Addressing Privacy Concerns of Using Mental Healthcare via Telehealth

October 03, 2022 | Maggie Davis, Evan Han

Access to mental healthcare was already in short supply prior to the COVID-19 pandemic and unprecedented demand continued to surge during the response. Global prevalence of anxiety and depression increased by 25% within the first year of the pandemic, a rate nearly double its 13% increase from 2007 to 2017. As of Sept. 20, 2022, the U.S. Preventive Services Task Force is recommending screening adults younger than 65 for anxiety for the first time. The implementation of social distancing to curb the spread of COVID-19 led to expanded use of telehealth practices to meet healthcare needs where possible.

Identifying a sufficient number of licensed mental health professionals to meet the higher demand for services has been a challenge for state and territorial public health leaders. Some states have joined interjurisdictional licensing compacts that allow a mental healthcare provider licensed in one state to provide care in another state—without needing to gain licensure in multiple states. With states working to rapidly expand the available pool of providers, these agreements also offer guidance on patient privacy for services rendered remotely or from out-of-state.

Current Privacy Protections for Mental Healthcare

There are several policy challenges related to meeting increased demand for mental healthcare, one of which is to protect patient privacy. Some people do not seek needed services because they are concerned that their confidential mental health information may be leaked. A recent White House brief noted that in 2020, 12% of people did not get the mental healthcare they needed because of privacy-related concerns.

The Health Insurance Portability and Accountability Act (HIPAA) allows healthcare providers to share protected health information (PHI) with other providers to assist in a patient’s treatment. However, providers may only share the “minimum necessary” information to achieve the intended goal. Healthcare providers are prohibited from disclosing PHI—such as whether a person is receiving mental health services or what a patient shares with a provider during a session—to employers, family members, friends, or others not involved in the patient’s care in a professional capacity. Providers that violate the HIPAA Privacy Rule—either knowingly or accidentally—can face civil and criminal penalties.

One consideration for minimizing accidental disclosure of PHI for telehealth services is cybersecurity measures that protect PHI from being accessed by third parties. Prior to the COVID-19 pandemic, there was a limited number of technical platforms that complied with the security standards established under the HIPAA Privacy Rule. To expand access to telehealth services during the pandemic, HHS’s Office for Civil Rights declared a Notification of Enforcement Discretion for Telehealth on March 17, 2020, that relaxed HIPAA enforcement to allow healthcare providers to use popular technology services like FaceTime and Zoom to provide telehealth services.

Although providers are temporarily allowed to use these technologies, professional organizations have strongly encouraged them to take additional precautions to ensure that PHI is not inadvertently disclosed. Some of the recommendations to prevent inadvertent PHI disclosure using telehealth include ensuring that patient conversations occur in a private place and adjusting the security and advertising settings of the platforms to restrict disclosures of patient contact information to advertisers.

In addition to federal protections, some state laws require healthcare providers to take additional steps to ensure patient privacy and confidentiality. These additional protections can include requiring written protocols for secure storage, transfer, and access to patient records.

Clarifying Interjurisdictional Privacy Challenges

The Psychology Interjurisdictional Compact (PSYPACT) is one of several long-term or permanent interstate telemedicine compacts to provide mental healthcare. Not only does it allow licensed psychologists in participating (i.e., “home”) states to provide telepsychology to individuals in other participating (i.e., “receiving”) states, it also clarifies how each state’s laws will affect an interstate telepsychologist. Mental healthcare providers in these PSYPACT states are required to follow the laws of the state in which the patient resides.

To practice telepsychology under PSYPACT, providers must be certified by the Association of State and Provincial Psychology Boards and authorized to practice by the PSYPACT Commission. Once authorized, the psychologist’s telepsychology practice is also under the scope of practice of the receiving state.

Disciplinary actions against authorized practitioners can occur when statutes and regulations from either the home state or receiving state are violated. The home state can take disciplinary action against a psychologist’s license, while the receiving state can take disciplinary action on a psychologist’s authorization to practice.

Currently, there are 31 PSYPACT-participating states. In 2022, three states (Connecticut, South Carolina, and Rhode Island) enacted legislation to join PSYPACT. Additionally, three states (New York state, Michigan, and Massachusetts) and the Commonwealth of the Northern Mariana Islands considered legislation during the 2021-2022 sessions to join PSYPACT.

State Health Privacy Laws in PSYPACT States

A 50-state survey of healthcare information privacy laws shows that at least 13 of the 31 PSYPACT states (Arizona, Delaware, District of Columbia, Indiana, Maine, Minnesota, New Hampshire, New Jersey, Pennsylvania, Texas, Washington, West Virginia, and Wisconsin) have state privacy laws in addition to HIPAA privacy protections. Telehealth providers serving patients located in a state with additional privacy protections are required to comply with the privacy laws in the state of the patient receiving care. For example, some states require providers to maintain records on who has accessed a patient’s record.

As more states join PSYPACT, the number of psychologists authorized to practice under it will likely increase. This growth makes it more important for practitioners to be aware of state health privacy laws as they consider whether they should provide telepsychology to patients in certain states.

Other Ways State Legislatures Expand Telehealth Access

Beyond joining agreements like PSYPACT, some states enacted laws to expand access to mental and behavioral telehealth services in the future. In March 2022, Ohio enacted HB 122, which prohibits health insurance plans from charging higher co-pays for telehealth services than services provided in-person. The new law also expressly allows school psychologists to provide care to students via telehealth.

In April 2022, Maine enacted LD 1758, which enabled licensed mental health and behavioral health facilities in the state to gain informed consent from potential patients through verbal, electronic, or written means—rather than requiring an in-person appointment—during public health emergencies.

In August 2022, the California General Assembly passed AB 2089 to clarify that mental health mobile apps are subject to the California Confidentiality of Medical Information Act. If passed, this bill would strengthen privacy protections for residents who use commercial services, which are not providers covered by HIPAA, to support mental healthcare.

ASTHO will continue monitoring important policy developments in this area.