California Privacy Law Poses Challenge for External Peer Review of Outpatient Psychotherapists
* The following article was originally published by California Healthcare News.
California’s version of HIPAA, the Confidentiality of Medical Information Act, or “CMIA,” (Cal. Civil Code § 56 et seq.), permits hospitals and other health care providers to disclose medical information without the patient’s consent for the purposes of reviewing the competence or qualifications of health care professionals or health care services with respect to medical necessity, level of care, quality of care, or justification of charges. This appears to be a broad exception to CMIA’s confidentiality requirements, but many providers seem to be unaware that this peer review disclosure exception does not apply to any medical information specifically related to a patient’s participation in outpatient treatment with a psychotherapist.
CMIA’s rules for how a health care provider may release outpatient psychotherapy treatment information to a third party requestor without the patient’s written authorization are very specific. The person or entity requesting the information must first submit a written request (meeting certain requirements) to the health care provider. A copy of this request must be provided to the subject patient within 30 days of the requestor’s receipt of the applicable information, unless the patient waives in writing his or her right to receive such notice.
This special process for disclosing outpatient psychotherapy treatment information does not apply to disclosures for diagnosis and treatment purposes or certain disclosures to law enforcement and regulatory agencies. Unfortunately, there is no such disclosure exception for peer review. As a result, health care providers have the following options if they wish to disclose outpatient psychotherapy treatment information for the purposes of external peer review:
- Ensure the requestor is following the written request process set forth under California Civil Code Section 56.104, including submitting a copy of the request to the subject patient within 30 days of receiving the requested information;
- Ask the patient to sign an optional written waiver whereby the patient waives notice under Section 56.104 with respect to disclosures for the purposes of peer review or, more generally, disclosures that otherwise comply with CMIA and HIPAA. Providers may consider presenting the waiver to the patient for review and signature, if acceptable, when obtaining written acknowledgement of receipt of their notice of privacy practices. Of course, patients may choose not to sign the waiver;
- Obtain written authorization from the patient permitting the provider to disclose the patient’s outpatient psychotherapy treatment information for peer review purposes. This approach seems less practical than the waiver, though, because the authorization must include an expiration date and meet the other requirements set forth under CMIA; or
- Redact all of the patient’s individually identifiable information from the outpatient psychotherapy treatment records prior to disclosure. Again, this approach may not be practical because such redaction is time consuming and may interfere with the external reviewer’s ability to properly review the psychotherapy treatment services provided.
Failure to comply with CMIA exposes health care providers to civil penalties of up to (1) $2,500 per negligent violation, (2) $25,000 per knowing and willful violation, and (3) $250,000 per knowing and willful violation for the purposes of financial gain. Violations resulting in economic loss or personal injury to the patient are also punishable as a misdemeanor. In addition, CMIA provides the patient with a private right of action for use or disclosure of his or her medical information in violation of CMIA. Health care facilities licensed by the California Department of Public Health (CDPH) also are required to report to CDPH and the affected patient any unlawful or unauthorized access to, and use or disclosure of, the patient’s medical information within 15 business days of detection. It is important, therefore, for health care providers to ensure that disclosures of outpatient psychotherapy treatment information for the purposes of peer review, or otherwise, comply with CMIA.
Jade Kelly is a partner at Arent Fox, LLP, where she is a member of the Health Care Group and Privacy, Cybersecurity & Data Protection Group. She advises health systems, hospitals, long-term care facilities, start-ups and other organizations on business and regulatory matters. Jade has extensive experience counseling clients regarding HIPAA, privacy and security, fraud and abuse, and other health care laws. Jade’s practice also includes negotiating and structuring health care business arrangements and transactions, including negotiating and drafting service agreements and other contracts, mergers and acquisitions, setting up health care entities, and hospital-physician alignment strategies. She can be reached at 213-443-7619 or firstname.lastname@example.org.