Search Terms



About LER Mental Health Professionals need quick access to a reliable, inexpensive resource hub where law and ethics information can be found, its reliability verified, and questions asked without having to shoulder expensive legal fees. Click on California Laws to see some of the areas covered or see Sample Pages. You can also just click on Subscribe.

Welcome Students to the Law & Ethics Resource.
There is a vast amount of information on the web related to the laws and ethical standards affecting the mental health profession, but it is often difficult to verify what is current, accurate, and applicable to your practice. For that reason, LER connects you to continuously updating official statements of the law, making it a trusted legal resource.

Subscribing to LER gives you a year of continuously updating information with links to the official statements of the laws that affect your practice.


Are Your Business Associate Agreements Up to Date? 

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced that a Rhode Island hospital had paid $150,000 to resolve claims that it had disclosed patient information to its business associate, without obtaining satisfactory assurances required under HIPAA.  Women & Infants Hospital of Rhode Island disclosed protected health information (PHI) to Care New England (CNE) Health System which provided technical support and information security for the hospital’s information systems. During the course of an investigation by OCR into the loss of backup tapes containing PHI, OCR found that the hospital’s business associate agreement with CNE had not been updated since March 15, 2005, and thus did not incorporate revisions required under the 2013 HIPAA Omnibus Final Rule. In addition to the underlying breach of PHI, OCR found that the hospital failed to implement appropriate safeguards related to the handling of the PHI contained on the backup tapes and failed to provide timely notification to the affected individuals. 

Mental Health Professionals, with rare exceptions, are "covered entities" under the Privacy Rule. Prior to sharing PHI with a business partner such as a contractor or billing or copy service, a properly executed business associate agreement is required. The degree to which a Mental Health Professional must have a privacy program in place may vary significantly with the size of the MHP's practice. However, the OCR statement makes clear that there is no excuse for not having at least a "standard template business associate agreement" in place.  Model business associate agreement provisions can be found at OCR's page here.

Lack of Business Associate Agreement Costs Provider $750,000 

A Raleigh, North Carolina Orthopedic Clinic has agreed to pay $750,000 to settle charges that it potentially violated the HIPAA Privacy Rule by disclosing PHI to a potential business partner without first executing a business associate agreement.  The failure to have an agreement in place left the health information of more than 17,000 patients vulnerable to misuse or improper disclosure, and violated 45 C.F.R. 164.502(e).  OCR warned in the HHS announcement published April 19, 2016 that "HIPAA's obligation on covered entities to obtain business associate agreements is more than a mere check-the-box paperwork exercise." "It is critical for entities to know to whom they are handing PHI and to obtain assurances that the information will be protected." 

CMS Releases Final Rule On Return of Overpayments.

The Centers for Medicare & Medicaid Services ("CMS") released its final rule today (Feb. 12, 2016) on the return of overpayments. The final rule requires providers and suppliers receiving funds under the Medicare/Medicaid program to report and return overpayments within 60 days of identifying the overpayment, or the date a corresponding cost report is due, whichever is later. Failure to comply with the rule may lead to False Claims liability.  As published in the February 12, 2016 Federal Register, the final rule clarifies the meaning of overpayment identification, the required lookback period, and the methods available for reporting and returning identified overpayments to CMS. Click here for the final rule. 

Identification. The point in time in which an overpayment is identified is significant because it triggers the start of the 60-day period in which overpayments must be returned. CMS originally proposed that an overpayment is identified only when “the person has actual knowledge of the existence of the overpayment or acts in reckless disregard or deliberate ignorance of the overpayment.” The final rule changes the meaning of identification, stating that “a person has identified an overpayment when the person has or should have, through the exercise of reasonable diligence, determined that the person has received an overpayment and quantified the amount of the overpayment. The change places a burden on healthcare providers and suppliers to have reasonable policies and programs in place which monitor the receipt of Medicare/Medicaid payments.

6-Year Lookback Period. The final rule also softens the period for which health care providers and suppliers may be liable for the return of overpayments.  As the rule was originally proposed, CMS required a 10-year lookback period, consistent with the False Claims Act. Now, overpayments must be reported and returned only if a person identifies the overpayment within six years of the date the overpayment was received. 

Guidance in Reporting and Returning Overpayments. The final rule provides that providers and suppliers must use an applicable claims adjustment, credit balance, self-reported refund, or other appropriate process to satisfy the obligation to report and return overpayments.  If a health care provider or supplier has reported a self-identified overpayment to either the Self-Referral Disclosure Protocol managed by CMS or the Self-Disclosure Protocol managed by the Office of the Inspector General (OIG), the provider or supplier is considered to be in compliance with the provisions of this rule as long as they are actively engaged in the respective protocol.

What's Wrong With Waiving Patient Copays?

The U.S Department of Health and Human Services' Office of the Inspector General ("OIG") published its list today of recent provider self-disclosure settlements. Included was the finding that Kentucky based Trilogy Health Services, LLC (Trilogy) and PCA-Corrections, LLC (PCA), improperly induced Medicare beneficiaries to fill their drug prescriptions at PCA locations by waiving Medicare Part D prescription drug copayment amounts without conducting an individualized determination of financial need for residents at 50 skilled nursing and assisted living facilities owned and/or serviced by Trilogy or PCA. Self-Disclosure refers to the self-reporting of violations under health care financing laws in order to avoid sharper financial penalties. Even so, Trilogy and PCA were required to pay $80,526 for allegedly violating the Civil Monetary Penalties Law provisions applicable to beneficiary inducements and kickbacks. Healthcare professionals often waive a patient's share of costs in response to financial hardship. But doing so, without documentation in the record of an individualized assessment as to that patient, may subject a provider to liability including civil monetary penalties. Having a written policy that addresses when and how to waive a patient's share of cost is a true ounce of prevention.

HHS OCR Announces 2016 Push of Patient Access To Records.

While the HIPAA Privacy Rule has always provided individuals with the right to access and receive a copy of their individual health information, the OCR has recently determined that "far too often individuals face obstacles to accessing their health information, even from entities required to comply with the HIPAA Privacy Rule." Therefore, on January 7, 2016, the OCR began a patient outreach and education campaign beginning with the first in a series of Frequently Asked Questions (FAQs) to further clarify individuals’ core right under HIPAA to access and timely obtain a copy of their health information with very few exceptions. 

Mental Health Professionals are reminded that "psychotherapy notes" are not subject to HIPAA's patient access requirement. "Psychotherapy notes" means "the personal notes of a mental health care provider documenting or analyzing the contents of a counseling session, that are maintained separate from the rest of the patient’s medical record. (See 45 CFR 164.524(a)(1)(i) and 164.501.) The OCR's FAQs and other patient information may be found at the OCR’s website here.

Mental Health Professionals and California's End of Life Options Act.

California's "End of Life Option Act" was signed into law by Governor Jerry Brown on October 6, 2015. The new law will permit a qualified adult with a terminal disease to receive a prescription for an aid-in-dying drug if certain conditions are met.  Conditions include there being two oral requests a minimum of 15 days apart, a written request to the patient's attending physician signed by two witnesses, a referral by the attending physician to a consulting physician for confirmation of the diagnosis and the patient's capacity to make medical decisions, and a  referral of the patient, if indicated, to a mental health specialist.  Although the bill was initially introduced to the Senate as SB 128 and later withdrawn, it was resurrected in the Assembly in August 2015 as ABX2-15.  After passing the Assembly on September 9, 2015, it moved to the California Senate where it passed on September 11, 2015. The new law goes into  effect June 9, 2016. Read more here.

Health Care Group Settles HIPAA Violation for $750,000.00.

Cancer Care Group, P.C., (CCG) one of the nation's largest radiation oncology private physician groups, recently agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules for $750,000.00 after a computer storage device was stolen from an employee's car. The theft resulted in the loss of unencrypted health information related to approximately 55,000 patients. CCG employs 13 radiation oncologists serving hospitals and clinics throughout the state of Indiana. 

The U.S. Department of Health and Human Services, Office of Civil Rights (OCR), which conducts federal investigations into alleged privacy breaches, found that CCG was in widespread non-compliance with the HIPAA Security Rule prior to the breach. CCG had not conducted a systemwide risk analysis prior to the breach, and it did not have a written policy in place specific to the removal and handling of storage devices containing electronic Patient Health Information (ePHI).  

While most Mental Health Professionals do not transport the ePHI of 55,000 patients, it is still commonplace for providers to carry electronic devices including mobile phones, containing ePHI between their offices, cars, homes, and other worksites. Worse, they may still carry paper files to the copier at the local business service center. In justifying the significant fine imposed against CCG, the OCR noted the significant time that has passed since the April 21, 2005 compliance date under the HIPAA Security Rule.  The decision signals that outpatient health care providers risk substantial penalties for failing to conduct adequate risk assessments, and failing to have policies in place that protect ePHI in their control. 

California Residents Registered as Sex Offenders in Other States Must Continue to Register in California Even After Their Home State Has Terminated Registration

On August 26, 2015, the California Court of Appeal for the Second District determined that the obligation to continue life long registration in California may continue, even after the registrant's obligation to register in another state has ceased. In Crofoot v. Harris, Charles Crofoot was sentenced under Washington State law for communicating with a child for immoral purposes of a sexual nature, and required to register as a sex offender in that state prior to relocating to California. A post judgment order by the court in Washington released Mr. Crofoot from the requirement to register in that state after 10 years. Mr. Crofoot then brought a petition in the California courts claiming he should be released from the registration requirement in California as well.   The Crofoot court held that while the state of Washington may have a less stringent state law and policy, California is not required to adopt the Washington statute as its own.  The court emphasized that sex offender registration is for a different purpose than punishment. It is a civil protection law that requires life long registration so that California residents can track the location of convicted sex offenders and take protective measures. 

Limitations On Jessica's Law

On March 2, 2015, the California Supreme Court struck down the law's 2,000 foot restriction of Jessica's Law as it applied to San Diego parolees deciding that on the particular facts of In Re Taylor the restriction was unconstitutional. The Plaintiffs were registered sex offenders on parole in San Diego County who claimed the law violated their constitutional right to be free of unreasonable, arbitrary, and oppressive official action that bears no rational relationship to advancing the state's legitimate goal of protecting children from sexual predators. 

The Court found that in San Diego, the restriction effectively barred the parolees' access to approximately 97% of available housing, resulting in hundreds of paroled sex offenders being subjected to compelled homelessness.  Because this result interfered with the intent of the law which was to improve monitoring of convicted ses offenders, the 2,000 foot restriction was struck down as it applied to San Diego's efforts to "monitor,supervise and rehabilitate" the parolees.  Read more here.

Psychotherapist's Duty to Report Previously Reported Incidents of Abuse

The intent of CANRA is to impose on psychotherapists an affirmative obligation to report to a child protective agency all known and suspected instances of child abuse so that each incident may be promptly investigated and prosecuted. (People v. Stritzinger (1983) 34 Cal. 3d 505, 512.) This raises the question of whether a psychotherapist must make a report of abuse or neglect of a child that has been previously reported. The answer depends on a number of factors. To learn more, click here.

Copyrighted, 2015.


Powered by Wild Apricot Membership Software