Psychiatric-Mental Health Nursing

10.1 Client Rights and Protections


Learning Objectives

By the end of this section, you will be able to:

  • Explain the importance of upholding HIPAA rules within the mental health practice setting
  • Describe the protections put in place by the Patient Protection and Affordable Care Act

Mental health clients are potentially a vulnerable population and therefore need to be protected from exploitation or abuse. There are federal and state statutes that lay out these protections as well as organizational policies and procedures intended to protect client rights. Client rights include concepts like confidentiality of protected health information, covered by the Health Insurance Portability and Accountability Act (HIPAA), and the right to purchase health insurance, covered by the Patient Protection and Affordable Care Act (PPACA). States can issue laws that offer additional protections, as long as they uphold the federal protections.


The federal government has enacted multiple legal protections so that protected health information remains private and protected. This has become very important in the digital age where health information is easier to access by health-care providers and clients, but also by those who would use the information for secondary gain.

In 1996, President Bill Clinton signed the Health Insurance Portability and Accountability Act (HIPAA) into law (U.S. Department of Health and Human Services, 2022b). This federal law (and accompanying regulations that implement the law) protects sensitive client health information from being disclosed without the client’s consent or knowledge. This law covers clients’ protected health information (PHI), information included in a medical record that can be used to identify an individual and that was used, created, or disclosed in the process of providing a health-care service. Until 1996, confidentiality in medical records was minimally protected, though the records were harder to access since they were primarily paper-based (U.S. Department of Health and Human Services, n.d.). HIPAA gives clients more control over their health information by setting boundaries on and requiring written consent for the use and release of health records. At the time of the first visit to a provider and in the mail from the health plan, providers must offer clients a HIPAA notice—which must be signed acknowledging receipt—that describes how the health information is shared and includes health privacy rights. If a client refuses to sign the acknowledgment, this must be documented.

HIPAA requires covered health-care entities to provide training to staff to ensure understanding of HIPAA rules and regulations. Covered health-care entities are defined by the HIPAA rules as health plans, health-care clearinghouses, and health-care providers, but only if they transmit information related to financial or administrative activities related to health care. During HIPAA training, employees should be made aware of the possible penalties for HIPAA violations. Figure 10.2 lays out the three rules of privacy, security, and breach notification for HIPAA compliance.

Chart listing the three rules for HIPAA requirements (Privacy Rule, Security Rule, and Breach Notification Rule) along with explanations.
Figure 10.2 The three rules of HIPAA compliance are the Privacy Rule, the Security Rule, and the Breach Notification Rule (Centers for Medicare and Medicaid Services, 2023). (attribution: Copyright Rice University, OpenStax, under CC BY 4.0 license)

Real RN Stories

Nurse: George B.
Years in Practice: Eight
Clinical Setting: Mental health inpatient facility
Geographic Location: Oregon

George is a nurse in a mental health inpatient facility in an affluent area that sometimes has wealthy people admitted for drug, alcohol, or psychiatric treatment. Recently, the facility admitted a celebrity; rumors spread among the staff, but they kept it quiet. George was not involved in this client’s care and was not assigned to that unit during their stay. However, he was unable to avoid the temptation of looking into the person’s medical record despite them being under an alias. He had undergone HIPAA training and knew it was wrong, but thought that he would not share the information, so what is the harm? After the client was discharged, regulators audited the chart and found that not only George, but four others who were not involved in this person’s care had accessed the chart without appropriate cause, reason, or permission. George and the four others were fired for HIPAA violations and George was reported to his state board of nursing and is awaiting a determination of disciplinary action. All health-care professionals must be aware that they leave a “footprint” whenever they enter the records of a client.

HIPAA compliance rules apply to hospitals as well as a variety of other types of health-care treatment settings. There are four potential outcomes that may result from HIPAA noncompliance: (1) the employer may deal with the violation internally, (2) the violator could be terminated, (3) the violator could face sanctions from professional boards, and/or (4) the violator could face criminal charges, including fines and imprisonment.

Five common HIPAA violations include:

  • the loss of a device, such as the theft of a computer that contains client information
  • downloading a computer virus on a health-care agency computer that allows personal client information to be accessed or leaked, such as through portable media or email
  • employee dishonesty while accessing files, such as a nurse who accesses client information that they do not have the authority to see
  • improper filing and disposing of documents, such as a nurse who throws lab results that include client-identifying information into the public trash receptacle at the nurse station
  • releasing client information after the authorization to release period expires (Intraprise Health, 2023)

The Affordable Care Act

The Patient Protection and Affordable Care Act (PPACA), or Affordable Care Act (ACA), was signed into law in 2010 by President Barack Obama and continues to be a politically charged topic. Its original premise, which continues, is to expand access to health insurance to uninsured Americans. The main points of the law were to expand Medicaid eligibility, create a Health Insurance Marketplace, and prevent insurance companies from denying coverage due to preexisting conditions. The ACA also requires insurers to cover a list of essential health benefits. It was also designed to reform the insurance industry to reduce the costs of coverage and to include premium tax credits and cost-sharing reductions to help lower expenses for lower-income families and individuals. According to the ACA, employers must provide health insurance to their employees. Certain small firms that meet the requirements can get tax credits. To assist consumers and small businesses in obtaining insurance, the law established insurance exchanges that are headquartered in multiple states. Under the ACA, young adults are allowed to remain on their parents’ insurance policies until the age of 26. The ACA creates state rate reviews for insurance premium increases, forbids lifetime financial ceilings on insurance coverage, and restricts the use of yearly caps. It forbids insurance companies from terminating or withdrawing coverage, as well as from refusing to cover children with preexisting conditions.

The ACA improved access to insurance and health care for many Americans; it also added coverage for preventative care and preexisting conditions that was lacking in many prior plans. Some of the downsides include increases in premiums, new taxes to support costs, a limited enrollment period, and reduced hours of employees to avoid providing medical insurance (U.S. Department of Health and Human Services, 2022a).


This book may not be used in the training of large language models or otherwise be ingested into large language models or generative AI offerings without OpenStax's permission.


© Jun 12, 2024 OpenStax. Textbook content produced by OpenStax is licensed under a Creative Commons Attribution License . The OpenStax name, OpenStax logo, OpenStax book covers, OpenStax CNX name, and OpenStax CNX logo are not subject to the Creative Commons license and may not be reproduced without the prior and express written consent of Rice University.