The purpose of this Chapter is to describe when and how PHI can be used and disclosed internally within DMH and when PHI can be disclosed by DMH to others outside of DMH. It also clarifies how PHI can be de-identified so that it is not PHI for purposes of HIPAA.
There are many federal and state laws, regulations, and orders governing the use and disclosure of PHI that impact DMH and its Workforce Members. (See Introduction.) In many situations, state laws and regulations that apply to DMH are more restrictive than HIPAA regarding disclosure of PHI. Under HIPAA, the more restrictive state law will govern if it provides more protection to the PHI or greater rights to the individual who is the subject of the PHI. In other situations, HIPAA permits disclosure where state law and regulations require disclosure, such as in cases of abuse, neglect, or other situations that require disclosure by law. Care needs to be taken when a Workforce Member is responding to a request for PHI from a person or entity that only cites HIPAA as the authority for releasing the PHI without an Authorization. The requestor may not be aware of all the laws and regulations applicable to DMH. Workforce Members may only use and disclose PHI as permitted in this Handbook.
NOTE: This Chapter only addresses when PHI may be used or disclosed and does not address when informed consent for treatment needs to be obtained.
II. GENERAL RULES FOR REQUESTING, CREATING, USING OR DISCLOSING PHI
When requesting, creating, using or disclosing PHI, Workforce Members must observe the rules set forth in this Section II.
A. Protecting the Confidentiality of Individuals. Workforce Members must respect and protect information about, and the records of, applicants and recipients of DMH services and/or case management.
B. Use and Disclosure of PHI Only as Permitted. DMH and its Workforce Members may use or disclose PHI only as permitted by this Handbook.
C. Requesting, Creating, Using and Disclosing Only that Amount of PHI that is Necessary. When requesting, creating, using or disclosing PHI, Workforce Members must make reasonable efforts to limit the amount of PHI requested, created, used or disclosed, to the minimum necessary to accomplish the purpose for which the PHI is being requested, created, used or disclosed. PHI must not be requested, created, used or disclosed if it is not needed. (See Chapter 9, Minimum Necessary Rule.)
D. Administrative, Technical and Physical Safeguards. Workforce Members must follow the administrative, technical and physical safeguards that DMH develops to reasonably protect PHI from unauthorized use or disclosure. (See Chapter 1, Administrative Requirements, Chapter 2, Workforce Members' Responsibilities, Chapter 3, Physical and Technical Safeguards, Chapter 9, Minimum Necessary Rule and Chapter 10, Verification of the Identity and Authority of the Requester.)
E. Data Integrity. Workforce Members must ensure, to the greatest extent reasonably possible, the quality, accuracy, and reliability of the PHI under their control, whether contained in written, electronic, or other format. Workforce Members must protect PHI from unauthorized modification or destruction. DMH has established, where appropriate, mechanisms allowing individuals, and/or their PRs, to review and amend their PHI, as required by state and federal law. (See Chapter 11, Right of Individuals or Personal Representatives to Access Protected Health Information Maintained by DMH and Chapter 13, Right to Amend Protected Health Information.)
F. Research Studies. Workforce Members and others who want to conduct research that requires access to PHI held by DMH must consult with the DMH Research Office of the Division of Clinical and Professional Services and the DMH Institutional Review Board (“DMH IRB”) to determine if the research is permissible and if so, the protocols that must be followed to access the PHI.
G. Uses and Disclosure of Decedents' Records. Generally, the PHI of a decedent is to be treated the same as when the individual was alive. After the death of an individual, the court appointed administrator, executor, or other person authorized by law to act on behalf of the decedent may exercise the rights of the decedent with regard to the decedent's PHI (i.e., the right to authorize its use or disclosure, the right to access the PHI and/or to request an audit trail of disclosures made by DMH, the right to request a confidential communication and/or to restrict the use or disclosure of PHI).
Absent authorization by the court appointed administrator or executor of a decedent’s estate or a court order, family members of a decent and the general public are not entitled to access the decedent’s DMH record.
NOTE: A PR who had authority to authorize release of PHI during the decedent’s life does not automatically become the administrator or executor of a decedent’s estate. A specific court appointment is required.
H. Verification. Prior to disclosing PHI, the identity of the person or entity to which the PHI is to be disclosed and the authority of that person or entity to receive the PHI must be verified in accordance with Chapter 10, Verification of the Identity and Authority of the Requester.
I. Restrictions. Prior to making a disclosure, a Workforce Member must determine if DMH has granted a request to restrict PHI that would preclude such a disclosure. See Chapter 15, Right to Request Restrictions on the Use and/or Disclosure of Protected Health Information.
III. PROHIBITED USES AND DISCLOSURES OF PHI
A. Marketing. Neither DMH nor its Workforce Members shall use or disclose PHI for any Marketing purposes, as that term is defined below. Selling lists of clients'/patients'/applicants' and/or service recipients' names or disclosing PHI to a third party for that party's Marketing activities are strictly prohibited.
B. Fund Raising. Neither DMH nor Workforce Members shall use or disclose PHI for the purpose of raising funds for DMH's or any other person’s or entity's benefit.
C. Directories. DMH operated inpatient facilities or outpatient or community based programs shall not maintain directories for the purpose of providing information to non-Workforce Members.
IV. INTERNAL USE OF PHI BY WORKFORCE MEMBERS
A. Internal Uses Generally (Treatment, Payment, and Health Care Operations. See Section VI below.) Without obtaining an Authorization from the individual who is the subject of the PHI, or the individual's PR, Workforce Members generally may use PHI internally within DMH as long as it is necessary to do their job. This is because almost all work is related to treatment, payment, and health care operations. This Section IV does not address disclosures of PHI to non-Workforce Members. Such disclosures are discussed in Section V.
B. Other Permitted Internal Uses:
1. Research. If a Workforce Member’s job includes research, use of PHI for such purpose requires an individual’s informed consent in most situations. Informed consent for research includes consent to use and/or disclose an individual’s PHI, as set forth in the consent form. The DMH IRB may waive the informed consent requirement for use/disclosure of PHI as part of its approval of a research protocol.
2. To Avert a Serious Threat to Health and Safety. DMH, consistent with applicable law, may use PHI if DMH believes in good faith that the use is necessary to prevent or lessen a serious and imminent threat to the health or safety of an individual or the public and the use is made by/to a person or persons reasonably able to prevent or lessen the threat.
3. Health Oversight Activities. See Section IX, below.
4. Clergy. If an individual or his/her PR agrees verbally or in writing, a limited amount of PHI (i.e., name, address and religious affiliation) may be shared with clergy who are Workforce Members. NOTE: an Authorization is not required.
5. Incidental Uses. Incidental uses are uses of PHI that are secondary, cannot reasonably be prevented, are limited in nature, and occur as an unavoidable result of an otherwise permitted use. (For example, confidential discussions between clinical team members may be overheard by a DMH Workforce Member who is not part of that team.)
 The DMH IRB approval letter must document that it determined that the alteration or waiver of informed consent satisfies certain criteria as set forth at 45 CFR 164.512, 104 CMR 31,and DMH IRB Operating Procedures.
V. DISCLOSING PHI OUTSIDE OF DMH TO NON-WORKFORCE MEMBERS
A. Without Authorization. The general rule is that Workforce Members may not disclose PHI to third parties (outside of DMH to non-Workforce Members) without obtaining an Authorization, unless one of the following exceptions applies:
1. Disclosure to the Individual who is the Subject of the PHI or his/her Personal Representative, if any. PHI may be disclosed to the individual who is the subject of the PHI or, if he/she has a PR, to his/her PR, or, if the individual is deceased, to the court appointed administrator or executor of the individual's estate. In some cases a Minor has the right to control access to his or her PHI, even if he or she has a PR. These would include cases where the PHI is related to treatment to which the Minor has the legal authority to consent and did so consent (e.g. emergency treatment of a Minor.) (See M.G.L. c. 112, §12F.) Additionally, both a Minor and his/her PR have the right to inspect records relating to the admission to a Facility when the Minor voluntarily admitted himself or herself to a Facility pursuant to M.G.L. c.123, §§10 and 11 and 104 CMR 27.06. (See 104 CMR 27.16(8)(e).)
Chapter 10, Verification of the Identity and Authority of the Requester, outlines when a parent, guardian, Rogers monitor, Health Care Agent, DYS or DCF is considered a PR.
DMH, under certain circumstances, may limit the right of individuals and/or PRs to access PHI. See Chapter 11, Right of Individuals or Personal Representatives to Access Protected Health Information Maintained by DMH.
2. Disclosure to the Attorney of an Individual who is the Subject of PHI. See Chapter 10, Verification of the Identity and Authority of the Requester, for a discussion on determining whether an attorney is permitted to access an individual’s PHI.
NOTE: The Exceptions to Use and Disclosure for Treatment, Payment, and Health Care Operations set forth in Section VI. E. below regarding Psychotherapy Notes, Part 2 substance abuse treatment information, and HIV/AIDs and/or genetic test results apply to disclosures to attorneys and therefore require the individual’s Authorization.
3. Disclosures Made Pursuant to a Judicial Order. PHI may be disclosed pursuant to a proper judicial order. "A proper judicial order" means an order signed by a justice or special justice of a court of competent jurisdiction, or a clerk or assistant clerk of such court acting upon instruction of such a justice. A subpoena is not a "proper judicial order." Whenever possible, an individual or the individual's PR, if any, shall be informed of a court order commanding production of the individual's records prior to the production of the records, unless it is clear from the judicial order that the individual or PR was given notice of the judicial proceedings which issued the order and an opportunity to object to the issuance of the order. The PHI released must be limited to that specified in the order. A judicial order for release of WRAP records must contain specific findings required under federal law. (See Chapter 17, Women's Recovery from Addictions Program Restrictions on Disclosures and Use of Individual Identifying Information.)
NOTE: A subpoena is often mistaken for a court order. Unlike a court order, a subpoena requiring the production of records is not sufficient authority to release PHI. A subpoena is a formal request to compel DMH to produce an individual to testify or produce documents in relation to a proceeding in which DMH may or may not be a party to the action. A subpoena may be issued by an attorney or, in some instances, by the court. It is often accompanied by a witness fee. Failure to respond to a subpoena may result in legal sanctions, thus, it should not be ignored even if subpoenas do not provide grounds for disclosing the records.
If a subpoena, motion for a subpoena or court order, or court order is directed to one area, facility, or program of DMH, such subpoena, motion or order shall be sent to that Area’s Legal Office. In addition to notifying the Area Legal Office, judicial orders should be sent to the responsible Designated Record Set Contact Person for processing and response. (See Appendix D, Designated Record Set Contacts.)
If a subpoena, motion or order is directed to DMH, generally, to the WRAP, or to more than one area, facility, or program of DMH, such subpoena, motion or order shall be sent to the Central Office Legal Department. The Central Office Legal Department will send court orders to the responsible Designated Record Set Coordinator for processing and response. (See Appendix D, Designated Record Set Contacts.)
4. Disclosure Made Pursuant to a Best Interest Determination.
The Commissioner or designee, in his/her discretion, may permit the release of PHI, where the Commissioner or designee has made a determination that such disclosure would be in the best interest of the individual who is the subject of the PHI. The disclosure, however, must be of the type that is permissible under HIPAA without an Authorization.
a. Categorical Determinations. The Commissioner by regulation (104 CMR 17.17 and 28.09) has determined that disclosures for one of the following purposes is permissible without Authorization as being in the best interest of the individual and consistent with HIPAA:
- For purposes of Treatment, Payment and Health Care Operations as permitted by the privacy regulations promulgated under HIPAA at 45 CFR parts 160 and 164 (See Section VI, including exceptions, below);
ii. To obtain authority for a legally authorized representative to act on the individual’s behalf, or to obtain a judicial determination of substituted judgment, when a clinical determination has been made that the individual lacks capacity to render informed consent to treatment;
iii. To persons conducting an investigation involving the individual pursuant to 104 CMR 32.00 Investigation and Reporting Process;
iv. To persons engaged in research if such access is approved by the DMH IRB pursuant to 104 CMR 31.00: Human Subject Research Authorization and Monitoring;
v. To make reports of communicable and other infectious disease to the Department of Public Health and/or local board of health consistent with 105 CMR 300.000 et. seq: Reportable Diseases, Surveillance and Isolation and Quarantine Requirements; and
vi. In the case of death, to the coroners, medical examiners, or funeral directors.
The Administrator-in-Charge of the applicable DMH location shall establish for his/her location how and who may decide that the conditions of a categorical best interest determination are met with regard to a particular disclosure.
If the disclosure is made for other than Treatment, Payment, or Health Care Operation purposes, it may need to be logged for audit trail purposes. (See Chapter 12, Right to an Audit Trail of Certain Disclosures of Protected Health Information.)
b. Individual Determinations. The Commissioner or designee, in his/her discretion, may make individual best interest determinations(s) to permit the release of PHI, where the Commissioner or designee has made a determination that such disclosure would be in the best interest of a single individual who is the subject of the PHI. The disclosure, however, must be of the type that is permissible under HIPAA without an Authorization. The applicable federal regulations (Title 45) are:
- Disclosures in an emergency situation to persons involved in the individual's care; when the opportunity to agree or object to the disclosure cannot be practically provided to the individual. 45 CFR 164.510(b). (See also Disclosures to Persons Involved in the Care of the Individual at Section V.A. 10 below.)
- Disclosure for Public Health Activities. 45 CFR 164.512(b).
- Disclosure about victims of abuse, neglect or domestic violence. 45 CFR 164.512(c). (See also Disclosures Required by Law at Section V. A. 5, below.)
- Disclosure for Health Oversight Activities. 45 CFR 164.512(d).
- Disclosures for judicial and administrative proceedings. 45 CFR 164.512(e).
- Disclosure for certain law enforcement purposes. 45 CFR 164.512(f).
- Disclosure to avert a serious threat to health or safety. 45 CFR 164.512(j).
- Disclosure for certain specialized government functions. 45 CFR 164.512(k).
- Disclosures for workers' compensation. 45 CFR 164.512(l).
The disclosure may need to be logged for audit trail purposes. (See Chapter 12, Right to an Audit Trail of Certain Disclosures of Protected Health Information.)
The Administrator-in-Charge of the applicable DMH location shall establish for his/her location how and who may decide that the conditions of an individual best interest determination are met with regard to a particular disclosure; provided, however, a decision that the conditions of the individual best interest determinations have been met can be made only by the Administrator-in-Charge or a licensed health care professional(s) that he/she designates.
5. Disclosures Required By Law. "Required by Law," means a mandate contained in law that compels an entity to make a disclosure of PHI that is enforceable in a court of law. Required by Law includes, but is not limited to, court orders, Medicare Conditions of Participation with regard to Health Care Providers participating in the Medicare program, and statutes or regulations that require the production of information, including statutes or regulations that require such information if payment is sought under a government program proving public benefits. Disclosures that DMH or its Workforce Members are required to make include, but are not limited to, the following:
a. Crimes Committed Upon Persons in care of Mental Health Facilities. MGL c.19, §10
b. Transfer Notices. M.G.L. c.123, §3
c. Periodic Review Notices. M.G.L. c.123, §4
d. Commitment Petitions/Appeals. M.G.L. c.123, §§7, 8, 9, 15 and 16
e. Petition for Medical Treatment Orders. M.G.L. c.123, §8B
f. Emergency Hospitalizations. M.G.L. c.123, §12
g. Forensic Reports. M.G.L. c123, §§15, 16, 17, 18
h. Guardian or Conservator Appointments. M.G.L c.123, §25 and M.G.L. c.201, §§6, 6A, 6B, 7, 14, 16B, 17, 21
i. Unclaimed Funds Notice. M.G.L c.123, §26
j. Administration of estate of deceased inpatient or resident by DMH. M.G.L. c.123, §27
k. Violent or Unnatural Death of DMH Clients. M.G.L c.123, §28
l. Unauthorized Absence of DMH Clients. M.G.L. c.123, §30
m. Disclosure for Billing Purposes. M.G.L. c.6A, §16
n. Medication Communications. 104 CMR 28.06
o. Gun Licensing Authority Access to Mental Health Records. M.G.L. c.140, §§129B and 131
p. Mental Health Legal Advisor's Committee access to records. M.G.L c.221, §34E
q. Abuse of Elderly Person. M.G.L. c.19A, §15, 104 CMR 32
r. The Disabled Person Protection Commission. M.G.L. c.19C, §15, 104 CMR 32
s. DCF-Persons required to report Cases of Injured, Abused or Neglect Children. M.G.L c.119, §§ 51A and 51B
t. Persons Having Knowledge of Death to Notify Medical Examiner. M.G.L. c.38, §13, 104 CMR 32
u. Sex Offender Registry Law. M.G.L. c.6, §§178C through 178Q
v. Disclosures to the U.S. Secretary of Health and Human Services, if required by the Secretary in investigating DMH's compliance with HIPAA. 45 CFR 164.505(a)(2)
w. Protection and Advocacy. 42 USC 10806
x. Executive Office of Health and Human Services. 101 CMR 16.00 (See Appendix 1 to this Chapter 6.)
- A subpoena requiring the production of records is not sufficient authority to release PHI. If a subpoena for PHI is received, the Legal Office should be notified. (See NOTE regarding subpoenas at Section V A. 3, above.)
- See also Section VII, Special Rules Regarding the Reporting of Adult Abuse or Neglect.
- Disclosures required by law may be made only if the conditions as set out in the applicable law are met and only the amount of information required to comply with the law may be disclosed (i.e, minimum necessary).
6. Cadaveric Organ, Eye or Tissue Donation. Pursuant to Commissioner Directive #10, PHI may be used or disclosed to organ procurement organizations or other entities engaged in procurement, banking, or transplantation of cadaveric organs, eyes, or tissue for the purpose of facilitating organ, eye or tissue donation or transplantation.
7. Disclosures for Research. Research means a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalizable knowledge. (See also 104 CMR 31.02). Research requires an individual’s informed consent in most situations. Informed consent includes consent to use and/or disclose an individual’s PHI, as set forth in the consent form. The DMH IRB may waive the informed consent requirement as part of its approval of a research protocol.
8. Limited Data Set. DMH may create, use or disclose a limited data set containing PHI if the requirements as set forth in Section VIII, below are met.
10. Disclosures to Persons Involved in the Care of the Individual. If the individual or his/her PR provides the individual's agreement, whether verbally or in writing, or an appropriate Workforce Member provides the individual with the opportunity to object to the disclosure, and the individual does not express an objection, PHI may be disclosed to a family member, other relative, or any other person identified by the individual, if the PHI directly is relevant to the person's involvement with the individual's care or payment related to the individual's care. It is important for the circumstances agreeing the disclosure be documented by the Workforce Member in the individual’s record. Important information to capture includes: how the person is involved in the care of the individual; if consent was given in writing, oral or by the opportunity to object; date agreement given or otherwise obtained. An individual may withdraw their agreement at any time. If withdrawn this also must be documented in the individual’s record.
NOTE: The WRAP cannot disclose 42 CFR Part 2 information to persons involved with care or payment without an authorization signed by the individual who is the subject of the information.
11. Disclosures Pursuant to MGL. c. 123, §36B Duty to Protect and/or Warn. Disclosures pursuant to this statue may be made only by licensed health care professionals and only if the conditions as set out in the statute are met. The conditions allowing the disclosure and the disclosure must be noted in the individual’s record.
12. Disclosure by Whistleblowers and Workforce Members Who are Crime Victims. A Workforce Member will not be considered to have violated the disclosure restrictions as set forth in this Section if the Workforce Member discloses PHI for whistleblowing or reporting a crime if (1) the disclosure of PHI is necessary to accomplish the intended purpose (e.g., the report could not be accomplished with the use of de-identified information or the use of a code); (2) the amount of PHI that is used is limited only to the amount that is necessary for the intended purpose; and (3) the requirements below are met.
a. Whistleblowers. The Workforce Member must believe in good faith that DMH has engaged in conduct that is unlawful or otherwise violates professional or clinical standards or that the care, services or conditions provided by DMH potentially endangers one or more individuals and the disclosure is made to: (i) a Public Health Authority, Health Oversight Agency, or healthcare accreditation organization authorized to investigate or oversee the conduct at issue: or (ii) an attorney retained by the Workforce Member for the purpose of determining legal options of the Workforce Member with regard to said conduct.
b. Workforce Members Who Are Crime Victims. A Workforce Member, who is an alleged victim of a criminal act committed by an applicant or recipient of DMH services and/or case management, may disclose PHI about the alleged perpetrator to law enforcement. The PHI disclosed must be limited to the following information for the purpose or identifying or locating a suspect or material witness.
i. name and address;
ii. date and place of birth;
iii. Social security number;
iv. blood type (A/B/O) and Rh factor;
v. type of injury;
vi. date and time of treatment;
vii. date and time of death, if applicable; and
viii. a description of distinguishing physical characteristics, including, but not limited to, height, weight, gender, race, hair, eye color, and the presence or absence of facial hair (beard or moustache) scars, and tattoos.
Additionally, a description of the incident may be provided; however, the description may only include the facts and circumstances of the incident itself. The description may not include any information that may appear in the individual’s medical records, such as diagnosis, history, or treatment.
Commissioner’s Directive 14 addresses circumstances in which a Workforce Member wishes to file a criminal complaint against a patient in a DMH inpatient facility.
13. Incidental Disclosures. Incidental disclosures are disclosures of PHI that are secondary, cannot reasonably be prevented, are limited in nature, and occur as an unavoidable result of an otherwise permitted disclosure. (For example, use of a waiting room sign-in sheet that lists only names results in a disclosure of PHI –patient names – to other users of the sign-in sheet.)
Questions as to whether a category of Section V. A. is applicable to a particular disclosure should be addressed to the Area Privacy Coordinator or Privacy Officer.
B. DMH Routine Disclosures - Appendix C of the Handbook. Appendix C of the Handbook lists the routine disclosures of PHI made by DMH and its Workforce Members, with the exception of disclosures made to an individual who is the subject of the PHI and/or his/her PR. For each disclosure listed, the following information is provided: (a) the person or entity to whom the disclosure can be made; (b) the purpose of the disclosure; (c) whether an Authorization, or a best interest determination, is required for the disclosure; (d) the maximum amount of PHI that should be released; and (e) any special requirements regarding the disclosure. In making any of the disclosures listed in Appendix C, Workforce Members are responsible for ensuring that, if required for the disclosure, an Authorization is obtained or a best interest determination has been made, and that only the authorized amount of PHI is disclosed.
C. Disclosures Requiring an Authorization. A disclosure of PHI not specified as permitted without Authorization in this Chapter 6 or Appendix C, requires an Authorization. The Authorization must comply with all of the requirements set forth in Chapter 8, Authorization for Use and Disclosure of Protected Health Information. The disclosure made must be consistent with the terms of the Authorization.
 The DMH IRB approval letter must document that it determined that the alteration or waiver of informed consent satisfies certain criteria as set forth at 45 CFR 164.512, 104 CMR 31,and DMH IRB Operating Procedures.