
Articles by Legal Department Staff

The Legal Department articles are not intended to serve as legal advice and are offered for educational purposes only. The information provided should not be used as a substitute for independent legal advice and it is not intended to address every situation that could potentially arise. Please be aware that laws, regulations and technical standards change over time. As a result, it is important to verify and update any reference or information that is provided in the article.

A Patient's Right to Access Mental Health Records Under HIPAA

In this article, Ann Tran-Lien, JD discusses a patient’s right to access their confidential mental health information under the Health Insurance Portability and Accountability Act of 1996.


The Therapist
September/October 2014
Ann Tran-Lien, JD (CAMFT Managing Director, Legal Affairs)
Reviewed December, 2022 by Bradley J. Muldrow, JD (CAMFT Staff Attorney)


As a therapist, you may occasionally have a patient request access to their clinical records. Patients have an array of rights with respect to their mental health records, but these rights differ under California and federal law. If you receive a request for records from a patient, the first step is to determine whether you have to comply with California law or with federal law, namely the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). You must comply with HIPAA if you are a practicing therapist who electronically transmits confidential information in connection with certain covered administrative and financial transactions. It is important for mental health professionals to know the difference. This article will discuss a patient's right to access his or her confidential mental health information under HIPAA.1

HIPAA was passed to establish national security and privacy standards in regard to health care information. HIPAA contains many complex provisions and requirements. If HIPAA applies to your practice, it is essential that you familiarize yourself with patients' rights to their protected health information and your legal obligations under this federal law. 

Covered Entities
HIPAA applies only to covered entities and business associates.2 The law defines a "covered entity" as: 1) a health plan; 2) a healthcare clearinghouse; and 3) a health care provider who transmits health information in electronic form in connection with certain administrative and financial transactions.3

Covered administrative and financial transactions include: health care claims or equivalent encounter information; health care payment and remittance advice; coordination of benefits; health care claim status; enrollment and disenrollment in a health plan; eligibility for a health plan; health plan premium payments; referral certification and authorization; first report of injury; health claims attachments; and other transactions that the Secretary of Health and Human Services may prescribe by regulation. For therapists, these transactions may include billing a health plan electronically; checking a patient's eligibility and health benefits by utilizing a health plan's website; and receiving confidential patient information from health plans via e-mail. Bear in mind that e-mailing your patients, storing electronic records, or providing therapy services electronically are not "covered transactions" under HIPAA. Accordingly, these practices alone will not render you a "covered entity."

Therefore, to determine if you are a covered entity and must comply with HIPAA laws, ask yourself the following questions: 1) Are you a health care provider (all mental health professionals are considered health care providers under HIPAA); 2) do you transmit health information electronically; and 3) is the information in connection with one or more of the administrative and financial transactions listed above? If you answer "yes" to these three questions, you must comply with HIPAA. If a covered entity engages a business associate, such as a billing assistant, to help it carry out its health care activities and functions, the covered entity must have a written business associate contract with the business associate. The business associate agreement must state what the business associate has been contracted to do and require the business associate to comply with HIPAA. Additionally, business associates must comply with certain HIPAA provisions.

Patient's Right of Access
Under HIPAA, a patient generally has a right to inspect and obtain a copy of his or her individual "protected health information (PHI)" with a few exceptions. PHI includes, but is not limited to, information created or received by a health care provider that relates to the past, present, or future physical or mental health or condition of an individual, including payment of services, that identifies the patient; or information that can be used to identify the patient. PHI also includes demographic information collected from the patient.4

There are certain circumstances where you may deny a patient's right to inspect or obtain PHI. In some instances, you must provide the patient with an opportunity to have your decision reviewed by another licensed practitioner. The review procedure will be discussed later in this article. 

Provider's Denial Rights
In the following circumstances, you may deny a patient's right to inspect or obtain the following, and you are not required to provide the patient with an opportunity to review the denial5:

  • A patient does not have the right to access "psychotherapy notes" (this term is defined below); 
  • A patient does not have the right to access information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding; 
  • If you work for a correctional institution, you may deny an inmate patient's request to obtain PHI if doing so would jeopardize the health, safety, security, custody, or rehabilitation of the patient or other inmates, or safety of any officer, employee, or other person at the correctional institution or responsible for transporting the inmate; 
  • The PHI is obtained from someone other than a health care provider under a promise of confidentiality and the access requested would be reasonably likely to reveal the source of the information. 

Psychotherapy Notes
A patient does not have the right to inspect or obtain a copy of his or her "psychotherapy notes." HIPAA defines "psychotherapy notes" as "notes recorded (in any medium) by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of the individual's medical record." Essentially, "psychotherapy notes" are what therapists refer to as "process notes."

On the other hand, "psychotherapy notes" as defined by HIPAA do not include "medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date."6 This definition effectively summarizes what therapists identify as "progress notes." 

Accordingly, if you keep "psychotherapy notes" or process notes separate from the rest of the patient's clinical file or progress notes, patients do not have the right to inspect or obtain a copy of such notes. However, patients have the right to request progress notes, unless you have a reason to deny that request, as discussed in this article. 

In the following circumstances, you may deny a patient's right to inspect or obtain a copy of his or her PHI, but you are required to provide the patient with an opportunity to review the denial7:

  • You have determined, in the exercise of professional judgment, that the access requested is reasonably likely to endanger the life or physical safety of the patient or another person.8
  • The PHI makes reference to another person (unless such other person is a health care provider) and you have determined, in the exercise of professional judgment, that the access requested is reasonably likely to cause substantial harm to such other person. 
  • The request for access is made by the patient's personal representative, such as a parent, legal guardian, or conservator, and you have determined, in the exercise of professional judgment, that the provision of access to such personal representative is reasonably likely to cause substantial harm to the patient or another person. 

Procedures for Responding to a Patient's Request for Records
Once you receive the request from a patient, you have five (5) working days from the receipt of the request to allow for inspection, or fifteen (15) calendar days from the receipt of the request to provide a copy of the PHI. A patient has a right to receive a copy of their PHI in the form, format, and manner requested, if readily producible in that way, or as otherwise agreed to by the individual. For example, if you maintain patient PHI electronically and a patient requests that their PHI be e-mailed, they have the right to receive their PHI in that readily-producible format.9 It is important to note that, contrary to California law, you may only provide a summary of treatment if the patient agrees in advance to receive a summary and agrees to the fee charged for the summary. If a summary is to be provided, you have ten (10) working days from the receipt of the request to provide the summary.10

HIPAA allows you a one-time extension of up to thirty (30) days to respond to the request. In order to obtain the extension, you must provide your patient with a written statement specifying the reasons for the extension, as well as the expected time of your response. In addition, you may require that patients request access to PHI by submitting a written request, but only if you inform patients of such a requirement. For a sample Request to Inspect & Receive a Copy of PHI, visit the HIPAA section in the Resource Center on the CAMFT website.

Procedures for Denying a Request for Records
If you choose to deny the request, in whole or in part, based on the reasons stated above, HIPAA puts forth specific procedures that must be followed. First, you must, to the extent possible, provide the patient with access to any other PHI requested, after excluding the PHI to which you have the right to deny access. Second, you must provide your patient with a written statement within thirty (30) days of the receipt of the request. The written statement must be in plain language and include the following information:

  1. The basis for the denial;
  2. The patient's review rights (if the patient has the right to review the denial, as stated above);
  3. A description of how the patient may complain to the covered entity, or to the Secretary of Health and Human Services. You must provide the name, or title, and telephone number of the contact person who is responsible for the development and implementation of the HIPAA policies and procedures of the practice. For sole practitioners, the contact person will be the practicing therapist.

Note that HIPAA provides that only "licensed psychotherapists" may make the above-referenced determinations. Therefore, pre-licensed therapists should consult with their supervisors to determine whether to allow or deny a patient's access to PHI.

Review Rights
If a patient requests a review of your denial, check the two lists above to see if you are required to afford the patient an opportunity to review the denial. If so, you must designate a licensed health care professional to act as a reviewing official and promptly refer the request for review to that person. The designated reviewing official must not have participated in the original decision to deny the patient's access. The designated reviewing official must determine, within a reasonable period of time, whether to allow or deny access. The designated reviewing official has the final say. Thus, you must provide or deny access in accordance with the determination of the reviewing professional. Once given a determination, you must promptly provide written notice to the patient of the determination and carry out any action that has been concluded by the designated reviewing official.

The following CAMFT sample practice forms address the protocols for responding to records requests under HIPAA: 1) Response to Request to Inspect & Copy Protected Health Information; 2) Request for Review of a Decision Denying Inspection & Copying of Protected Health Information; and 3) Notification of Designated Reviewer's Decision.

Fees
You may charge a reasonable, cost-based fee for making copies or providing a summary. The fee may include only the cost of: 1) labor for copying or time for preparing the summary; 2) supplies for creating the copy; and 3) postage. The reasonable, cost-based fee for copies can be based either on actual costs or an average cost.11

Conclusion
If you are a covered entity, being knowledgeable about patients' rights and your legal obligations under HIPAA is fundamental in maintaining a lawful and ethical practice. The Office for Civil Rights, the governmental body that enforces HIPAA rules, has taken enforcement actions, ranging from issuing a resolution agreement to civil monetary penalties, against covered entities for failure to follow HIPAA rules regarding patients' access to records.


Resources
The following resources provide useful information regarding HIPAA:

  1. For articles and legal forms related to HIPAA, visit CAMFT's website at https://www.camft.org/Members-Only/Insurance-Corner/HIPAA  
  2. For case examples and enforcement actions, visit the US Department of Health and Human Services website at https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/examples/index.html  
  3. For more information about HIPAA and the Office for Civil Rights visit https://www.hhs.gov/hipaa/index.html  

Endnotes

1 For further reading on a patient's right to access clinical records under California law, see "Patient Records Under California Law: The Basics," by Alain Montgomery, J.D. (CAMFT Staff Attorney).

2 For further reading on covered entities under HIPAA, see "Are You a Covered Entity" by Dave Jensen, J.D., Staff Attorney, at www.camft.org.

3 45 C.F.R. § 160.103. 

4 Id. 

5 45 C.F.R. § 164.524(a)(2). 

6 45 C.F.R. § 164.501. 

7 45 C.F.R. § 164.524(a)(3). 

8 It is important to note that California law differs in this regard. California law allows providers to deny access if the provider determines there is a substantial risk of significant adverse or detrimental consequences to a patient in seeing or receiving a copy of the records. (Cal. Health & Safety Code § 123110.) Hence, California law allows either adverse physical or psychological consequences to the patient, and does not require those consequences to be life-threatening or amount to physical endangerment. HIPAA, by contrast, requires likelihood of physical endangerment or psychological endangerment that could reasonably lead to endangerment of a person's life.

9 45 C.F.R. § 164.524(c)(2)(ii). Even if records are maintained in a paper format and the patient requests the records electronically, therapists are required to provide the patient with the electronic copy if the copy is readily producible electronically (e.g., by scanning the paper records into electronic format).

10 45 C.F.R. § 160.203(b); Cal. Health & Safety Code § 123110.

11 45 C.F.R. § 164.524(c). Please note that charging patients a per-page fee for the production of electronically-stored PHI is not considered reasonable under HIPAA.