Hello, and welcome to this CME presentation, How Mitigating Risk Can Help You. The content in this presentation is intended solely to provide general information concerning developments in the area of risk management. It is not intended as legal or medical advice, nor does it offer or solicit for offers with respect to any insurance product. Legal or medical advice should be obtained from qualified legal counsel or other professionals to address specific facts and circumstances and to ensure compliance with applicable laws and standards, and listeners should consult their own insurance advisors for information pertinent to the purchase of any insurance product. This content may not be reproduced or redistributed in whole or in part without the prior written consent of Allied World. This activity has been planned and implemented in accordance with the accreditation requirements and policies of the Accreditation Council for Continuing Medical Education through the joint providership of the American Psychiatric Association and Allied World. The APA is accredited by the ACCME to provide continuing medical education for physicians. The APA designates this enduring activity for a maximum of one AMA PRA Category 1 credit. Physicians should claim only the credit commensurate with the extent of their participation in the activity. No one in a position to influence course contents has anything to disclose. I'm Alison Funicelli, Assistant Vice President at AWACS Services, a member company of Allied World. I provide risk management services to Allied World's medical professional liability policyholders and insured psychiatrists, psychologists, psychiatric nurse practitioners, and physician assistants. So what are our objectives in this presentation? So we're going to cover explaining the role of risk management in a psychiatry practice, describe the types of claims most commonly brought against psychiatrists, understand general legal and risk issues when using technology and social media in the practice of psychiatry, and acquire tools to mitigate risk in a psychiatry practice. So what is risk management? So Enterprise Risk Management, or ERM, in healthcare promotes a comprehensive framework for making risk management decisions which maximize value protection and creation by managing risk and uncertainty and their connections to the total value. So I just said a lot. So what does that mean? So ERM basically means that providers and facilities should examine all aspects of risk that may affect their office practice or organization and employ best practices and tools to mitigate that risk and reduce the potential for financial and reputational loss. During this presentation, we'll discuss the proper utilization of risk management to mitigate potential damages related to injury liability, financial loss, and regulatory noncompliance. By avoiding or reducing the risk in these areas, we'll additionally help the psychiatrist to avoid a loss of reputation in the professional community. So what are the areas we're going to cover in this presentation? We're going to talk about psychiatric malpractice claims. We're going to talk about treating minors, terminating the provider-patient relationship, requests for information, documentation, office practices and procedures, medical record storage and retention, technology and social media, and confidentiality. So let's start by talking about psychiatry claims. So what are the elements for a plaintiff or patient or a patient's family member on their behalf to bring a medical malpractice claim? The plaintiff in the case must meet all four of the elements of negligence to be successful with their claim. First a duty. The plaintiff must show that a doctor-patient relationship was created, resulting in a duty of the provider to that patient. Next, the patient must prove, usually through expert testimony, a breach in the standard of care occurred, resulting in a causal link between that breach in the care and actual damages. So what is considered the standard of care? So while it can vary from state to state, it generally means that a physician must practice with a degree of care, knowledge, and skill ordinarily possessed by other physicians in the same specialty under similar circumstances. So what are some of the common claims or complaints that are filed against psychiatrists? Now keep in mind psychiatry is one of the lowest sued medical specialties, but if someone was to bring a claim, what is usually the overriding theme of the claim? So it could be patient suicide or violent behavior related. It could be improper diagnosis or improper treatment. There could be vicarious liabilities related to supervising others, lack of conformed consent issues, documentation issues, abandonment, civil commitment issues, or medication related. And most malpractice claims have some combination of these. So let's talk about treating minors. Note, the age of consent for mental health treatment and access to minors' mental health records varies widely by state and circumstances. Minors as young as 12 or as old in some states as 17 or 18 can consent to treatment and or consent to the release of their protected health information. And that includes even their parents. Some states require that a minor of a certain age has the right to tell their parents that they can't see their records without their permission. So it's important to know the state regulations in the states for your license to practice. So let's start with consents. Know the regulations in the state where the minor is located to determine if the minor has the right to consent for mental health treatment on their own. However, in most states, a parent or legal guardian is required to consent to prescribing medications to minors. When parental consent for treatment is needed, determine if the parents are married, divorced, or legally separated or is a single parent. For married parents, one parent needs to consent to treatment. For single parents where there is no custody agreement and the parent bringing the child for care represents that there is no other parent that's participating in the child's life, just document the information and get the consent from that one parent. If the parents are divorced or legally separated, it's best to obtain a copy of the custody agreement and follow the court's order. If the document states both parents have decision-making rights, obtain consent from both parents. If one parent is the sole decision-maker or has full legal custody, then get the consent from that parent. Some custody agreements provide a tiebreaker person when both parents are not in agreement to consent to care. It may be a guardian ad litem, it may be one of the two parents, it could be the child's pediatrician. So again, this document will guide you as to what you need to do. And it will also help to significantly decrease the risk of a claim or a licensing board complaint. Note, if the parent represents that they are the custodial parent, that just means that the child primarily lives with that parent. It does not necessarily take away the right of the other parent to consent to care. And the same is true for the release of medical records. Again, follow the custody agreement, obtain consent from the proper parties, follow your state regs, and determine who is allowed to have access to the records. Black box warnings or off-label use. When prescribing medications to minors, especially in situations of black box warnings or off-label use, make sure the parents and age-appropriate minors understand the risks and benefits of the medication and document thoroughly the discussion. It's recommended to get the parents and, if appropriate, the minor's written consent in these situations. And make sure to defend stronger if something comes up later. It's important, especially for older children, to have a discussion up front with the minor and the parents as to what the minor can discuss and the provider can maintain privately. I mean, of course, situations where the provider feels the minor may be a danger to self or others, that's a situation that's probably going to be discussed with the parents. But discuss with the parents that there may be some information the minor shares that the provider will keep confidential in order to gain trust and increase the chances for a successful outcome in the care so that the minor can speak more openly with the psychiatrist. Boundary issues are important. Minors need to understand when or if it is appropriate to reach out to the psychiatrist directly. Minors need to understand that, for both ethical and confidentiality reasons, providers cannot be friends on social media. Again, when there is a request for release of patient information, determine if the minor is required to consent to the release. Offer a summary of the records, if possible, in lieu of releasing the full records to limit disclosure of information. However, a provider cannot unreasonably withhold a copy of the records or face fines and penalties per the Office of Civil Rights. Parents and minors should be informed that there are circumstances where a provider may need to report abuse and neglect to law enforcement or CPS. This includes, depending on the state, specific circumstances and age of the minor and situations of physical or sexual assault. When faced with a situation of uncertainty, the psychiatrist should consult their personal counsel, who should be specializing in health care law, or a risk management consultant for guidance. Most malpractice carriers provide risk management services to their insureds, as well as most health care facilities have a designated risk manager or general counsel to assist. So let's look at this scenario here. A psychiatrist has been treating a 16-year-old male for a year. The parents are divorced and in the midst of a highly contentious court battle to change the visitation schedule. The mother is the current primary custodial parent. However, the father has visitation two days a week and every other weekend. The mother asks for a copy of her son's records in hopes that the documentation may assist her in gaining full custody of her son or decrease visitation with the patient's father. The patient has discussed with the psychiatrist conflict issues he has with his father. The father is unaware of the records request by the patient's mother and the documentation in the medical record discussing conflicts with the patient and his father. So what should the psychiatrist do in this situation? So first, understand that while you may not like why the mother wants a copy of her son's records, if the mother is entitled to access her son's records, they have to be provided to her. Unless, of course, it states that in this situation, a 16-year-old may be able to have his parent not see the records, but again, that's state-specific. The father, assuming that the custody agreement states he's entitled to his son's records, would also be allowed to have access to them. So to remain neutral in this situation, you could try to provide a summary if the parent says, okay, otherwise you have to give the records if that's what they want. I would recommend you give the records to both parents so that you're not showing favoritism of one to the other. And this way, you can't have a parent accusing you of taking sides, in this case, maybe leaning towards helping the mother. If you feel there is documentation that will be released that will cause harm, so more likely than not, harm will come to the patient, then release the information you feel is safe to release, and then I would consult an attorney or a risk management professional about what to do about the information you have a concern about. In addition, explain to the mother that releasing the full records may be harmful to her son. Unless your role in care is part of the custody evaluation, so like you might be involved with that court-appointed evaluation, but if you're not, then stay out of taking sides or the appearance of taking sides, and first attempt to do what's best for your patient. If you use psychotherapy notes, which are not progress notes, they're kept separate from the main part of the record, either in a separate tab in the electronic medical record or in a separate paper file, you might be able to use that as a way to jot down some information for yourself that might be super sensitive to the minor that doesn't necessarily have to be in the medical record. Certainly, we can't leave out information that's key in the record just to protect the minor. We have to do also our due diligence for documentation, because if the medical records are asked for, you don't give up the psychotherapy notes. But again, if you're in a situation and you're not sure what to do, ask for guidance from another professional. So next, let's talk about terminating the patient-provider relationship. So here's a scenario. A patient that a psychiatrist is treating for bipolar disorder suddenly stops showing up for a scheduled appointment. The psychiatrist tries repeatedly to reach the patient by phone and then by sending letters. The psychiatrist documented each call and maintained copies of the letters in the patient's medical record. Finally, the psychiatrist sent a letter indicating that she could no longer continue to see the patient due to a lack of response by the patient. Eight weeks later, the patient shows up at the psychiatrist's office and demands to be seen at their usual time. The psychiatrist schedules the patient for a new time, which the patient is very unhappy about. In response, the psychiatrist shows the patient the record of attempts to contact him during his absence. So how can the psychiatrist mitigate risk when terminating a patient from their practice? So we're going to go over the steps to take to try to avoid an abandonment claim, or if an abandonment claim is filed against you, hopefully you've taken all the steps necessary to have a strong defense. So perhaps the patient has been in absentee for appointments, like I just gave in that scenario. Perhaps they're not paying for services rendered. Maybe they've chosen to fire your services. Maybe they've transferred care to somebody else. Maybe they've just don't want to seek treatment from anybody. So there's all different reasons. Or maybe their treatment now that's required is outside your scope of what you can manage safely in your practice. So there's all sorts of various reasons why you might terminate care. So you should create office policies and procedures and incorporate them into your new patient paperwork as to how a patient may be terminated from your practice so there's no surprises later. Provide determination in writing. We recommend two copies that you send, two different, so send them one copy one way, one copy another. So you could send one regular mail, one certified mail, one regular mail, one through secure encrypted email. You could send one through a patient portal and one regular mail. So there's different ways to do it, but we recommend sending two copies because it shows you did a due diligence of trying to notify the patient that you try to notify them that they've been terminated. And the same is true like if a patient wants to fire you, just send a letter confirming. This is to confirm you've just, you've elected to transfer care or no longer seek services of care from my office, effective, you know, immediately or whatever it is. Also if you haven't seen a patient, they've been no show and they just kind of disappeared After a period of time, pick a period of time, if they haven't showed for three months, six months, whatever it is, you should have a letter that goes out saying this is to confirm since we haven't seen you in the last say six months. We assume you're receiving care elsewhere, we're closing your file. If appropriate, give the patient a 30 day refill of their meds so that they, that'll bridge them until they find a new provider and then you could offer up as another way to continue to get refills as maybe their PCP will continue to bridge them. Because each time if you keep refilling, refilling, refilling, then you're not really terminating. The other thing too is it's only if it's appropriate, like if you're terminating a patient because they're abusing controlled substances you're prescribing, you may decide you're not going to give them refills. You need to give referrals. Now if they're a problem patient, for example, if they're a problem for you, there'll be probably a problem for someone else. So we want to try to avoid referring our problems to our colleagues specifically. So you can give them places to go to get lists of names of people, maybe through their health insurer if they want to be in network, through maybe Psychology Today has psychiatrists to the County Mental Health Department. There's different ways. Now, if you're terminating because they need a higher level of care, there may be specific programs that you're referring them to and that would make sense. And also by providing lists. If you only give the names of three specific providers and those providers aren't taking your patients or decide they're not appropriate for their practice, you know, a lot of practitioners practices are full right now that they're gonna keep coming back asking for more referrals. So getting in places to go to get lists of names is helpful. They could also Google, you know, a provider for, you know, to find a provider in their area. Offer to provide emergency services for 30 days. Now, unless you have to immediately terminate somebody because they're exhibiting violence or threats against you and your safety is concerned and you need to contact say law enforcement or whatever, then you would do an immediate termination. But otherwise you wanna offer at least 30 days of emergency care. So this way they could call you if there's an emergency and then you can at least refer them to the ED or do a wellness check or whatever it is that you need to do. We don't want them to feel abandoned during that transition process. Again, handling immediate termination, you know, that's always a good thing to consult with an attorney or a risk professional when you're gonna do that. But again, you know, don't feel that, if you have a patient that's threatening or you have a safety concern for you or your office staff or something, you know, then you don't need to continue to associate with that person. You need to document the medical record with all the details related to the termination, including keeping a copy of the letter. It's also a good idea when you send the termination letter to attach a release of information form that the patient can sign if they want a copy of their records transferred to a new provider. And then you always wanna make sure you follow your state regulations. And again, you see on there, you're gonna hear me say a lot about, you know, consulting with a healthcare practice attorney or a risk manager because, you know, we're here to help you. And not just because you have a problem or an issue or concern, it could also just be because you have general questions or you have, you know, how do I go about doing something? How do I create policies and procedures, things like that. You know, use your other professionals to help and guide you so that you don't, I don't want you to feel alone, like you're on an island all deserted alone and there's no one there to help. Let's talk about documentation next, right? I wouldn't be a good risk manager if we didn't talk about documentation. So documentation is one of the key ways to help defend a malpractice case or licensing board complaint. Improper or lack of documentation are key ways for a plaintiff to use against you and show that there's like holes in the care because the old adage, you know, of if it wasn't documented, it wasn't done, you know, kind of applies. You know, certainly you could talk about what you customarily do, even if it wasn't documented, you know, and also you don't, you know, but again, it's stronger when you have stuff documented, at least important key things, you know, a memory state, so it's hard to remember if someone brings a claim years later, what you actually talked about. And it also kind of loses some credibility when you claim you remember a specific conversation five years ago in such intimate detail, right? Like, I mean, that wasn't documented considering the number of patients you're seeing. And so again, no, documentation just needs to be, it needs to be concise and yet sort of thorough, right? So we don't need the next American greatest novel where every time we see a patient, we're documenting pages upon pages of information, but we also don't want just a few sentences. We need to document appropriately, you know, based on whatever the office visit was about. So what is the plaintiff looking for regarding documentation? So a plaintiff attorney is looking if there's gaps or omissions in the records, conflicts and contraindications, especially when there's multiple people on the treatment team, you know, are they conflicting with each other with what they're documenting? Are there admissions of potential liability, altered records? I cannot stress this enough. It is nothing more frustrating than having a defensible case and now it has to be settled because the records were altered because the credibility of that provider goes out the window. It is better for the claims professional and defense attorney to have scant records than altered records. And we certainly want to try to avoid scant records, but we definitely want to avoid altered records. The other thing too is some malpractice policies may deny coverage for the claim if the records are altered. So be aware. And if it's really, really egregiously altered, there are sometimes criminal actions. Legibility issues, right? They're looking to see, can the records be, can you understand what the provider wrote? Are there unclear orders or orders not followed? Is there an invalid or improper consent? And then late entries. So you can have late entries in a record if it makes sense. If you remember something minor, sometimes it's better to leave it out if it doesn't really matter. We never want to go back and start adding stuff after a request for records comes in. Before we start changing things in records, it's always, again, good to talk to a risk management professional or an attorney. And if you're going to add something that is key that you realize you forgot or you realize you documented something incorrect, like maybe you wrote in the wrong patient's record something, then don't start scribbling stuff out or deleting stuff in an electronic record. You just put a brand-new note with the current date and time and reference the other note saying, in addition to what happened on Monday, here's some additional information related to that visit. Or correction, the note on Monday at 4.52 p.m. belonged incorrectly to, accidentally to the wrong patient. Here's the correct record. However, but again, you might want to consult with somebody before you start making changes to the records. So legal case for documentation, right? So it is necessary to have medical records because the documentation must support the billing for services, the patient's care that was provided and substantiate that it was good patient care. It may be needed for quality assurance reasons, especially if you work in a facility. There are regulatory requirements and legal requirements that you must document. You're not allowed to not have records for patients. And it is, as I said before, essential in defending a malpractice claim or licensing board complaint. So documentation specific in psychiatry. So what should be documented? The diagnosis and treatment. Suicide or, and, or, you know, and I'm going to do the next two together, suicide risk assessment and violence towards others, right? Document a few sentences to support the suicide assessment you did in lieu of just documenting no SIHI for no suicidal or homicidal ideation. Just jot a couple of sentences down as to why you feel that, right? Because someone's going to ask you, if something happens later and a patient attempts or complete suicide or lashes out against somebody, you know, you want to be able to substantiate why you thought at the time when you saw them, they were not a suicide or violent risk. You know, again, having detailed contemporaneous documentation is important. Document medications prescribed and the risks, alternatives, and benefits discussed with the patient, you know, that informed consent. When prescribing controlled substances or medications used for off-label use or have black box warnings, use a medication consent form with the patient. Have them sign off that they understand. Include in the records the patient's adherence or lack thereof to the treatment plan. If you have formal consultations in collaborative care, those should be documented. I'm not talking about those informal consultations where you might say, hey, Joe, you know, I got a situation, like what do you do in these situations, right? Like that's sort of more informal. It doesn't have to be documented, but when you have a formal documentation or collaborative care, there should be records related to that. The record should contain all medical tests performed, the results, and the proof that the results, whether they were benign or there was something positive that came out of them, should be that they were conveyed to the patient. We want to convey even benign results. We want to get away from sort of the old school approach of, oh, no news is good news, because sometimes we can fall into a trap with that. And a patient assumes by hearing nothing that their, say their blood work was fine, and in fact, it wasn't. Document any boundary issues and how the situation was handled. As discussed earlier, document when you terminate a patient from your practice and when the patient terminates with you. So let's do another scenario. So a psychiatrist treated a patient with depression for two years. He prescribed medication and scheduled to see the patient monthly. The psychiatrist documented a lack of side effects with most visits. The patient died, and the cause of death was toxicity caused by the prescribed medication. The psychiatrist last saw the patient in his office two days before she died, and did no objective documentation as to whether or not she was experiencing any side effects. The patient's family filed a lawsuit, and one of the primary allegations was that the psychiatrist did not appreciate the patient's presentation of toxicity during that last visit. And had he done so, she would have been referred for immediate medical treatment and her death would have been prevented. The psychiatrist indicates that he remembers examining the patient and there were no side effects, even though he didn't document it. The family contends that in the days leading up to her death, the decedent complained of visual disturbance, slurred speech, and some unsteadiness when walking. So as you can see in this scenario, the scenario becomes one of he said, they said between the provider and the family. If the provider documented a discussion with the patient regarding how she was feeling on the medication, and what if any side effects she was feeling, the case would be more defensible as opposed to relying on his memory. The physician relying on the position if the patient in fact had these side effects, he would have clearly been evident during the visit, and he would have documented it is not a strong defense. Because maybe the symptoms were intermittent. Maybe they didn't exist at all. But either way, we can't just rely on, well, if that's what the family says, and that's how she presented to me, I would have obviously said something or done something. So again, we wanna have good documentation to provide a good, strong defense. So next, let's talk about office practices, policies, and procedures. So what kind of policies and procedures should a practice have? And again, you may have different ones and how in-depth they are, depending on if you're a solo practitioner with no staff, or if you have staff, or you own or run a clinic, or you have a large group practice. So some of these may be more comprehensive. So we wanna show in our policies and procedures that there's a consistency in the practice, that we're setting patient and staff expectations, that we're supporting professional reputation, and when followed, can assist with the defense of claims and licensing complaints. We don't wanna create a policy and procedure and then never follow it. Because if we are sued, or we have a complaint, and then we say, yeah, well, I have them, but I don't follow them, it's not gonna help you. Then what's the point of having them? So what are some of the policies and procedures you should consider? So supporting and maintaining patient confidentiality and privacy, including staff signing a confidentiality agreement. Documenting telephone calls, and emails, and text exchanges with patients, with staff, as well as the provider, needs to be done. Because any kind of communication with a patient counts as something that should be documented. The patient always has the option to opt in or out of electronic communications. So if they opt in, they later have the option to opt out if they choose. The process for requests for release of protected health information, including medical records. The practice should also follow the state requirements for maintaining, storing, and retaining medical records. HIPAA requires medical records to be maintained for at least six years after the patient was last seen. Some states require longer retention periods, especially for minors. And then you should also have a policy for how and when records will be destroyed. Patients should be aware of the expectation for medical and lab testing that the provider may require, including the type and frequency of testing. Patients need to know that lack of compliance may result in termination from the practice or non-renewal of their medications. Every practice in today's day and age should have a social media policy for the providers, staff, and patients to follow. Providers and staff should not friend patients on social media, nor should staff be posting information about the office practice publicly without the consent of the owner of the practice. The office practice should have a policy of the importance of compliance with care for patients and the compliance with the office staff policies with staff as well. Lastly, in practices with supervisory situations, both the supervisors and the supervisees need to have a supervisor policy including, for example, when the supervisees are required to consult their supervisor, the sign-off expectations by the supervisor, documentation expectations, periodic auditing of the charting, et cetera. Remember, practice attorneys and risk management professionals are well-suited to assist providers with creating and reviewing office policy practice and procedures. So, I just touched a little bit on this, but we're going to now talk a little more in detail about medical record retention and storage. So, it's important to create a policy and procedure for the maintenance and storage of medical records. Paper records should be maintained in a secure area with access to only those staff that need access to perform their job function. The same is true for electronic medical records. Each staff member should have their own logon credentials and only be able to access information necessary for their job. If a provider keeps psychotherapy notes, they must be maintained separate from the main portion of the record in a separate paper or electronic folder and should only be accessed by the provider creating them. By doing so, highly sensitive information can be kept extra protected and does not need to be released with medical record requests. I want to refer you to the HHS.gov website. You can just Google, you know, HHS.gov psychotherapy notes, and it'll explain the extra protections provided you follow the rules. As mentioned earlier, keep the medical records for as long as required by state statute or HIPAA, whichever is longer. Keep in mind that the medical malpractice statute limitations for both adults and minors in your state, as that might be the longest time necessary. So whatever is the longest period of time is what you should say, do. HIPAA is six years. If you have a state statute that's longer, you want to keep it that long. If you have a statute limitations that's even longer, you want to keep it for that. So make sure you keep the records as long as any of, you know, whatever is the longest of any of those. If the records are ready for destruction, contact a HIPAA-compliant vendor and obtain a business associate agreement with the vendor, stating the vendor will comply with HIPAA, or if you are destroying the records yourselves, make sure that they are burned or cross-shredded and completely destroyed. Cross-shredding meaning it comes out looking like confetti in the shredder, not those long skinny pieces that technically could be taped back together. For electronic records, consult your EMR vendor or an IT professional certified in healthcare information systems for electronic records, because they also may not be actually destroyed. You think you might have deleted them, but you did not. Records should not be stored in areas accessible to others and should not have access, you know, to places like in your home where you have people coming and going and can access the information, like say they're just in a box in the closet. There are medical record storage companies that can store records for you as well. And again, if you use one, obtain a business associate agreement, which you are required to get under HIPAA, but also it protects you. So if they are the ones that cause a breach in HIPAA, then they should be indemnifying and defending you in that situation. So again, just to sum up with record retention, HIPAA requires you keep records at least six years, some states longer, and be mindful of what the statute of limitations is. Because if you're treating minors and it says you have to keep them say like two or three years after they each reach the age of majority and you're treating an eight or nine-year-old, that's a long time. You want to make sure you keep them that long because if you get sued for malpractice, you want to make sure you have those records available and not destroy them prematurely. I also recommend you keep a destruction log or ask a vendor to do so, which basically states if you have like a medical records company that's going to be destroying them after housing them for you, is to write down like the patient's name, their first and last date of treatment, the date the records were destroyed, and the manner in which they're destroyed. So this way if somebody does ask for records after they're destroyed, you can affirmatively say they were destroyed by looking at a list as opposed to saying, well, I can't find them, therefore they must have been destroyed because they're old, because then you could get hit with a missing document charge and you want to avoid that. So next let's talk about the release of mental health information. So medical records are required to be kept confidential. Mental health records in particular contain highly sensitive information. In most situations, a patient needs to sign a release of information form stating what they want released, to whom, and how, such as mailed or sent through a secure portal or through encrypted email. If a patient asks for their records to be sent by an unencrypted email, ask the patient to sign a form stating that they accept the risk of sending HIPAA protected information in an unprotected manner. Ask your patient to sign a request for information form even if they want the records for themselves. This way it's very clear what they want. The request of information form should specifically state the consent is to be releasing mental health records, not just medical records. First off, a summary of the records might be appropriate, so you may want to offer that. But again, remember, you can't unreasonably withhold the actual records from the patient, so if they want the actual records, you need to release them. Now for couples counseling, this is a different situation. For couples counseling, they need to know up front, if either party decides they want a copy of the records, both of them have to sign consent. Now if you're also seeing them each separately and you want to give them their part of those separate records, that's fine, but the joint records, they both need to consent to release them. And they should know that up front. For minors, determine if the minor has the right to consent to release the records. And again, if the parents are signing the request for information form, determine if they're divorced, who has the consent to release it, and are they entitled to that information or not. If you receive a subpoena, court order, or other legal document demanding records or testimony related to records, immediately report it to your medical malpractice carrier, because they can assist you in properly responding. If the patient is deceased, for minors, the parents are typically entitled to the records. For adults, if the patient consented to have a particular family member, while they were alive, to have that particular family member access their records, then you can give it to that particular family member. However, if the patient did not consent for access to their mental health information while they were alive to a particular family member, and that family member wants the information, you need to ask that family member to show proof through a document provided by the probate court, not the will, but a document provided by the probate court stating that they are in charge of that patient's estate. And once they provide that proof that they are allowed to access the information, then you can release it. Again, anytime you're in these situations and you're not sure what to do, ask for help. So next, let's talk about psychiatry, technology, and confidentiality. So when using technology in an office practice, you need to consider confidentiality, professional reputation, boundary issues, and following the standard of care. So let's start with confidentiality. So this needs to be considered when communicating with patients as well as about patients to others. Use of email and text. So emails and texts may be private, but they're not confidential. And we use those terms interchangeably a lot, but they actually mean two different things. So keeping someone's information private means that you're not going to share it with others. However, confidentiality refers to the privacy of maintaining the data about that person and their protected health information. So when communicating with patients regarding their protected health information, or as we refer to call it PHI, use encrypted email software such as a patient portal or other HIPAA-protected program. Email and text information should be maintained in the medical records. And for this reason, you should limit text. If you're using texting in your practice, really, patients should understand it's only for the purposes of like confirming and, you know, maybe confirming and canceling appointments and stuff like that. You shouldn't be having discussions in texts with patients. And then how are you going to get that information accurately into the medical record? And plus, when someone's texting you, you don't have to know what they're saying. And plus, when someone's texting you, you don't even know if you're technically even talking to that person. You know, people can pick up people's phones and have communications. And again, you want to obtain consent from your patient when using email and text. And remember, the patient always has the option to opt out. So what are some of the best practices related to emailing and texting? So your best practices includes creating, again, an office practice policy and procedure. And every time I say this, it doesn't mean it has to be like a 10-page document. It can be even a short document that just explains to patients and to staff how this is going to work. Use HIPAA-compliant software. Again, obtain a business associate agreement from the vendor to protect in case of a HIPAA breach. Use out-of-office messaging that tells patients when you're available and not available. Set patient expectations of when to use and not use email or text and when the patient can expect a response. Like, for example, you may say, I respond to emails and texts within 24 hours, 48 hours, whatever it is, and that they certainly should not be using that form of communication for emergencies. If you have an email system that has a read receipt option, if you want to send something important and you want to make sure your patient sees it and you have a read receipt, then what that does is the system will then tell you that they've opened the email. Again, consider a patient portal. You may have one available through your EMR vendor if you're not already using one. Again, use those good documentation techniques. Let's talk for a minute about mobile devices. In today's world, most people are communicating and using devices like laptops and tablets and cell phones. Remember to maintain control of your device. You want those devices to have encrypted data. Make sure they're secure, they're password protected. Now, don't use easily figured out passwords. Like, avoid using family members' names and the word password and pets' names and stuff like that. Avoid using public hotspots because they're not secure internet connections, and you'd be surprised how somebody could be sitting at a table next to you and they're hacking you if you're using that open Wi-Fi. Check your device's connection settings. It usually says that you can disable unsecure Wi-Fi, and you want to set your Bluetooth devices to non-discoverable. That means, I've had it personally where I've been on a plane, I go to put my cordless Bluetooth headphones, I want to connect to my tablet to watch something on my tablet, and it's picking up devices around me. I make my devices so that the people sitting around me can't see my Bluetooth device. I've enabled that so that it can't be discoverable to others. Look at that. Again, if you're not sure what to do, consult a healthcare certified IT professional. These are folks that specifically work with the healthcare industry. You want to make sure your data is backed up. If you have a device that is lost or stolen, and your data is backed up somewhere, like you have a server or something, or HIPAA compliant cloud services, then your IT professional can wipe the device remotely once you realize it's been lost or stolen, so you still have the data housed somewhere else, but now somebody's taken possession of that technology, that mobile device, that if they do break into it, they're not going to find anything because it's been wiped remotely. When accessing websites or texts or emails with embedded links, avoid clicking on anything that's suspicious. If you're not sure if it's the person that's sending it to you, is that person, in fact, that you think they are, or there's something that has an embedded link, that's a perfect way that hackers get in. You click on a link, and once you realize your mistake, it's too late. It's too late. They're already in. Check the security of the apps you're using. Make sure all the software is being kept up to date on your devices. You know, hackers, many times, will access information, will be able to do it because your software is outdated, your firewalls, your, you know, these different protection devices are not being kept up to date. Don't share usernames and passwords, and lastly, obtain informed consent from a patient when you're asking them to access anything like an app or software or your portal, etc. So let's do a scenario. We're going to switch now to online reviews. So online reviews. So we get calls on a regular basis on our helpline from psychiatrists concerned about reading a negative review about them. So I'm going to give you, here's examples of a couple of investigations that were done by the Office of Civil Rights through Health and Human Services where providers got fined because they violated HIPAA by responding to an online review. So the first one, the claim was, this investigation was concluded on June 5, 2023, when the Department of Health and Human Services posted a settlement agreement with a New Jersey psychiatrist whose practice was fined $30,000 for disclosing patient information in response to a negative online review. The settlement was resolving a claim that was originally filed in April of 2020, and it alleged that the healthcare provider impermissibly disclosed protected health information in response to the review. So following an OCR investigation, potential violations of the HIPAA privacy rule included impermissible disclosure of PHI in response to that review and failure to implement policies and procedures with respect to protected health information. And the response to the review that this provider, the psychiatrist put in that review included issues related to the patient's diagnosis and treatment for a mental health condition. The second one is a North Carolina dentist that was just fined $50,000 by OCR for impermissibly disclosing a patient's PHI also in response to a negative review. In this case, not only did the dentist put protected health information open to the public, but it also was ignoring subpoenas that they were receiving from OCR, and so that made the fine even larger. So you can see responding to online reviews, even if the patient provides their name and other PHI, can result in significant consequences for the provider. A patient does not waive their right to privacy just because they've posted information about themselves. So what do we do in responding to these? So, ignore the post if possible. Consider not Googling yourself, and so you're not even going to know that there's negative reviews about yourself. But if you do feel a need to respond, do not respond to the specific review. Only provide a generic statement. For example, let's say if someone gives you a one-star review stating that you were led to believe you were taking new patients, but then you were told their practice was full. But in reality, the provider screened the potential patient out as just not appropriate fit for their services. So in this case, you know, the psychiatrist could just generally post, you know, we are accepting new patients. We don't want to post something like, we're accepting appropriately screened patients, because now it suggests that person was screened out for some reason. If the review is something that you feel you need to address directly with the patient, you know, do it offline and discuss it with them directly. But remember, you know, what is your motive for doing so? Is it just because your feelings are hurt, or is there a real reason that you need to talk to the patient about it? Because we also want to respect the patient's privacy, and we don't want to make them feel uncomfortable. If a current or former patient writes something threatening, then capture the image of the post and contact authorities before it maybe potentially gets taken down. Because you might need that as evidence that someone is threatening you. And remember, we have the freedom of speech in this country, so including that someone technically could lie. So providing, I mean, I'm sorry, proving a defamation case is very expensive and is very hard to prove. So having the evidence that supports actual financial detriment to your practice, specifically related to that negative review, is hard to prove. So while reviews may hurt our opinions and feelings, people are free to post what they want about us. So again, before we respond or do anything with a post, you might want to get some professional assistance and advice. First, again, from a health care attorney or a risk management professional. Let's go over use of social media. You know, when using social media, it goes without saying, you know, providers and patients should respect each other's privacy and create and maintain proper boundaries. The psychiatrist should avoid creating dual relationships. It's important to maintain your professional reputation and protect your privacy as well. Do not allow your personal social media information be open to the public, and it can only be viewed by individuals that you specifically accept as friends. The personal nature of the relationship between a psychiatrist and their patient results in a high standard of professional behavior. So when engaging in social media, including for personal use, it's important to be mindful of how your interactions on social media reflect your personal and your professional reputation. Data breaches and cybersecurity. We kind of talked about some of this already, but to decrease your risk for a data breach or a cyber attack, use encryption, as we mentioned earlier. Understand and comply with the HIPAA privacy rule. You know, you want to avoid potential fines through OCR and licensing implications with the Board of Medicine. When data is or appears to have been compromised, immediately consult your personal attorney or risk management professional. You may need to notify affected patients. Report the event to a professional or cyber or both liability carriers. If you don't have cyber liability coverage, you might want to consider it. It's cheap because it provides a lot of different services that go well beyond what you may be provided through a medical professional policy. And again, you may need to consult with an IT professional. So let's go sum up what we talked about today. We want to adhere to accepted standards of practice. Assess and document actual or potential patient self-harm and violence towards others. Monitor medication reactions and make sure you document them. Again, use sound documentation principles. Safeguard patient privacy. Obtain informed consent. Respect boundaries. Patients should respect your boundary. You should respect theirs. Avoid those dual relationships. Maintain your professional reputation. Protect your privacy. And again, consult an attorney or risk management professional. And it doesn't have to be after you think you have an issue. It can be in a preventative manner or you just have questions about how you can put best practices into place. And a final word. Remember, utilize utilizing good risk management techniques decreases poor outcomes, improves patient satisfaction, decreases the chance of a medical malpractice claim, and increases your chances for a successful defense. Here are some resources if you want to do some additional reading that may assist you in these areas that we talked about today. And finally, thank you for listening to the CME presentation. Remember, in addition to one CME, if you are insured through the APA-endorsed program with American Professional Agency, you can also receive one risk management credit towards the three credits you need for risk management discount on your renewal premium. Thank you. Thank you.

risk management

psychiatry

claims against psychiatrists

technology in practice

enterprise risk management

medical malpractice claims

documentation

defending against malpractice claims

patient confidentiality