meaningful in that a patient may continue to receive treatment and remain enrolled in a health plan, even if he or she chooses not to provide sensitive information contained in psychotherapy notes to a plan.
Likewise, a psychologist or other therapist should not have his or her participation in a health plan predicated on seeking patient authorization for psychotherapy notes. In its December 2001 letter to Secretary Thompson, the MHLG anticipated that health plans could potentially attempt to pressure therapists into seeking patient authorization for psychotherapy notes. The MHLG urged the Secretary to provide guidance to ensure that the psychotherapy notes authorization could not be circumvented in this manner.
Unfortunately, we believe that health plans are now generating HIPAA information, targeted to our member psychologists, which is unclear as to whether they must obtain patient authorization in order to remain in the plan. For example, in a recent publication from Regence BlueCross BlueShield of Oregon ("Regence BCBSO"), participating professionals are informed that:
Non-psychotherapy notes are maintained in the patient's chart. Any items falling into the non-psychotherapy notes category must be disclosed to the health plan and the patient, with only a general consent. With patient authorization (specific disclosure with expiration and/or revocation rights) psychotherapy notes may also be disclosed to the health plan. All Regence BCBSO and affiliated health plan agreements require the creator of the record to release records necessary to facilitate payment and health care operations. In the future, Regence BCBSO will require contracted physicians and other mental health and chemical dependency providers to secure authorizations under HIPAA that permit them to "use and disclose" information to the health plan (15).
After elucidating the privacy rule's definition of items not included in psychotherapy notes, the Regence BCBSO publication states that:
Under some circumstances non-psychotherapy notes may be sufficient to meet health plan needs for documentation. However, the quality of record keeping varies widely and access to psychotherapy notes may be necessary to make payment on some claims (16).
Under the Regence BCBSO description of patient authorization for release of psychotherapy notes, a psychologist or other therapist could reasonably believe that a health plan can require him or her to obtain authorization for purposes of the treatment, payment, or health care operations of the plan. In addition, the therapist may perceive from this health plan instruction that obtaining patient authorization may be required as part of his or her continued participation in the plan or that payment for services is predicated on the obtaining of patient authorization for psychotherapy notes.
While it may be appropriate, in extraordinary circumstances, for a health plan to request that a psychologist or other therapist seek patient authorization for psychotherapy notes, such request should not be coerced, either on the patient or the therapist. Certainly, this should not be a routine request under "some" circumstances, related to inadequacy of the quality of documentation provided to the plan by a health care professional.
The privacy rule is quite clear that psychotherapy notes are not required for purposes of payment, treatment, or health care operations. The rule clearly indicates those data elements that are excluded from the term "psychotherapy notes" that may be made available to a health plan for treatment, payment, and health care operations purposes. These are: medication prescription and monitoring, counseling session start and stop times, modalities and frequencies of treatment, results of clinical tests, and summaries of diagnosis, functional status, treatment plan, symptoms, prognosis, and progress to dates. Psychotherapy notes are separated from these elements for the use of the therapist in treatment. A plan may ask for clearer or better documentation from a provider regarding that information which is not part of the patient's psychotherapy notes, but a plan may not routinely, or even sometimes, require a therapist to authorize release of information contained in psychotherapy notes for its administrative purposes.
The APA does not know how common this sort of instruction, as provided in the Regence BCBSO materials, is. Unfortunately, we believe that it could be a common instruction, which highlights the need for guidance by the Department on this issue.
The "minimum necessary" requirement should be interpreted most favorably to the patient to preserve the privacy of records when disclosed to health plans and other entities for treatment, payment, and health care operations purposes.
We appreciate the Department's proposed modifications that clarify that oral communications between health care professionals in treatment of a patient are not subject to the minimum necessary requirement. The "incidental" disclosure exception to the minimum necessary requirement for such oral communications appears well designed and narrow to ensure that patient treatment between health care professionals is not impeded. The APA supports the inclusion of this modification in the rule.
More importantly, we appreciate the Department's rejection of the suggestion that disclosures for treatment, payment, and health care operations be exempted from the "minimum necessary requirement (17)." Requiring that health plans request the minimum amount of individually identifiable patient information necessary for health plan administrative purposes lies at the heart of the protection that the rule affords to patients and their records.
The privacy rule provides health plans and other entities great access to patient records for uses and disclosures related to treatment, payment, and health care operations. This broad access is balanced in part by the minimum necessary requirement so that each time a patient's record is accessed by a health plan or other third party, such entity must demonstrate that it is requesting the minimum amount of patient information necessary for the purpose of its use. Removing or weakening the minimum necessary requirement would swing the balance of the rule in favor of health plans and would essentially gut the protections that the rule affords for patients.
The Department appears to recognize this balance in its commentary accompanying these proposed modifications:
With regard to payment and health care operations, the Department remains concerned, as stated in the preamble to the Privacy Rule, that, without the minimum necessary standard, covered entities may be tempted to disclose an entire medical record when only a few items of information are necessary, to avoid the administrative step of extracting or redacting information. The Department also believes that this standard will cause covered entities to assess their privacy practices, give the privacy interests of their patients and enrollees greater attention, and make improvements that might otherwise not be made (18).
The APA appreciates the Department's continued recognition of the primary importance of the minimum necessary requirement for the protection of the patient record. From our standpoint, health plans are most likely to be tempted to request an entire medical record, as has occurred in the past. Throughout our comments, we have mentioned our belief that health plan demands for individual patient information have substantially eroded the privacy of the records. For persons seeking and receiving mental health services, where particularly sensitive health information is involved, the minimum necessary and the psychotherapy notes authorization requirements will improve records privacy, while not denying health plans access to information for their administrative purposes.
The APA welcomes the Department's recent outreach to psychology and other professionals and consumers regarding the minimum necessary requirement. We assume that outreach is part of the Department's intention, as stated in commentary to the proposed modifications, "to issue further guidance to clarify issues causing confusion and concern in the industry, as well as provide additional technical assistance materials to help covered entities implement the provision (19)."
Regarding any such clarification or interpretation that the Department may provide regarding the minimum necessary standard, we strongly urge that the Department interpret the provision most favorably to the patient and treating professional. This means in practice that if health plans must have concrete definitions of minimum necessary information for treatment, payment, and health care operations purposes, that such information be the absolute minimum necessary for such purposes.
To some extent, this minimum necessary data is already outlined for mental health records in the rule through the "psychotherapy notes" definition. In other words, depending on the purpose of the disclosure, a health plan may have that portion of the patient's record that concerns medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and summaries of diagnosis, functional status, treatment plan, symptoms, prognosis, and progress to date (20). A health plan may not have a patient's psychotherapy notes, absent patient authorization.
A health plan should never request, as some health plans currently demand, a patient's entire record without a compelling reason of a need for the entire record. This is an abuse of records disclosure of which the Department is apparently aware and which the minimum necessary requirement is meant to end.
Psychologists, by nature of the patients that they serve and the sensitivity of records associated with treatment, are deeply committed to the preservation of the privacy of mental health records and patient records in general. The APA is currently working to help our members understand and come into compliance with the privacy rule. We hope to continue to tell our members that the privacy rule contains a substantial floor of federal protection for their patients' records. For these reasons, we hope that the Department will retain the consent provision and improve the psychotherapy notes authorization and minimum necessary requirements, as we have requested.
The APA appreciates the Department's consideration of these and our past comments. We hope that the Department will continue to rely on the APA as it implements the rule. Please contact Doug Walter, J.D., Legislative and Regulatory Counsel, Government Relations, at (202) 336-5889, regarding these comments and for any further assistance that we may provide.
Sincerely,
Russ Newman, PhD, JD
Executive Director for Professional Practice
Endnotes:
(1) 67 Fed. Reg. at 14778.
(2) Regarding patient concerns with the privacy of their records, see for example, California HealthCare Foundation, National Survey: Confidentiality of Medical Records (January 1999). Available at http://www.chcf.org.
(3) 65 Fed. Reg. at 82648.
(4) 67 Fed. Reg. 14798.
(5) Jaffee v. Redmond, 518 U.S. 1 (1996), at 10.
(6) APA comments to the proposed rule may be found at http://www.apa.org/practice/privacycomments.html. APA comments to the final rule may be found at http://www.apa.org/practice/thompson.html.
(7) 65 Fed. Reg. 82623.
(8) For purposes of brevity, we generally do not attempt in this comment to discuss the large body of federal and state law that concern the release of psychological test data. Many of these laws are peripheral to but affect the disclosure of test data for purposes of treatment, payment, or health care operations. We reference these laws for purposes of the Secretary's information and would provide more information regarding these laws upon his request.
(9) American Psychological Association, Ethical Principles of Psychologists and Code of Conduct, Standard 2.10 (1992).
(10) Id. at Standard 5.05.
(11) Id. at Standard 2.02.
(12) American Educational Research Association, American Psychological Association, National Council on Measurement in Education, Standards for Educational and Psychological Testing, Standard 11.3 (1999).
(13) American Psychological Association, "Statement on the Disclosure of Test Data," American Psychologist, 51, no. 6 (June 1996): 646.
(14) 45 C.F.R. § 164.508(b)(4).
(15) Regence BlueCross BlueShield of Oregon, "The Behavioral Health BluePrint Newsletter," 1, no. 1 (November 2001): 3. (Available on line at: www.or.regence.com/provider/bcbso.)
(16) Id.
(17) 67 Fed. Reg. 14786.
(18) 67 Fed. Reg. 14786.
(19) 67 Fed. Reg. 14787.
(20) 45 C.F.R. § 164.501.
