About Us | Chapters | Advertising | Join
The Legal Department articles are not intended to serve as legal advice and are offered for educational purposes only. The information provided should not be used as a substitute for independent legal advice and it is not intended to address every situation that could potentially arise. Please be aware that laws, regulations and technical standards change over time. As a result, it is important to verify and update any reference or information that is provided in the article.
A Patient's Right to Access Mental Health Records Under HIPAA Ann Tran-Lien, JD, discusses a patient's right to access his or her confidential mental health information under the Health Insurance Portability and Accountability Act of 1996.
by: Ann Tran-Lien, JD, Staff Attorney The Therapist September/October 2014 Originally published September/October 2014, Updated 2022 Ann Tran-Lien, JD, Managing Director of Legal Affairs
Patients have an array of rights with respect to accessing their mental health records, and these rights differ under California law and federal law. If you receive a records request from a patient, the first step is to determine whether you have to comply with California law or the federal law known as the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). It is important for mental health professionals to know the difference. You must comply with HIPAA if you are a therapist who electronically transmits confidential information in connection with certain covered administrative and financial transactions. This article will discuss a patient’s right to access their confidential mental health information under HIPAA.1
HIPAA was passed to establish national security and privacy standards for health care information. The law contains many complex provisions and requirements. If HIPAA applies to your practice, it is essential that you familiarize yourself with your patients’ rights to their protected health information and your legal obligations under this federal law.
Covered Entities HIPAA applies only to covered entities and business associates.2 The law defines “covered entities” as health plans, health care clearinghouses, and health care providers that transmit health information in electronic form in connection with certain administrative and financial transactions.3
Covered administrative and financial transactions include: health care claims or equivalent encounter information; health care payment and remittance advice; coordination of benefits; health care claim status; enrollment and disenrollment in a health plan; eligibility for a health plan; health plan premium payments; referral certification and authorization; first report of injury; health claims attachments; and other transactions that the Secretary of Health and Human Services may prescribe by regulation. For therapists, these transactions may include billing a health plan electronically, checking a patient’s eligibility and health benefits by using a health plan’s website, and receiving confidential patient information from health plans via email.
Bear in mind that actions such as emailing or texting your patients, storing electronic records, and providing therapy services electronically are not covered transactions under HIPAA. Accordingly, these practices alone will not render you a covered entity.
Therefore, to determine if you are a covered entity and must comply with HIPAA laws, ask yourself the following questions:
If you answer “yes” to all three of these questions you must comply with HIPAA. Also, it’s important to note that HIPAA regulations apply to your practice as a whole and not only to those patients for whom and with whom you engage in covered transactions.
If a covered entity engages a business associate, such as a billing assistant, to help carry out its health care activities and functions, the covered entity must have a written contract with the business associate. This agreement must establish what the business associate has been contracted to do and require the business associate to comply with HIPAA. Additionally, business associates must comply with certain HIPAA provisions.
Patient’s Right of Access Under HIPAA, a patient generally has a right to inspect and obtain a copy of their individual protected health information (PHI), with a few exceptions. PHI includes, but is not limited to, information created or received by a health care provider relating to the past, present, or future physical or mental health or condition of an individual, including payment of services, that identifies the patient or can be used to identify the patient. PHI also includes demographic information collected from the patient.4 In other words, a patient’s mental health record would be considered PHI.
There are certain circumstances where you may deny a patient’s right to inspect or obtain PHI. In some instances, you must provide the patient with an opportunity to have your decision reviewed by another licensed practitioner. The review procedure is discussed later in this article.
Provider’s Denial Rights In the following circumstances, you may deny a patient’s right to inspect or obtain certain types of information, and you are not required to provide the patient with an opportunity to review the denial5:
A patient does not have the right to access information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.
Psychotherapy Notes A patient does not have the right to inspect or obtain a copy of their psychotherapy notes. HIPAA defines “psychotherapy notes” as “notes recorded (in any medium) by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of the individual’s medical record.” Essentially, psychotherapy notes are what therapists refer to as “process notes.”
On the other hand, psychotherapy notes as defined by HIPAA do not include “medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date.”6 This definition effectively summarizes what therapists identify as “progress notes.” Accordingly, if you keep psychotherapy notes or process notes separate from the patient’s progress notes or the rest of the patient’s clinical file, patients do not have the right to inspect or obtain a copy of them. However, patients have the right to access their progress notes, unless you have a reason to deny that request, as discussed in this article.
In the following circumstances, you may deny a patient’s right to inspect or obtain a copy of their PHI, but you are required to provide the patient with an opportunity to review the denial7:
Procedures for Responding to a Patient’s Request for Records Once you receive the request from a patient, you have five (5) working days to allow for the patient’s inspection of the records or fifteen (15) calendar days to provide the patient with a copy of the PHI. The patient has a right to receive a copy of their PHI in the form, format, and manner requested, if readily producible in that way, or as otherwise agreed to by the individual. For example, if you maintain patient PHI electronically, and the patient requests that you email it, they have the right to receive their PHI in that readily producible format.9 It is important to note that, contrary to California law, you may only provide a summary of treatment if the patient agrees in advance to receive a summary and to pay the fee charged for it. If a summary is to be provided, you have ten (10) working days from the receipt of the request to provide it.10
HIPAA allows a one-time extension of up to thirty (30) days to respond to the request. To obtain the extension, you must provide the patient with a written statement specifying the reasons for it and the timeframe that they can expect your response. In addition, you may require patients to submit a written request for access to PHI but only if you first inform them of such a requirement. For a sample Request to Inspect & Receive a Copy of PHI form, visit the HIPAA section in the Resource Center on the CAMFT website.
Procedures for Denying a Request for Records If you choose to deny the request, in whole or in part, based on the reasons stated above, HIPAA puts forth specific procedures that you must follow. First, after excluding the PHI that you have denied access to, you must, to the extent possible, provide the patient with access to any other PHI requested. Second, you must provide the patient with a written statement within thirty (30) days of receipt of the request. The statement must be in plain language and include the following information:
Note that HIPAA provides that only licensed psychotherapists may make the determinations referenced above. Therefore, pre-licensed therapists should consult with their supervisors to determine whether to allow a patient’s access to PHI.
Review Rights If a patient requests a review of your denial, check the two lists above to see if you are required to provide one. If so, you must do the following:
The following CAMFT sample practice forms address the protocols for responding to records requests under HIPAA:
Conclusion If you are a covered entity, being knowledgeable about patients’ rights and your legal obligations under HIPAA is fundamental to maintaining a lawful and ethical practice. The following resources provide useful information regarding HIPAA:
For articles and legal forms related to HIPAA, visit CAMFT’s website at https://www.camft. org/Members-Only/Insurance-Corner/HIPAA. For case examples and enforcement actions, visit the Department of Health and Human Services website at https://www.hhs.gov/hipaa/forprofessionals/ compliance-enforcement/examples/ index.html. The Office for Civil Rights, which is the governmental body that enforces HIPAA rules, has taken enforcement actions ranging from issuing a resolution agreement to levying civil monetary penalties against covered entities for failure to follow HIPAA rules regarding patients’ access to records.
For more information about HIPAA and the Office for Civil Rights, visit https://www.hhs. gov/hipaa/index.html.
Ann Tran-Lien, JD, is a staff attorney and the Managing Director of Legal Affairs at CAMFT. Ann is available to answer member calls regarding legal, ethical, and licensure issues.
Endnotes 1 For further reading on a patient’s right to access clinical records under California law, see “Patient Records Under California Law: The Basics” by CAMFT Staff Attorney Alain Montgomery, JD. 2 For further reading on covered entities under HIPAA, see “Are You a Covered Entity” by former staff attorney Dave Jensen, JD. 3 45 C.F.R. § 160.103. 4 Id. 5 45 C.F.R. § 164.524(a)(2). 6 45 C.F.R. § 164.501. 7 45 C.F.R. § 164.524(a)(3). 8 It’s important to note that California law differs in this regard. California law allows a provider to deny access if they determine there is a substantial risk that the patient will suffer significant adverse or detrimental consequences if they see or receive a copy of the records. (Cal. Health & Safety Code § 123110.) Hence, California law does not require that the adverse physical or psychological consequences to the patient be life-threatening or amount to physical endangerment, whereas HIPAA requires that these consequences must be likely to endanger a person’s life. 9 45 C.F.R. § 164.524(c)(2)(ii). Even if records are maintained in a paper format, if the patient requests them electronically, the therapist is required to provide an electronic copy if it’s readily producible (e.g., by scanning the paper records into electronic format). 10 45 C.F.R. § 160.203(b); Cal. Health and Safety Code § 123110. 11 45 C.F.R. § 164.524(c). Please note that charging patients a per-page fee for the production of electronically stored PHI is not considered reasonable under HIPAA.
This article is not intended to serve as legal advice and is offered for educational purposes only. The information provided should not be used as a substitute for independent legal advice and it is not intended to address every situation that could potentially arise. Please be aware that laws, regulations and technical standards change over time. As a result, it is important to verify and update any reference or information that is provided in this article.