Articles by Legal Department Staff

The Legal Department articles are not intended to serve as legal advice and are offered for educational purposes only. The information provided should not be used as a substitute for independent legal advice and it is not intended to address every situation that could potentially arise. Please be aware that laws, regulations and technical standards change over time. As a result, it is important to verify and update any reference or information that is provided in the article.

A Patient's Right to Records Under HIPAA

A Patient's Right to Access Mental Health Records Under HIPAA

Ann Tran-Lien, JD, discusses a patient's right to access his or her confidential mental health information under the Health Insurance Portability and Accountability Act of 1996.

by: Ann Tran-Lien, JD,
Staff Attorney
The Therapist
September/October 2014
Originally published September/October 2014, Updated 2022
Ann Tran-Lien, JD, Managing Director of Legal Affairs


Patients have an array of rights with respect to accessing their mental health records, and these rights differ under California law and federal law. If you receive a records request from a patient, the first step is to determine whether you have to comply with California law or the federal law known as the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). It is important for mental health professionals to know the difference. You must comply with HIPAA if you are a therapist who electronically transmits confidential information in connection with certain covered administrative and financial transactions. This article will discuss a patient’s right to access their confidential mental health information under HIPAA.1

HIPAA was passed to establish national security and privacy standards for health care information. The law contains many complex provisions and requirements. If HIPAA applies to your practice, it is essential that you familiarize yourself with your patients’ rights to their protected health information and your legal obligations under this federal law.

Covered Entities
HIPAA applies only to covered entities and business associates.2 The law defines “covered entities” as health plans, health care clearinghouses, and health care providers that transmit health information in electronic form in connection with certain administrative and financial transactions.3

Covered administrative and financial transactions include: health care claims or equivalent encounter information; health care payment and remittance advice; coordination of benefits; health care claim status; enrollment and disenrollment in a health plan; eligibility for a health plan; health plan premium payments; referral certification and authorization; first report of injury; health claims attachments; and other transactions that the Secretary of Health and Human Services may prescribe by regulation. For therapists, these transactions may include billing a health plan electronically, checking a patient’s eligibility and health benefits by using a health plan’s website, and receiving confidential patient information from health plans via email.

Bear in mind that actions such as emailing or texting your patients, storing electronic records, and providing therapy services electronically are not covered transactions under HIPAA. Accordingly, these practices alone will not render you a covered entity.

Therefore, to determine if you are a covered entity and must comply with HIPAA laws, ask yourself the following questions:

  1. Are you a health care provider (all mental health professionals are considered health care providers under HIPAA)?
  2. Do you transmit health information electronically?
  3. Is the information you transmit in connection with one or more of the administrative and financial transactions listed above?

If you answer “yes” to all three of these questions you must comply with HIPAA. Also, it’s important to note that HIPAA regulations apply to your practice as a whole and not only to those patients for whom and with whom you engage in covered transactions.

If a covered entity engages a business associate, such as a billing assistant, to help carry out its health care activities and functions, the covered entity must have a written contract with the business associate. This agreement must establish what the business associate has been contracted to do and require the business associate to comply with HIPAA. Additionally, business associates must comply with certain HIPAA provisions.

Patient’s Right of Access
Under HIPAA, a patient generally has a right to inspect and obtain a copy of their individual protected health information (PHI), with a few exceptions. PHI includes, but is not limited to, information created or received by a health care provider relating to the past, present, or future physical or mental health or condition of an individual, including payment of services, that identifies the patient or can be used to identify the patient. PHI also includes demographic information collected from the patient.4 In other words, a patient’s mental health record would be considered PHI.

There are certain circumstances where you may deny a patient’s right to inspect or obtain PHI. In some instances, you must provide the patient with an opportunity to have your decision reviewed by another licensed practitioner. The review procedure is discussed later in this article.

Provider’s Denial Rights
In the following circumstances, you may deny a patient’s right to inspect or obtain certain types of information, and you are not required to provide the patient with an opportunity to review the denial5:

  • A patient does not have the right to access “psychotherapy notes” (this term is defined below).
  • A patient does not have the right to access information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.
  • If you work for a correctional institution, you may deny an inmate patient’s request to obtain PHI if granting it would jeopardize the health, safety, security, custody, or rehabilitation of the patient or other inmates, or the safety of any officer, employee, or other person who works at the correctional institution or is responsible for transporting the inmate.
  • If the PHI is obtained from someone other than a health care provider under a promise of confidentiality and the access requested is reasonably likely to reveal the source of the information, you may deny the request.

Psychotherapy Notes
A patient does not have the right to inspect or obtain a copy of their psychotherapy notes. HIPAA defines “psychotherapy notes” as “notes recorded (in any medium) by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of the individual’s medical record.” Essentially, psychotherapy notes are what therapists refer to as “process notes.”

On the other hand, psychotherapy notes as defined by HIPAA do not include “medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date.”6 This definition effectively summarizes what therapists identify as “progress notes.” Accordingly, if you keep psychotherapy notes or process notes separate from the patient’s progress notes or the rest of the patient’s clinical file, patients do not have the right to inspect or obtain a copy of them. However, patients have the right to access their progress notes, unless you have a reason to deny that request, as discussed in this article.

In the following circumstances, you may deny a patient’s right to inspect or obtain a copy of their PHI, but you are required to provide the patient with an opportunity to review the denial7:

  • You have determined, in the exercise of professional judgment, that the access requested is reasonably likely to endanger the life or physical safety of the patient or another person.8
  • The PHI makes reference to another person, and you have determined, in the exercise of professional judgment, that the access requested is reasonably likely to cause substantial harm to that person (unless that person is a health care provider).
  • The request for access is made by a personal representative of the patient such as a parent, legal guardian, or conservator, and you have determined, in the exercise of professional judgment, that the provision of access to this representative is reasonably likely to cause substantial harm to the patient or another person.

Procedures for Responding to a Patient’s Request for Records
Once you receive the request from a patient, you have five (5) working days to allow for the patient’s inspection of the records or fifteen (15) calendar days to provide the patient with a copy of the PHI. The patient has a right to receive a copy of their PHI in the form, format, and manner requested, if readily producible in that way, or as otherwise agreed to by the individual. For example, if you maintain patient PHI electronically, and the patient requests that you email it, they have the right to receive their PHI in that readily producible format.9 It is important to note that, contrary to California law, you may only provide a summary of treatment if the patient agrees in advance to receive a summary and to pay the fee charged for it. If a summary is to be provided, you have ten (10) working days from the receipt of the request to provide it.10

HIPAA allows a one-time extension of up to thirty (30) days to respond to the request. To obtain the extension, you must provide the patient with a written statement specifying the reasons for it and the timeframe that they can expect your response. In addition, you may require patients to submit a written request for access to PHI but only if you first inform them of such a requirement. For a sample Request to Inspect & Receive a Copy of PHI form, visit the HIPAA section in the Resource Center on the CAMFT website.

Procedures for Denying a Request for Records
If you choose to deny the request, in whole or in part, based on the reasons stated above, HIPAA puts forth specific procedures that you must follow. First, after excluding the PHI that you have denied access to, you must, to the extent possible, provide the patient with access to any other PHI requested. Second, you must provide the patient with a written statement within thirty (30) days of receipt of the request. The statement must be in plain language and include the following information:

  1. The basis for the denial;
  2. The patient’s review rights (if the patient has the right to review the denial, as stated above); and
  3. A description of how the patient may complain to the covered entity or the Secretary of Health and Human Services. You must provide the name or title and telephone number of the contact person responsible for the development and implementation of the practice’s HIPAA policies and procedures. For sole practitioners, the contact person is the practicing therapist.

Note that HIPAA provides that only licensed psychotherapists may make the determinations referenced above. Therefore, pre-licensed therapists should consult with their supervisors to determine whether to allow a patient’s access to PHI.

Review Rights
If a patient requests a review of your denial, check the two lists above to see if you are required to provide one. If so, you must do the following:

  1. Designate a licensed health care professional to act as a reviewing official and promptly refer the review request to that person. The designated reviewing official cannot have participated in the original decision to deny the patient’s access. (For example, if you consulted with a colleague, and the colleague agreed that you should deny the patient’s access, that same colleague cannot also be the reviewing official.)
  2. The designated reviewing official must determine, within a reasonable period of time, whether to allow access. The designated reviewing official has the final say. Thus, you must allow or deny access in accordance with that determination.
  3. Once given a determination, you must promptly provide written notice of the determination to the patient and carry out any action prescribed by the designated reviewing official.

The following CAMFT sample practice forms address the protocols for responding to records requests under HIPAA:

  • Response to Request to Inspect & Copy Protected Health Information
  • Request for Review of a Decision Denying Inspection & Copying of Protected Health Information
  • Notification of Designated Reviewer’s Decision

Fees
You may charge a reasonable cost-based fee for making copies or providing a treatment summary. The fee can only include the costs of: 1) the labor required for copying or the time spent preparing the summary, 2) the supplies for creating the copies, and 3) postage. The reasonable cost-based fee for copies can be based either on actual costs or on an average cost.11

Conclusion
If you are a covered entity, being knowledgeable about patients’ rights and your legal obligations under HIPAA is fundamental to maintaining a lawful and ethical practice. The following resources provide useful information regarding HIPAA:

 

For articles and legal forms related to HIPAA, visit CAMFT’s website at https://www.camft.org/Members-Only/Insurance-Corner/HIPAA. For case examples and enforcement actions, visit the Department of Health and Human Services website at https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/examples/index.html. The Office for Civil Rights, which is the governmental body that enforces HIPAA rules, has taken enforcement actions ranging from issuing a resolution agreement to levying civil monetary penalties against covered entities for failure to follow HIPAA rules regarding patients’ access to records.

For more information about HIPAA and the Office for Civil Rights, visit https://www.hhs.gov/hipaa/index.html.


Ann Tran-Lien, JD, is a staff attorney and the Managing Director of Legal Affairs at CAMFT. Ann is available to answer member calls regarding legal, ethical, and licensure issues.


Endnotes
1 For further reading on a patient’s right to access clinical records under California law, see “Patient Records Under California Law: The Basics” by CAMFT Staff Attorney Alain Montgomery, JD.
2 For further reading on covered entities under HIPAA, see “Are You a Covered Entity” by former staff attorney Dave Jensen, JD.
3 45 C.F.R. § 160.103.
4 Id.
5 45 C.F.R. § 164.524(a)(2).
6 45 C.F.R. § 164.501.
7 45 C.F.R. § 164.524(a)(3).
8 It’s important to note that California law differs in this regard. California law allows a provider to deny access if they determine there is a substantial risk that the patient will suffer significant adverse or detrimental consequences if they see or receive a copy of the records. (Cal. Health & Safety Code § 123110.) Hence, California law does not require that the adverse physical or psychological consequences to the patient be life-threatening or amount to physical endangerment, whereas HIPAA requires that these consequences must be likely to endanger a person’s life.
9 45 C.F.R. § 164.524(c)(2)(ii). Even if records are maintained in a paper format, if the patient requests them electronically, the therapist is required to provide an electronic copy if it’s readily producible (e.g., by scanning the paper records into electronic format).
10 45 C.F.R. § 160.203(b); Cal. Health and Safety Code § 123110.
11 45 C.F.R. § 164.524(c). Please note that charging patients a per-page fee for the production of electronically stored PHI is not considered reasonable under HIPAA.

