Document his or her assessment of suicide risk and steps taken to prevent suicides.

Identify the most frequent allegations made by plaintiffs in lawsuits involving suicide and improve documentation to protect against those allegations.

State the current recommendations on record retention.

Discuss the application of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules to covered and noncovered entities.

Describe general guidelines for release of patient information.

Suicide: The Importance of Assessment and Documentation
Jacqueline M. Melonas, RN, MS, JD, Vice President of Risk Management, Professional Risk Management Services, Inc, Arlington, VA

Introduction: suicide low-frequency event, but of high severity from risk perspective; clinician not expected to predict and prevent suicide, but is expected to meet standard of care, which encompasses variety of options and requires clinician’s professional judgment (ie, suicide cannot be predicted, but risk for suicide might be foreseeable); foreseeability related to whether clinician performed adequate assessment and implemented appropriate safety measures based on that assessment

Assessment: identify and evaluate suicide risk indicators and protective factors; develop reasonable treatment plan based on assessment of patient’s clinical needs; implement treatment plan appropriately and modify as needed, based on patient’s clinical needs; keep current with professional standards for assessment and treatment of patients with suicidal behaviors; document adequately to support that appropriate care (ie, assessment, treatment, and ongoing monitoring of patient) was provided

Allegations: theories of liability on which plaintiff’s attorney will base lawsuit; categories of allegations include inadequate assessment, inadequate development of treatment plan, inadequate implementation of treatment plan, lack of professional currency in suicide assessment and prevention, and poor documentation

Inadequate assessment: allegations may include failure to—obtain adequate history; contact previous physician; obtain history from family; determine which treatments previously failed; review previous medical records; communicate with other providers involved in patient’s care; recognize seriousness of patient’s condition; perform full mental-status examination; properly evaluate and record patient’s risk for suicide; make rational diagnosis based on careful examination and history of patient; diagnose medication intoxication and/or dependence; risk management advice—assess patients at significant points in treatment, document those assessments, and consider possible comorbid addiction issues; try to obtain previous records (document efforts if not obtainable); obtain collateral information from family and significant others; communicate with other treatment providers (physicians and nonphysicians), read their documentation, and address conflicting information or assessments; communicate with covering psychiatrist about concerns about patient’s suicidality; when covering, keep written record of calls and consultations; document decision-making process; whichever methodology one chooses to use for assessing suicide risk should be used consistently

Inadequate development of treatment plan: risk management advice—be familiar with criteria for involuntary hospitalization; perform ongoing assessment and adjust treatment plan; ensure that facility’s policies and procedures are in place and followed; provide proper level of observation; ensure safe environment (to extent possible); involve and educate family and significant others when appropriate; stress responsibility to patients and their families; document communication with patient’s family and significant others

Communication: with other health care professionals; with patient’s family and significant others; patient safety is exception to confidentiality; alert patient’s family and significant others to suicide risk without patient’s authorization when— risk is significant; they (patient’s family and significant others) do not seem to be aware of risk; they might contribute to patient’s safety; document all

Inadequate implementation of treatment plan: risk management advice—obtain consultation as needed; do not rely solely on “no harm contracts” (they have no legal force, but may be included as part of comprehensive treatment plan); assess patient before discharge; vulnerable time for suicide immediately after discharge, so make sure there is good safety plan for that period; include patient in discharge planning; consider clinical basis for type and dosage of medication prescribed; obtain informed consent for medications; avoid telephone refills without patient reassessment; document treatment prudently

Lack of professional currency: risk management advice—be familiar with most current American Psychiatric Association (APA) Practice Guidelines for the Assessment and Treatment of Patients With Suicidal Behaviors (http://www.psychiatryonline.com/pracGuide/pracGuideTopic_14.aspx); access other information on latest statistics, trends, and risk groups

Poor documentation: risk management advice—ensure that documentation accurate, timely, and complete; document decision-making process; prepare documentation as close as possible to time when care rendered; documentation standards can be found in APA website mentioned earlier; refer to Simpson and Stacy article in “Suggested Reading” (J Psychiatr Pract 10:185, 2004) for comments on documentation from plaintiffs’ attorneys

Confidentiality and the Health Insurance Portability and Accountability Act (HIPAA)
Donna Vanderpool, MBA, JD, Assistant Vice-President, Risk Management, Professional Risk Management Services, Inc, Arlington

Key concept: disregard statute of limitations on record retention (too many exceptions); retain all records as long as possible (speaker cites case in which patient filed complaint with medical board 18 yr after treatment; physician had kept records all that time, and medical board was able to resolve complaint quickly)

Health Insurance Portability and Accountability Act (HIPAA): confidentiality issues covered under “Administrative Simplification Provisions”; covered entities under HIPAA must comply with all Administrative Simplification Provisions; in terms of liability, Privacy and Security Rules of most concern; “covered entities” limited to health care providers, their employees, and their representatives who electronically transmit listed transactions to, or receive electronic transmissions from, health plans; if no health plan involved or if transactions not transmitted electronically, provider usually not “covered”; however, there are exceptions

HIPAA Privacy Rule: noncovered entity may be subject to HIPAA Privacy Rule if 1) new federal laws (eg, Medicare Prescription Drug Program) make them covered, 2) state laws make them covered by, eg, requiring that all claims be submitted electronically to health plans (eg, as has occurred in Minnesota), or 3) health plans require claims to be submitted electronically (eg, United Healthcare)

Preemption: HIPAA’s Privacy Rule does not automatically preempt state laws that conflict with it; general rule—“a Privacy Rule provision that is contrary to a state law provision preempts state law unless an exception applies”; exceptions include 1) United States Department of Health and Human Services (HHS) determines that state law not preempted, 2) state has reporting requirements for, eg, child abuse, disease or injury, 3) state law more stringent than Privacy Rule; general guidelines—follow law that provides greater access and other rights to patient, allows HHS access, and restricts access by parties other than patient and HHS; follow mandatory disclosures under state law

Enforcement of HIPAA Privacy Rule

Civil enforcement: by HHS Office of Civil Rights (OCR), which has authority to administer Privacy Rule, make decisions on how to interpret, implement, and enforce Privacy Rule, determine when state laws not preempted by HIPAA, and impose civil penalties for noncompliance; OCR provides assistance on website (www.hhs.gov/ocr/hipaa) or in regional offices (states in each region and telephone numbers can be accessed via website mentioned above); complaints—anyone can file complaint by mail, fax, or e-mail (documentation crucial for defense against complaint); complaints should be sent to OCR’s regional office; filing deadline is 180 days from time of event, but can be extended under certain circumstances; in reviewing complaints, “reasonableness standard” used (ie, covered entities must make “reasonable” efforts to protect confidentiality and security of protected health information [PHI]); enforcement approach is to seek voluntary compliance; enforcement triggered by complaints or events brought to attention of OCR (eg, through news media); civil penalties ≤$100 per violation or ≤$25000 per calendar-year; however, exception can be made for reasonable diligence (ie, individual who violated rule did not know and did not have reason to know that his or her act was a violation; to date, OCR has never imposed civil monetary penalties for privacy violation); as of September 30, 2008, >39500 complaints received, with most frequent complaints being impermissible disclosure of PHI, lack of safeguards, failure to provide access to patient, disclosure of more than minimally necessary information, and failure to obtain valid authorization; private practices most frequent entities against which complaints lodged; 82% of complaints resolved by OCR; 436 cases referred for criminal prosecution; risk management advice—to avoid complaints, do not surprise patient (anticipate patient’s request); be able to comply with all of patient’s rights; allow requests for amendment of record; allow patient access (with limited exceptions); respond to complaints; be aware of and monitor employees’ behaviors (“do your employees know not to put on their MySpace page all of the stories they’re dealing with in their place of employment?”); good-faith efforts and documentation essential

Criminal enforcement by United States Department of Justice (DOJ): “the United States Attorney’s Office believes that the criminal provisions of HIPAA apply to everyone, not just covered entities”; key area of interest for DOJ prosecutors is trading or selling individually identifiable health information for financial gain; employees and agents of covered entities can be criminally prosecuted, even if those entities (eg, hospitals) cannot; criminal penalties include fines ≤$250000 and/ or jail time of ≤10 yr; criminal investigation starts in OCR, then referred to HHS Office of Inspector General (OIG) or to Federal Bureau of Investigation (FBI); DOJ has litigating authority (ie, if DOJ asks OCR for their opinion, DOJ can still prosecute if OCR recommends against it)

State enforcement: no private right to sue under HIPAA, so breach-of-confidentiality lawsuits brought under state laws may be most significant (and widely felt) enforcement; confidentiality protections of HIPAA Privacy Rule becoming national standard by which all clinicians will be judged; Privacy Rule may bolster existing or create new theories of liability under state law

Court enforcement: courts increasingly using standards of Privacy Rule as standard of care to impose liability on providers for breach of confidentiality; Privacy Rule used to decide cases involving entities not covered under HIPAA; various courts have 1) required all authorization forms to be HIPAA compliant, and 2) ruled that disclosure of even patient names not permitted; courts have raised Privacy Rule on their own to decide cases; filing lawsuit not automatic waiver of confidentiality privilege; in New York, eg, all subpoenas and court orders must be accompanied by patient authorization; Privacy Rule preempts state laws that allow ex parte communication; however, different courts deciding same issues differently; consistency will not be achieved until appellate court decisions handed down

HIPAA Security Rule: requires covered entities to protect against reasonably anticipated improper use or disclosure of electronic PHI

Disclosing patient information: to release patient information, need 1) written authorization from patient or patient’s representative, 2) valid subpoena, or 3) valid court order; exceptions include statutory requirement (eg, laws that require reporting of child abuse) and safety of patient or third party

Subpoena duces tecum: request for written information (eg, records); not a court order, although authority of court behind it; subpoena alone often not sufficient to compel release of psychiatric records (state laws differ); provider may be required to respond to invalid subpoena, even if no information released (state may require provider to acknowledge that subpoena received); Privacy Rule requires “satisfactory assurances” of notice to patient or qualified protective order, and may be preempted by more stringent state law; upon receiving subpoena duces tecum, contact risk manager for advice on how to proceed

Subpoena for testimony: also not a court order, but also has authority of court behind it; usually sufficient to compel clinician to appear at deposition or court hearing at required time and place, but seldom sufficient to compel disclosure of psychiatric information; do not contact attorney who issued subpoena, but contact risk manager immediately

Court order: can be difficult to differentiate from subpoena; issued by judge after one or both parties have moved for some action (eg, release of records) to be taken; almost always sufficient to compel release of specified information, even if patient does not want information released; “however, be sure to release only what is actually ordered; no more”; prudent to call risk manager before releasing information

Requests from investigators: accept only written requests, in which investigator cites authority for release (ie, “what allows you to disclose this information?”); under HIPAA Privacy Rule, disclosure to law enforcement permissible, but not mandatory; only mandatory disclosures are to patient and to HHS for enforcement; “never ever” release original record, release only copies; patient confidentiality survives patient’s death, and state law determines who controls release of patient’s records (contact risk manager)

Information created by other providers: if records provided by other caregivers have been incorporated into your record, they are considered part of your record and should be released; if provider prefers not to release records from others, released information should indicate that (eg, “I’ve released my record, but not copies of the hospital record; those can be obtained directly from the hospital”); however, if requesting party insists, release of others’ records may be mandatory; consult risk manager

Publishing or presenting patient information: may constitute breach of confidentiality or patient exploitation; APA and American Medical Association (AMA) ethics opinions indicate that “presenting case material requires that patient identity be hidden; if this is not possible (for example, the patient or a video is presented), then fully informed consent is required”