Connect4Families Toolkit

4. Confidentiality Protections and Consent to Share

It is crucial for all involved in the care of children and adolescents experiencing behavioral health challenges to have a common understanding of confidentiality and informed consent requirements across professions.

Overall, the confidentiality laws in Connecticut aim to protect patient privacy and ensure that child/patient/student information is only disclosed as necessary and with appropriate consent.

Pediatric providers, mental health clinicians, and school personnel must understand the laws governing their individual practices and those of their collaborators, as well as the distinctions between them. This understanding is essential for obtaining appropriate consent before sharing or expecting the release of information. Families should also familiarize themselves with these laws to understand how their child’s information may or may not be shared. It is important to acknowledge that with required authorization and consent, the sharing of information can always be achieved.

Below, you will find an overview of key federal and state laws relating to confidentiality and informed consent that child-serving providers and parents/guardians should be aware of and understand. Find sample communication forms, including authorization and release forms, in Section 2 of this toolkit.

This page should not be interpreted as an exhaustive listing of all relevant laws, and the general explanations offered are not intended to serve as comprehensive descriptions or provide legal advice or guidance. Legal counsel must be secured for case-specific guidance.

HIPAA (The Health Insurance Portability and Accountability Act)

HIPAA Overview

HIPAA is a federal law that sets standards for the privacy and security of patient health information. HIPAA applies to all healthcare providers, including mental health, pediatric, and school-based health center clinicians, and governs the sharing of patient information.

HIPAA’s Privacy Rule (45 CFR, Parts 160 – 164) creates national standards to protect patients’ individually identifiable health information, referred to as protected health information (PHI). PHI is any information that relates to:

  1. The individual’s past, present, or future physical or mental health or condition;
  2. The provision of healthcare to the individual; or
  3. The past, present, or future payment for the provision of health care to the individual.

In short, a healthcare provider cannot disclose PHI unless an exception applies or the patient consents.

When Can PHI Be Disclosed Without Patient Consent?

Disclosures of PHI that HIPAA permits without patient consent include those that:

  • Prevent imminent harm – A healthcare provider may release PHI as necessary to prevent a serious imminent threat to the health or safety of a person or the public. However, the provider should disclose the minimum amount of information necessary and only disclose PHI to someone capable of reducing the risk of harm, such as the target of the harm or law enforcement personnel.
  • Facilitate treatment, payment, and healthcare operations – A provider can disclose PHI for treatment, payment, and healthcare operations purposes. For example, a physician can discuss a patient’s treatment with other healthcare providers also involved in the patient’s care, share patient information with health insurance companies or third-party payers to facilitate billing and payment for services rendered or to justify procedures or treatments for insurance reimbursement purposes, as well as to conduct quality assessment and improvement activities within a healthcare facility.
  • Are required by law, including specific state regulations or court orders that mandate disclosure of PHI – For example, a healthcare provider must release protected health information if there is reasonable suspicion or evidence of child abuse or neglect, when a patient poses a serious risk of harm to themselves or others, when receiving a valid subpoena for particular data, and if certain communicable diseases are diagnosed. In circumstances such as these, the state agency or court to receive the PHI is specified.

It is important to note that while HIPAA allows for the disclosure of PHI for the purposes listed above, there are strict guidelines and requirements to safeguard patient privacy and ensure data security. Covered entities and business associates must comply with HIPAA regulations to protect patients’ sensitive information. Additionally, obtaining patient consent or ensuring the data is properly de-identified may be necessary in some situations to maintain compliance.

When Does HIPAA Restrict Disclosure of PHI Without Patient Consent?

A healthcare provider must obtain the patient’s written authorization for any disclosure of protected health information that is not for treatment, payment or healthcare operations. For example, authorization is required if the information is to be used for any purpose that falls outside the scope of routine health activities, e.g., making employment decisions.

All authorizations must be in plain language and contain the specific information to be disclosed, the person(s) disclosing and receiving the information, the expiration date of the authorization, and the right to revoke in writing.

Additionally, under HIPAA, behavioral health providers (like other healthcare professionals) must adhere to specific restrictions when releasing process notes, also known as psychotherapy notes. Process notes are distinct from regular medical or treatment records, as they are the personal notes taken by the behavioral health provider during therapy sessions and are often used for their own reference. The release of such notes requires explicit written patient consent. Unlike other PHI, patient authorization is required even for sharing these notes with other healthcare professionals involved in the patient’s care. In brief, psychotherapy notes should not be used for treatment, payment, or healthcare operations purposes.

Laws and Statutes Superseding HIPAA

Healthcare providers and families alike must be aware that there are federal as well as Connecticut state laws and statutes that can take precedence over HIPAA in the context of protecting behavioral health treatment information.

Examples of laws and statutes offering additional safeguards for the privacy and confidentiality of behavioral health information include:

Federal Law: 42 CFR Part 2 (Confidentiality of Substance Use Disorder Patient Records)

This federal regulation governs the confidentiality of substance use disorder treatment records. It applies to federally-assisted substance use disorder treatment programs and places stringent restrictions on the disclosure and use of patient records related to substance abuse treatment. 42 CFR Part 2 offers more stringent protections than HIPAA, requiring specific and written patient consent for disclosure.

Behavioral Health Profession-Specific CT Requirements Addressing Confidentiality

Connecticut behavioral health providers must follow the statutes and regulations governing their practice, ensuring compliance with Connecticut laws and protecting their clients’ confidentiality rights. In general, profession-specific guidance is interpreted as requiring a higher standard of protection than does HIPAA, with restrictions imposed on the disclosure of behavioral health information unless explicit patient consent is granted, or disclosure is otherwise mandated.

If uncertain about the specifics of your discipline’s confidentiality and disclosure requirements, please refer directly to official sources of Connecticut state law or consult with legal professionals specializing in the state’s healthcare laws.

CT Laws Addressing Consent Rights of Minors – Exceptions to HIPAA

Typically, anyone under eighteen is considered a minor and cannot legally exercise their rights under HIPAA. Instead, HIPAA considers the minor’s parent or guardian to be their “personal representative.” The Privacy Rule authorizes a personal representative to exercise the minor’s HIPAA rights on their behalf. Thus, for the most part, parents have access to their minor children’s medical records, and turning over a minor’s confidential health information to a parent is generally not a violation of HIPAA laws.

Exceptions exist, however, as CT has specific laws related to minor consent for certain types of healthcare treatment and services. These laws allow minors to consent to particular healthcare treatments without parental or guardian involvement under certain circumstances, and therefore give them the right to consent to or decline the release of the related protected health information.

Laws in CT addressing the consent rights of minors:

  1. Emancipated Minors (C.G.S. § 46b-150)
  2. Treatment for Sexually Transmitted Infections and HIV (C.G.S. § 19a-581)
  3. Pregnancy and Reproductive Health Services (C.G.S. § 19a-425)
  4. Drug and Alcohol Abuse Treatment: Minors who are at least 16 years old can consent to drug and alcohol abuse treatment without parent/guardian involvement. (C.G.S. § 17a-685)
  5. Mental Health Treatment: CT law allows minors aged 16 years and older to consent to outpatient mental health treatment without parent/guardian consent. (C.G.S. § 17a-701 and § 19a-14c)
  6. Contraception Services (C.G.S. § 19a-41)

“Minor” is defined differently in the laws referenced above.

Find a full list of Connecticut laws related to the rights of minors at the Connecticut Judicial Branch’s Law Library.

Confidentiality Laws Related to Communication Between Schools and Healthcare Providers

Family Educational Rights and Privacy Act (FERPA)

FERPA is a federal law that protects the privacy of student education records and gives parents and eligible students (students who are 18 years of age or older or attending a postsecondary institution) certain rights regarding the access and disclosure of records. The law applies to educational agencies and institutions that receive federal funding, including schools and colleges.

FERPA aims to strike a balance between protecting student privacy and allowing the appropriate sharing of information for legitimate educational purposes.

Here are some key aspects of FERPA that specify protections for student record privacy:

  1. Consent Requirement: FERPA requires educational institutions to obtain written consent from parents or eligible students before disclosing personally identifiable information from a student’s education records to third parties, except in specific situations where disclosure is allowed without consent.
  2. Right to Inspect and Review: Parents and eligible students have the right to inspect and review the student’s education records maintained by the school. This includes records such as transcripts, attendance records, and disciplinary records.
  3. Control over Directory Information: FERPA allows educational institutions to designate certain information about students as directory information. However, parents and eligible students must be given the opportunity to opt out of the disclosure of directory information.
  4. Limited Exceptions to Consent: FERPA permits disclosure of education records without consent in certain circumstances, such as to school officials with legitimate educational interests, to comply with a judicial order or subpoena, or to protect the health or safety of the student or others.
  5. Record Security and Maintenance: Educational institutions are required to implement appropriate measures to safeguard the confidentiality and security of education records and prevent unauthorized access.
  6. Parental Rights for Dependent Students: FERPA grants certain rights to parents of dependent students. For students who are dependents for tax purposes, the rights under FERPA typically belong to the parents.

Connecticut General Statute (C.G.S.) § 10-220

C.G.S. § 10-220 is a part of the Connecticut Education Law and outlines the confidentiality of student records, including health records, held by educational institutions. It ensures the privacy and security of student information and establishes guidelines for the release and handling of student records by schools, including the requirement that a school obtain the written consent of a student’s parent or legal guardian before it can disclose the student’s health records/sensitive health information to external entities.

Application of FERPA and HIPAA Laws to Student Health Records

Understanding the differences in the requirements imposed by FERPA and HIPAA is important for all those caring for children and youth with mental health challenges. To learn more, see: Joint Guidance on the Application of the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to Student Health Records, from the U.S. Department of Health and Human Services and the U.S. Department of Education, 2019.

School-Based Health Centers are licensed through the Department of Public Health and thus abide by HIPAA requirements but also tend to the requirements set forth by FERPA. To learn more, see: Gudeman, R., & English, A. Information Sharing and Confidentiality Protection in School-Based Health Centers: A Resource Guide to HIPAA and FERPA. School-Based Health Alliance; 2023.