Privacy, consent, and the electronic mental health record: The Person vs. the System.

As electronic health record systems become widely adopted and proposals are advanced to integrate mental health with general health systems, there is mounting pressure to include mental health information on the same basis as general health information without any requirement for active, individual patient consent to do so. A prime example is the current effort to change the Mental Health Information Act of the District of Columbia, which has, up till now, stood as a model for protection of the privacy of patients with mental illness, the requirement of informed consent for disclosure of health information, and delimitation of minimum necessary disclosure. Mental health information is exceptionally sensitive and potentially damaging if privacy is breached, which makes patients reluctant to seek treatment if they cannot be assured of confidentiality. In addition, there have been spectacular breaches of the security of large electronic health record databases. A subtle but more likely threat is the possibility that mental health information in networks could be fully accessible to all of the patient's providers in a network, not just those for whom it would be necessary to the patient's care. In the 1996 Supreme Court decision in Jaffee v. Redmond, the high court recognized that confidentiality is essential for patients to engage in effective psychotherapy, and HIPAA maintains that special status in the protection of psychotherapy notes as well as explicitly stating that it defers to state laws that are more protective of confidentiality than is HIPAA itself. Highly sensitive information also exists in mental health records aside from psychotherapy notes. Any change in the laws that govern informed consent for disclosure of mental health information must take these factors into account. Specifically, the author opposes any change that would assume tacit consent to release mental health information through an electronic health information exchange in the absence of a patient-initiated request to "opt out"; the requirement that the patient give active, informed and non-coerced consent to disclose information--"opt in"--must be preserved.