Original Publish Date: April 4, 2017
California’s version of HIPAA, the Confidentiality of Medical Information Act, or “CMIA,” (Cal. Civil Code § 56 et seq.), permits hospitals and other health care providers to disclose medical information without the patient’s consent for the purposes of reviewing the competence or qualifications of health care professionals or health care services with respect to medical necessity, level of care, quality of care, or justification of charges. This appears to be a broad exception to CMIA’s confidentiality requirements, but many providers seem to be unaware that this peer review disclosure exception does not apply to any medical information specifically related to a patient’s participation in outpatient treatment with a psychotherapist.
CMIA’s rules for how a health care provider may release outpatient psychotherapy treatment information to a third party requestor without the patient’s written authorization are very specific. The person or entity requesting the information must first submit a written request (meeting certain requirements) to the health care provider. A copy of this request must be provided to the subject patient within 30 days of the requestor’s receipt of the applicable information, unless the patient waives in writing his or her right to receive such notice.
This special process for disclosing outpatient psychotherapy treatment information does not apply to disclosures for diagnosis and treatment purposes or certain disclosures to law enforcement and regulatory agencies. Unfortunately, there is no such disclosure exception for peer review. As a result, health care providers have the following options if they wish to disclose outpatient psychotherapy treatment information for the purposes of external peer review:
Failure to comply with CMIA exposes health care providers to civil penalties of up to (1) $2,500 per negligent violation, (2) $25,000 per knowing and willful violation, and (3) $250,000 per knowing and willful violation for the purposes of financial gain. Violations resulting in economic loss or personal injury to the patient are also punishable as a misdemeanor. In addition, CMIA provides the patient with a private right of action for use or disclosure of his or her medical information in violation of CMIA. Health care facilities licensed by the California Department of Public Health (CDPH) also are required to report to CDPH and the affected patient any unlawful or unauthorized access to, and use or disclosure of, the patient’s medical information within 15 business days of detection. It is important, therefore, for health care providers to ensure that disclosures of outpatient psychotherapy treatment information for the purposes of peer review, or otherwise, comply with CMIA.
Jade Kelly is a partner at Arent Fox, LLP, where she is a member of the Health Care Group and Privacy, Cybersecurity & Data Protection Group. She advises health systems, hospitals, long-term care facilities, start-ups and other organizations on business and regulatory matters. Jade has extensive experience counseling clients regarding HIPAA, privacy and security, fraud and abuse, and other health care laws. Jade’s practice also includes negotiating and structuring health care business arrangements and transactions, including negotiating and drafting service agreements and other contracts, mergers and acquisitions, setting-up health care entities, and hospital-physician alignment strategies. She can be reached at 213-443-7619 or email@example.com.
To learn more about Arent Fox LLP visit www.arentfox.com.