Behavioral health professionals know that note-taking is an essential component of great patient care. Detailed notes help mental health professionals diagnose and treat patients quickly and accurately. They also help patients make informed decisions about their health.
All healthcare professionals are required to properly document medical information. In the mental health field, counselors, psychologists and other professionals rely on insightful and thorough progress notes and psychotherapy notes to devise treatment plans.
Progress notes and psychotherapy notes are equally important but vastly different. They both must comply with privacy standards in their own way.
In 1996, Congress passed the Health Insurance Portability and Accountability Act (HIPAA) to protect the privacy and safety of health information. The Standards for Privacy of Individually Identifiable Health Information, or the Privacy Rule, was issued to implement HIPAA.
Since 2003, the Office for Civil Rights (OCR) has received over 177,854 complaints and has made over 884 compliance reviews. Since a HIPAA violation is not something a healthcare practice wants for their reputation or a patient’s well-being, it’s important every healthcare employee is aware of HIPAA standards and the consequences of privacy violations.
In this post, we will explore HIPAA regulations and how they differ between psychotherapy notes and progress notes. We will also look at the different items psychotherapy and progress notes include, and why they are both necessary components of patient care.
What Are Psychotherapy Notes?
Psychotherapy notes, also called process or private notes, are notes taken by a mental health professional during a session with a patient. Psychotherapy notes usually include the counselor’s or psychologist’s hypothesis regarding diagnosis, observations and any thoughts or feelings they have about a patient’s unique situation. After learning more about the patient, the counselor can refer to their notes when determining an effective treatment plan.
These notes are kept separate from medical records and billing information, and providers are not permitted to share psychotherapy notes without a patient’s authorization. The patient does not have the right to access these notes. In general, psychotherapy notes might include:
- Questions to ask supervisors
- Any thoughts or feelings relating to the therapy session
Unlike progress notes, psychotherapy notes are private and do not include:
- Medication details or records
- Test results
- Summary of diagnosis or treatment plan
- Summary of symptoms and prognosis
- Summary of progress
Psychotherapy notes receive special protection under the Privacy Rule because they contain sensitive information and because they are a therapist’s personal notes. They do not contain information related to a patient’s medical records, treatment or healthcare operations and therefore do not need to be shared with patients or staff. These types of notes are meant to help the therapist do their job the best way they can.
If a counselor sees a reason to share their psychotherapy notes, they must first obtain authorization from the patient. However, the following circumstances do not require authorization and, in some cases, a counselor may be required to disclose their notes:
- To use the notes for treatment
- To defend themselves in court
- During a Department of Health and Human Services (HHS) investigation
- As required by law
- To prevent a serious threat to public health or safety
- For the lawful activities of a medical examiner or coroner
Because psychotherapy notes are not a required part of a counselor’s job and are only meant to help a counselor treat a patient, there is no required format a counselor must follow. Therapists can create their psychotherapy notes however they wish. For example, the notes can be written in shorthand and be illegible to others without consequence.
However, it is still the counselor’s responsibility to make sure the notes are not read by anyone else. They must keep the notes secure and confidential at all times. To avoid a HIPAA violation, a mental health professional does not want to keep a notepad filled with private information out in the open, for example.
Psychotherapy notes were not always protected. In the past, healthcare insurers made decisions based on patient information including psychotherapy notes. Now, under the Privacy Rule, patients can, in some cases, refuse to have that type of information released. Psychotherapy notes are not required for insurance purposes.
What Are Progress Notes?
Unlike psychotherapy notes, progress notes are meant to be shared with other healthcare workers who assist with a patient’s treatment plan. Progress notes inform staff about patient care and communicate treatment plans, medical history and other vital information. Without accurate and up-to-date progress notes, healthcare professionals would need to start from the beginning each time they met with a patient. They would waste time and increase the risk of making a medical mistake.
It’s best for progress notes to follow a template, so all staff members document in the same way. Progress notes should be easy to access, clearly written and consistent in style to help minimize mistakes or misunderstandings. Progress notes are also essential documents in regards to billing and reimbursement.
Healthcare providers are required to keep accurate progress notes to legally protect their patients and provide care for patients they see on a daily basis. Each progress note must address the following four components — subjective, objective, assessment and plan (SOAP).
- Subjective: Describes the patient’s current condition as explained by the patient. The “chief complaint” is required. For example, if a patient complains of chest pain and a cough, this would be the chief complaint. A history of the patient’s symptoms is also recorded here in the patient’s own words.
- Objective: Includes findings from a physical examination.
- Assessment: Includes a summary of the patient’s diagnosis.
- Plan: Includes what the healthcare provider will do to treat the patient. The plan portion of a progress note also includes follow-up information, referrals, lab orders and a review of all the medications a patient is taking.
Although progress notes are read by trained staff on a regular basis, they are still protected under the HIPAA Privacy Rule. In general, the following information is protected under HIPAA:
- Any individually identifiable health information relating to the individual’s past, present or future physical or mental health
- The type of healthcare provided to the individual and the reasons for the care
- Information regarding the past, present or future payment for the care and treatment given to the individual
Individual identifiers include information such as name, address, birth date or social security number.
As with most rules, there are a few exceptions. A healthcare provider may disclose or use a patient’s medical information or progress notes when:
- The Privacy Rule permits
- The patient authorizes use or disclosure in writing
In some cases, a healthcare provider is required to disclose patient information. This occurs when:
- The individual requests their information
- The HHS is conducting an investigation and requests the information
- Law enforcement requests the information
Sometimes a healthcare provider is permitted to disclose patient information to protect a patient or the public from harm. The following circumstances do not require a patient’s authorization for disclosure:
- For treatment, payment or healthcare operations
- For public interest and benefits as required by law to prevent or control a disease
- For government authorities in cases of abuse, neglect or domestic violence
- For health oversight agencies during audits or investigations
- For judicial or administrative proceedings
- For law enforcement purposes
- For funeral directors, medical examiners or coroners as needed
- For research purposes
- When there are threats to public health or safety
- For essential government functions
- In regards to workers’ compensation law
When an individual is incapacitated, in an emergency situation or not available, a healthcare professional may use their best judgment in deciding to disclose patient information to family members or personal representatives. In such a case, they could use an informal authorization from the patient if possible.
Under HIPAA law, a healthcare provider must train all employees, volunteers and trainees to comply with privacy policies and procedures, and they must discipline those who violate HIPAA regulations. It is every healthcare provider’s responsibility to make sure all data, like progress notes, is secure at all times, whether they need to shred paper documents or make sure electronic passcodes are set.
Because HIPAA requires highly secure record-keeping, it’s best for healthcare practices to take proper precautions and store records electronically. When progress notes are stored electronically, they can be protected with passwords and virus protection. However, paper documents can be easily damaged, lost, misread or accessed by the wrong people and offer little protection for the patient.
What Are Best Practices for Psychotherapy and Progress Notes?
All protected health information (PHI) must be safeguarded according to the Privacy Rule, whether the information is stored electronically or on paper. The Security Rule, on the other hand, applies only to electronic protected health information (EPHI) and does not apply to information stored on paper or given orally.
Under the Security Rule, the following safeguards must be used to protect electronic information:
- Administrative safeguards: Refers to administrative functions implemented to ensure security, such as security training.
- Physical safeguards: Protecting data storage sources from environmental hazards and intruders by restricting access and having backup computers.
- Technical safeguards: Using automated processes to protect information and control who can access information.
To reduce the risk of a Security Rule violation, healthcare providers need to:
- Assess potential risks: Assess and identify any potential risks to the confidentiality of EPHI and implement plans to reduce risks. For example, security management needs to make sure files are protected by passwords. Likewise, computer workstations should be located in rooms with locks on the doors.
- Develop a sanctions policy: Make sure policies are in place, and employees are aware of the policies, to implement sanctions on those who violate security standards. Each employee must be trained in security standards. For example, employees should know not to share passwords or write down passwords and leave them in the open.
- Develop a data backup plan: Make sure to have a backup plan in case of an emergency like a fire or natural disaster to keep information protected and secure. Plan to have exact copies of retrievable information in an emergency situation.
- Practice business safety: Make sure there are contracts with outside entities to ensure security and HIPAA compliance.
- Consider the environment: All data equipment should be kept in a secure environment that is free of theft or unauthorized access. For example, make sure doors are kept locked or surveillance cameras are in place to provide protection.
- Dispose of information properly: Make sure employees know how to securely dispose of data when no longer in use, like using hardware erasure software.
- Control access: Each database user must have a unique identifier and password. It is also best to utilize automatic logoff capabilities and make sure data is encrypted.
A HIPAA violation can be detrimental to a practice’s reputation and a patient’s trust. Failure to comply can cost a healthcare practice thousands of dollars or more in fines, and the practice could also lose clients and damage its name. For example, Fresenius Medical Care North America, a provider of products and services for people with chronic kidney failure, agreed to pay the HHS $3.5 million to settle possible HIPAA violations. Patients can also file lawsuits against healthcare providers. Common violations include:
- Unauthorized use of patient information
- Unsecured patient records
- Patients being unable to have access to their records
- Disclosing information to third parties more than necessary
- Not having any administrative or technological safeguards for EPHI
Most commonly investigated organizations include:
- Private practices
- Outpatient facilities
- Insurance companies
Failure to comply can result in:
- A fine of $100 to $50,000 or more for each violation
- A calendar year cap of up to $1.5 million
- Up to ten years’ imprisonment
Penalties depend on the following factors:
- Date of the violation
- Whether or not the healthcare provider or entity knew or should have known of the failure to comply
- Whether or not a failure to comply was due to willful neglect
To protect your practice, employees, patients and yourself from HIPAA violations, make sure patient data is kept secure at all times — it’s an element of health care not to be overlooked.
The Benefits of EHR Software
HIPAA regulations do not need to cause daily stress in the workplace. Fortunately, there is software available to make security an effortless matter. Electronic health record (EHR) software keeps medical information and billing secure and makes sure HIPAA standards are followed without interrupting workflow.
EHR software protects important, confidential health information with a high level of security and efficiency, keeping progress notes, past medical history and demographics safe from unauthorized users. EHR software also makes information easily accessible for those with permission to use and record information. In general, EHR software helps healthcare professionals provide better patient care by:
- Boosting accuracy and reducing medical error
- Improving communication
- Reducing billing issues
- Consolidating information
- Reducing delays in care
- Helping patients make better decisions
- Improving the quality of care
ICANotes is behavioral health EHR software that ensures your electronic health records are HIPAA compliant. With ICANotes you can rest assured that all your data is secure, and you can enjoy more time with patients and less time with paperwork. Our intuitive software helps healthcare staff keep an accurate record of patient information while meeting all HIPAA standards. ICANotes features:
- Full encryption of transmitted data
- Password and username protection
- Private separation of psychotherapy notes
- Integration options
- Intuitive note templates for progress notes, therapy notes, treatment plans and more
- Billing solutions
- Organized scheduling solutions
ICANotes helps behavioral health professionals enjoy:
- Better workflow
- More time with patients
- Accessible documentation
- Greater documentation accuracy
- Secure and HIPAA-compliant data storage
- Comprehensive and customizable note-taking templates
With ICANotes you can spend more time doing what you love to do — caring for your patients. Put the focus back on patient care and enjoy your career with ICANotes. For more information, request a free trial, watch a live demo or contact us today.