July 19, 2018
A. By Patient Or Patient’s Representative Or Designee
1. Competent/Incompetent Adult Patients
Patients, regardless of their competency, are entitled to access their records. The significant issue that arises with incompetent clients is their ability to consent to disclosure of records. A client who is under a guardianship adjudicated in the probate court46 or who has an agent under a durable power of attorney47 does not have authority to consent to the release of mental health records to a third party without the approval of the guardian or agent.
An adult is any person 18 or more years old.48 To the extent an adult patient is suspected of being incompetent, but has not been declared so by a court, the patient continues to have the authority to consent to the disclosure of his or her records. A medical provider may attempt to counsel the patient regarding authorization of the disclosure. However, until the patient is declared incompetent by a court, the patient retains the absolute right to continue handling his or her affairs.
2. Minor Patients
In most situations, the parent or guardian of a minor child holds the right to disclosure unless the child is in the military, emancipated by marriage, or is emancipated from the parents.
Generally, minors do have access to the medical information contained in their medical records. However, only a parent or legal guardian appointed by the probate court may consent to releasing medical records.49
In the case of a child with divorced parents, each parent has the authority to authorize release of medical records. If one parent is awarded sole legal custody of a child, only that parent’s authorization is legally sufficient to release records. However, in contested custody disputes involving the records of minors, the release of records may require an independent evaluation by the Court if the disclosure is in the best interest of the child.50
3. Deceased Patients
Under prior law, the medical records became the property of the estate if the patient died and could only be disclosed or destroyed with the authorization of the executor of the estate. Since 2011, however, the surviving spouse is entitled to access the decedent’s medical record irrespective of whether the surviving spouse is the decedent’s executor, unless the decedent objected to such a release prior to his or her death.51 Generally, however, the records of deceased patients belong to their estate and only the executor or administrator of the estate may release them. Parents of minor children or next of kin (besides a spouse) cannot access records of a deceased person unless they are appointed by the Probate Court as executor or administrator of the estate. It should be noted that a person holding a power of attorney or guardianship appointment cannot access or release records once a patient has died. An exception gives the state medical examiner the power to obtain medical records of any person’s death under investigation by that office.52
4. Insurers
Insurers typically require that their insureds grant them full access to their medical records for purposes of payment to health care providers. This is normally contained in the agreement between the insurer and the insured. The health care provider is not typically a party to that agreement but should ascertain that the patient has consented to the disclosure. HIPAA attempts to simplify this process by allowing healthcare providers to use protected health information for payment purposes.
B. By Peer Review Organizations, Third Party Payors, Employers
Peer review organizations are generally allowed access to confidential medical records. For example, New Hampshire law governing confidential communications between a physician and a patient provides for the following exception:
This section shall not apply to investigations and hearings conducted by the board of medicine under RSA 329, any other statutorily created health occupational licensing or certifying board conducting licensing, certifying, or disciplinary proceedings or hearings conducted pursuant to RSA 135-C:27-54 or RSA 464-A.57
Additional statutes further define the identity of the peer review board. In New Hampshire, physicians are subject to the authority of the American Medical Association or the Medical Care Foundation.58
It is important to note that federal and/or state agencies often require providers to make their records available under limited circumstances. HIPAA privacy regulations also require that a covered entity (health plan, health care clearinghouse, and a health care provider who transmits health information in electronic form) must “permit access by the Secretary [of Health and Human Services] during normal business hours to its facilities, books, records, accounts, and other sources of information, including protected health information, that are pertinent to ascertaining compliance with the applicable requirements” of the regulation.59
Frequently, law enforcement agencies will contact a medical provider in the course of a criminal investigation. Information regarding gunshot wounds, sexual assault, child abuse, and certain drug seeking activity may be released, but counsel should always be consulted first.
Additionally, for purposes of any medical examination into the cause and manner of a death, the chief medical examiner is statutorily entitled to access medical records of the deceased.60 The issue of privileged information is often raised during law enforcement investigations. Prosecutors in New Hampshire are now required to give patients notice of their attempts to subpoena medical records for grand jury proceedings.61 Both the patient and the provider have the right to attempt to quash the subpoena.62 There is a fine line between what may be disclosed under authorization, court order, or statutory exception, and what may be disclosed voluntarily.
In uncertain circumstances, it is advisable to seek the advice of legal counsel or someone in the company trained in determining which matters are privileged.
C. Workers’ Compensation Proceedings
New Hampshire’s “no fault” system of coverage under the Workers’ Compensation law provides that employees waive their right to confidentiality with regard to their medical records if they apply for benefits:
The act of the worker in applying for workers’ compensation benefits constitutes authorization to any physician, hospital, chiropractor, or other medical vendor to supply all relevant information regarding the worker’s occupational injury or illness to the insurer, the insurer’s representative, the worker’s employer, the worker’s representative, the worker’s employer’s representative and the department. Medical information relevant to a claim includes a past history of complaints of, or treatment of, a condition similar to that presented in the claim.
Any person who supplies information in accordance with this subparagraph and with rules adopted by the commissioner shall be immune from any liability, civil or criminal, that might otherwise be incurred for such action. The physician may require evidence from the workers’ representative in his or her representative capacity. This authorization shall be valid for the duration of the work-related injury or illness.63
A health care provider’s failure to supply the requested documents can result in a civil penalty of up to $2,500.00.64
D. Health Information Organization Corporation
In 2011, HB 489 became law in New Hampshire. The new law creates a “health information organization” – known as the Health Information Organization Corporation (“HIOC”) – that is intended to facilitate the exchange of PHI for “clinical decision-making purposes.” The genesis of the New Hampshire Health Information Organization Corporation was the 2009 federal American Recovery and Reinvestment Act (“ARRA”), which created an office housed within the Department of Health and Human Services dedicated to developing “a nationwide health information technology infrastructure.”65 In 2009, it was hoped that investment in health information technology would serve the dual goals of stimulating the economy and improving the nation’s health information technology infrastructure. The stated goal of the ARRA is for every American to have an electronic health record by 2014.66 The funding for the creation of the HIOC was provided for by subtitle C of the ARRA.67 New Hampshire received an initial grant of $5.5 million, and is expected to receive an additional $20-30 million over the next decade.68 Amounts received by the HIOC must be used “to conduct activities to facilitate and expand the electronic movement and use of health information among organizations according to nationally recognized standards through activities that include:
(1) enhancing broad and varied participation in the authorized and secure nationwide electronic use and exchange of health information;
(2) identifying State or local resources available towards a nationwide effort to promote health information technology;
(3) complementing other Federal grants, programs, and efforts towards the promotion of health information technology;
(4) providing technical assistance for the development and dissemination of solutions to barriers to the exchange of electronic health information;
(5) promoting effective strategies to adopt and utilize health information technology in medically underserved communities;
(6) assisting patients in utilizing health information technology;
(7) encouraging clinicians to work with Health Information Technology Regional Extension Centers as described in section 3012, to the extent they are available and valuable;
(8) supporting public health agencies’ authorized use of and access to electronic health information;
(9) promoting the use of electronic health records for quality improvement including through quality measures reporting; and
(10) such other activities as the Secretary may specify.”69
New Hampshire House Bill 489 creates an entity that is eligible to receive this federal assistance. That entity, the HIOC, is in the process of creating an exchange through which health care providers (or their business associates) will transmit patients’ PHI. Only other health care providers may access the PHI, and only then for purposes of treatment.70 The goal of the health information organization is to improve efficiency and patient safety, reduce costs, and ensure that PHI is safeguarded.
Because the health information organization is only in its infancy, many of the details of its operations have yet to develop. However, the organization should be viewed as affecting existing confidentiality and disclosure laws in only a limited way. The law expressly states that “The health information organization shall follow all current and future laws relative to medical information privacy,”71 and the disclosure it authorizes is quite narrow. While it will likely remake how PHI is shared, it is not likely to remake its protected status.
Exceptions to the Confidentiality of Mental Health Records
There are two types of exceptions to mental health record confidentiality: permissive exceptions and mandatory exceptions. Permissive exceptions allow mental health institutions and personnel to disclose mental health records and information to third parties in certain limited circumstances. Mandatory exceptions require mental health institutions and personnel to disclose mental health records under certain limited circumstances to qualifying third parties, usually a government agency. The key distinction between the two is that permissive exceptions allow the mental health institution personnel discretion in determining whether to grant access.
If any doubt or ambiguity exists in determining whether or not to grant a third party access to mental health records under a permissive exception, access should not be given because there is no penalty for failing to turn them over. Mandatory exceptions, on the other hand, frequently provide a penalty for failure to disclose.
1. Permissive Exceptions to Confidentiality
a. Person living with or caring for someone with a mental illness
A person living with or providing direct care to a client with a serious or chronic mental illness may be provided information concerning diagnosis, admission to or discharge from a treatment facility, functional assessment, prescribed medications and side effects, behavioral and physical manifestations of the failure to take medications, treatment plans and goals, and behavior management strategies.72
Prior to disclosure, the facility must request, in writing, the client’s written consent. If the client declines to consent, they must be notified in writing of the name of the person requesting and receiving the information, the specific information requested and furnished, and the purpose of the request.73 Regardless of the client’s consent, information may still be disclosed if the appropriate requests and notices have been provided.
b. Involuntary emergency admission
A receiving facility admitting a patient pursuant to an involuntary emergency admission under RSA 135-C:27-54 may request medical information from any previous health care provider.74 Information which may be provided is limited to prescribed medication, known medication allergies, or other information essential to the medical or psychiatric care of the client being admitted.75 Before providing the information, it is advisable for the medical provider to verify the receiving facility’s attempts to obtain consent in writing from the client.
2. Mandatory Exceptions to Confidentiality
a. Child abuse
Any person, including psychiatrists, psychologists, therapists, and counselors, who suspects a child has been abused or neglected, must report such abuse.76 The person reporting the abuse does not have to give notice to the client. Further, any health care professional or social worker having reason to believe an incapacitated adult is being subjected to physical abuse, neglect, or exploitation, must report the abuse to the Bureau of Elderly and Adult Services.77 The counselor does not have to provide notice of the disclosure to the client.
b. Violent acts
Any physician,78 nurse,79 or mental health professional80 licensed to practice under New Hampshire law has a duty to warn, or take reasonable precautions to provide protection, from a client’s violent behavior when the client has communicated a serious threat of physical violence against a reasonably identifiable victim or a serious threat of substantial damage to real property.81 These laws adopt the holding of the landmark California case Tarasoff v. Regents of University of California, before which it was generally the law that no such duty existed. Note that the professional does not have to obtain consent from the client or notify the client of the impending disclosure.
c. Disclosures to Law Enforcement
1. Gunshot wounds or injuries suspected to be caused illegally
A medical provider who knowingly treats or assists a person for any injury possibly caused by a criminal act and who fails to notify a law-enforcement official of all relevant information concerning the injury is guilty of a misdemeanor.82 A narrow exception to this rule exists when the treated person is at least 18 years of age and a victim of sexual assault or abuse, and objects to the release of the information.83 However, the exception does not apply if the assault or abuse includes a gunshot wound or other serious injury.84
The legislature appears to have adopted a policy that the privilege should not protect criminal conduct of any sort.
2. Drug Seeking Activity
New Hampshire RSA 318-B:2185 permits the release of information communicated to a provider in an attempt to procure a controlled drug or unlawfully to procure the administration of such drug. However, the provider must receive enough information from the officer to understand that the client is suspected of seeing other physicians to obtain the same drug, and although the client appears ill, is drug seeking. The provider may only release information pertaining to the particular visit or visits at issue. No records should be provided without authorization unless a search warrant is issued.
3. Blood Alcohol Tests
RSA 329:26 excepts from the protection of the privilege blood samples collected in the course of an investigation into driving under the influence. In 2010, the New Hampshire Supreme Court addressed the tension between the patient-physician privilege and criminal prosecutions in light of RSA 329:26. In In re C.T., the police responded to a single car accident that appeared to be caused by the driver’s intoxication. The driver was taken to the hospital where a blood sample was taken in connection with his treatment. The investigating officer obtained a search warrant for the driver’s blood samples, toxicology reports, and medical records which the officer served upon the hospital.
The hospital produced the requested information but challenged the procedure for future cases. Relying upon the following statutory exception, the Court held that test results – but not medical records – are subject to disclosure in response to a duly issued search warrant:
This section shall ... not apply to the release of blood or urine samples and the results of laboratory tests for drugs or blood alcohol content taken from a person for purposes of diagnosis and treatment in connection with the incident giving rise to the investigation for driving a motor vehicle while such person was under the influence of intoxicating liquors or controlled drugs. The use and disclosure of such information shall be limited to the official criminal proceedings.86
In other words, blood and urine samples taken as part of a patient’s treatment regimen are potentially subject to disclosure.
4. Communicable Diseases
Upon the appearance of any communicable disease listed by the commissioner of Health and Human Services,87 any physician, superintendent, or other person in charge of any hospital, health care facility, or any other person having under his care or observation a person affected, or who has reason to believe that a person was or might have been afflicted with a communicable disease at the time of death, shall report their observation to the commissioner immediately, and shall provide such additional information and periodic reports as required under RSA § 141-C:9, I.88 The report must include basic information such as the name, age, address, occupation, and place of occupation of the infected person.89
In 2012, the much publicized outbreak of Hepatitis C at Exeter Hospital tested the limits of RSA 141-C. Exeter Hospital made a required report to N.H. D.H.H.S. after noticing a cluster of Hepatitis C occurrences there. D.H.H.S. launched an investigation. D.H.H.S. officials were given access to patient medical records via computer terminals located within the hospital. After several months, Exeter Hospital began requesting that D.H.H.S. share with the Hospital the information it had learned. When D.H.H.S. refused, Exeter Hospital filed a Motion for Declaratory Judgment and sought a Protective Order from the state Superior Court.
While this case involved the interplay of many of the principles discussed in these materials, the Court’s ruling focused on two broad areas. First, the Court ruled that the D.H.H.S. investigation was authorized by law and appropriately tailored to achieve its objective. In other words, D.H.H.S.’s requests were not overbroad but were instead needed to further its investigation. Second, the Court rejected the Hospital’s argument that confidentiality requirements and applicable privileges prevented the Hospital from releasing the requested information. The Court noted that the privileges are not absolute and that there is a statutory exception to confidentiality where the recipient is authorized by law to receive the records. In this case, RSA 141-C grants that authorization.
5. Drug and Alcohol Abuse
Facilities receiving federal assistance (including Medicare providers) are prohibited by federal law from disclosing information, recorded or not, relating to the treatment of a client in an alcohol or drug program without the client’s consent. In limited circumstances, exceptions to the general prohibition of release apply. These circumstances include internal communications, qualified service organizations agreements, crimes committed on the program premises, crimes committed against program personnel, child abuse or neglect reporting, certain medical emergencies, scientific research, audits and evaluations of the program, and court orders.90
New Hampshire law generally prohibits the state’s discovery of information, records, and reports of alcohol or drug abuse treatment in criminal proceedings unless specifically ordered by the court.91 The information contained in records relating to alcohol or drug abuse treatment may not be used for any purpose other than rehabilitation, research, statistical, or medical purposes unless the client consents in writing.92
6. AIDS/HIV
The results of a human immuno-deficiency virus test shall only be disclosed to:
i. The physician who ordered the test;
ii. The commissioner of Health and Human Services;
iii. The client tested;
iv. The parents or legal guardian if the client tested positive and is under 18 years of age or incompetent;
v. The facility holding the client by court order or the mental health facility to which the client is committed, if the client tested positive, the results shall be disclosed to the medical director or chief medical officer of such facility;
vi. The administrator in charge of the facility where the patient is held by court order or committed to, in order to provide the necessary data to properly assign, treat or manage the infected client;
vii. The other individuals that require such information to properly assign, treat or manage the infected client in the facility;
viii. A third party authorized by the positive client; and
ix. Blood banks, blood centers, plasma centers or other agencies receiving blood donations.93
Additionally, upon learning of a positive HIV test, a professional may have an obligation to inform emergency response and public safety personnel who may have been exposed to an infectious disease.94 HIV testing is required for persons convicted of sexual assault. The results must be disclosed to both the convicted person and the office of victim/witness assistance, which is then authorized to disclose the results to the victim.95
7. Discretionary Disclosure
A person living with or providing direct care to a client with a serious or chronic mental illness may be provided information concerning diagnosis, admission to or discharge from a treatment facility, functional assessment, prescribed medications and side effects, behavioral and physical manifestations of the failure to take medications, treatment plans and goals, and behavior management strategies.96
Prior to disclosure, the facility must request the client’s written consent.97 If the client declines to consent, they must be notified in writing of the name of the person requesting and receiving the information, the specific information requested and furnished, and the purpose of the request.98 Regardless of the client’s consent, information may still be disclosed if the appropriate requests and notices are provided.
B. Consequences of Improper Disclosure
1. Litigation Seeking Damages
A patient aggrieved by the disclosure of records may bring a lawsuit for breach of confidentiality of mental health records against the medical provider and/or the institution that disclosed the information. The lawsuit may seek money damages and/or injunctive relief prohibiting additional disclosures. However, disclosures made in good faith under (1) RSA 330-A:35, Duty to Warn; (2) RSA 135-C:19-a II, Information Provided for Involuntary Emergency Admissions; (3) RSA 169-C:29, Child Abuse and Neglect Reporting; (4) RSA 161-F:46, Adult Abuse and Neglect Reporting; and (5) RSA 141-G:4, Notification of Emergency Response Workers After Exposure to Infectious Disease, cannot give rise to civil liability.99
In contrast, information provided without a patient’s consent to persons living with or caring for someone mentally ill pursuant to RSA 135-C:19-a, I, is not protected from civil liability. Thus, a client aggrieved by what they perceive as an improper disclosure may bring an action in such a case.
The HITECH Act now enables the Department of Health & Human Services (“HHS”) to impose significantly increased civil penalties when it discovers violations of HIPAA.100 For violations occurring prior to February 18, 2009, the civil penalties include fines ranging from $100 to $25,000.101 For violations occurring after February 18, 2009, the tiered civil penalties include fines ranging from $100 to $1.5 million per calendar year.102 These penalties vary based on the mens rea involved and whether the violations have been corrected.
The HITECH Act also authorizes state attorneys general to sue covered entities that violate HIPAA when the violations threaten harm to or adversely affect citizens of that state.103
More specifically, an attorney general may seek injunctive relief or statutory damages in federal district court.104 If the attorney general is successful, the court is authorized to award attorneys’ fees to the state.105 If HHS has already instituted an action against a covered entity, a state attorney general may not proceed with its suit during the pendency of that action.106
The Connecticut Attorney General’s Office filed the first lawsuit under the provisions of the HITECH Act on January 12, 2010 in the United States District Court for the District of Connecticut.107 The covered entity is alleged to have lost a portable disk drive containing unsecured protected health information for nearly 500,000 Connecticut residents. The covered entity is alleged to have waited nearly six months to even begin notifying the individuals of the breach. On July 6, 2010, the case settled for $250,000 with an additional $500,000 contingent payment due to the state if it is determined that the disk drive was accessed and information was used illegally.108
Similarly, in 2012, the Minnesota Attorney General’s Office sued Accretive Health, Inc., for losing a laptop containing the PHI of approximately 23,500 patients. The complaint alleges that Accretive also mined the data without disclosing such action to the affected patients. This case is significant because it is thought to be the first application of the HITECH Act to a business associate of a covered entity.109 On July 30, 2012, the case settled with significant penalties for Accretive. The company was forced to stop doing business in Minnesota for two years and to pay the state approximately $2.5 million, some of which will go to compensate patients whose data was compromised.110
2. Professional Discipline
In addition to, or instead of, civil liability, a patient aggrieved by a disclosure may wish to file a complaint of professional misconduct with the Board of Mental Health Professionals,111 Nursing Board,112 or Board of Medicine113 depending on the licensing qualifications of the individual disclosing the information. A finding of misconduct by a professional board compels an employer to terminate or otherwise discipline the employee who violated the rules. The failure of any employer to act appropriately creates additional civil liability for the mental health care facility.
Mental health institutions are also subject to disciplinary proceedings for the improper disclosure of mental health records.114 An aggrieved client may file a client rights violation with the Division of Behavioral Health or in Superior Court.115 A finding of a client rights violation may result in a fine, an injunction and/or corrective action.116 To the extent that a mental health institution receives funding for a program from a state or federal agency, a finding of a client rights violation may lead to sanctions by the agency, including loss of funding.
3. Criminal Violations
As briefly discussed above, the failure to report child abuse or incapacitated adult abuse is punishable as a misdemeanor.117 Improper disclosure of AIDS/HIV results pursuant to RSA 141-F may result in punishment as a misdemeanor.118
The HITECH Act authorizes increased criminal penalties for wrongful disclosure of individually identifiable health information (“IIHI”). A person who knowingly: (1) uses or causes to be used a unique health identifier; (2) obtains IIHI relating to an individual; or (3) discloses IIHI to another person can face tiered levels of penalties depending on the offense.119 A person (including an employee or other individual) shall be considered to have obtained or disclosed individually identifiable health information if the information is maintained by a covered entity and the individual obtained or disclosed such information without authorization.120 The maximum criminal penalty is a fine of up to $50,000 and/or imprisonment of up to one year.121 If the offense was committed with the intent to sell, transfer, or use IIHI for commercial advantage, personal gain, or malicious harm, the offender can be fined up to $250,000, imprisoned not more than 10 years, or both.122
4. Affirmative Defenses
The new HIPAA omnibus rule provides “affirmative defenses” that can be invoked by persons or entities accused of violations where civil penalties are sought. The covered entity or business associate must establish that the violation is not due to willful neglect, and is corrected during either (i) the 30-day period beginning on the first date the covered entity or business associate liable for the penalty knew or, by exercising reasonable diligence, would have known that the violation occurred; or (ii) such additional period as the Secretary determines to be appropriate based on the nature and extent of the failure to comply.123 The Secretary of Health & Human Services may also waive penalties for violations that were not timely corrected if “the penalty would be excessive relative to the violation.”124
5. Breach Notification
Under the recent HIPAA rule changes, there is now a presumption that a breach of PHI must be reported unless “the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:
(i) The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
(ii) The unauthorized person who used the protected health information or to whom the disclosure was made;
(iii) Whether the protected health information was actually acquired or viewed; and
(iv) The extent to which the risk to the protected health information has been mitigated.”125
HIPAA now requires that patients be notified, in writing, by first-class or electronic mail (if they have agreed to receive notices that way) when a breach of unsecured PHI has occurred.126 A breach has been defined as the unauthorized acquisition, access, use, or disclosure of PHI which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.127 Notice of the breach must be sent to the patient within sixty (60) days of discovery of the breach.128 Note that breach notification rules only apply to unsecured protected health information.129 Unsecured protected health information is essentially PHI that is not protected by an encryption program that complies with technical standards published by HHS.130
In addition to individual notice to the patient, breaches involving more than five hundred (500) residents of a state or jurisdiction require immediate notification to HHS and to prominent media outlets in the jurisdiction where the breach occurred within sixty (60) days of the discovery of the breach.131 Covered entities that have breaches involving more than five hundred (500) individuals are also required to be listed on the HHS website.132 Initially, HHS did not post the names of all covered entities. On April 16, 2010, HHS announced that it would begin posting the names of the covered entities on its website. It is interesting to note that many of the entities listed on the website are there because a laptop or smartphone containing unsecured PHI was lost or stolen.133
If a breach involves fewer than five hundred (500) individuals, the covered entity is required to keep a log of the breaches and provide this log to HHS at the end of the calendar year.134 Following discovery of a breach by a covered entity’s business associate, the business associate must notify the covered entity within sixty (60) days of the discovery of the breach.135 The covered entity is then responsible for notification of the individual, HHS or media outlet, as appropriate.136