About Us | Chapters | Advertising | Join
The Legal Department articles are not intended to serve as legal advice and are offered for educational purposes only. The information provided should not be used as a substitute for independent legal advice and it is not intended to address every situation that could potentially arise. Please be aware that laws, regulations and technical standards change over time. As a result, it is important to verify and update any reference or information that is provided in the article.
This article offers reminders and tips for LMFTs who find themselves subject to the 21st Century Cures Act and who seek further guidance on how to handle patient requests for access to electronic health information and electronic health records.
Sara Jasper, JD
In May of 2020, the Office of the National Coordinator for Health Information Technology (ONC) and the Centers for Medicare & Medicaid Services (CMS) issued Final Rules for implementation of the 21st Century Cures Act. The Final Rules were established to improve electronic health information (EHI) interoperability and to assist patients with gaining access to their health records. The Act, and the rules that followed, have raised questions and caused concern among LMFTs who are unsure about how their work will be impacted.
The ONC Final Rule
The ONC Final Rule updates certification requirements for health IT developers and includes new guidelines for effective and seamless communication by health care providers using certified health IT.1
Note: Most LMFTs do not use certified health IT in their practice. For example, SimplePractice is not a certified health IT product.
The ONC Final Rule also finalizes new standards to prevent “information blocking” practices. This is the portion of the rule that affects most healthcare providers.
While the list of healthcare providers set forth in the ONC’s Final Rule does not include Licensed Marriage and Family Therapists, LMFTs who are working in certain healthcare settings that maintain Electronic Health Records (EHR) may ultimately be required to comply with aspects of the rule. For an introduction to the 21st Century Care Act, specifically why and how LMFTs may be required to comply, read Ann Tran Lien’s article titled, “The 21st Century Cures Act Final Rules: What LMFTs Need to Know.” As a follow-up to that introductory article, this article offers reminders and tips for LMFTs who find themselves subject to the Act and who seek further guidance on how to navigate patient requests for access to EHI and EHR.
The 21st Century Cures Act does not require all LMFTs to maintain EHI/EHR.
While legal and ethical standards require LMFTs to maintain clinical records for their psychotherapy patients, neither law nor ethics require LMFTs to keep their clinical records electronically.2 This means unless work settings or business contracts require the creation and maintenance of EHR, LMFTs may maintain handwritten clinical records or clinical records in hard copy form. Neither the passage of the 21st Century Cures Act or the subsequent final rules establish a blanket requirement for the use of electronic records.
The 21st Century Cures Act only applies to Electronic Health Information (EHI)/ Electronic Health Records (EHR).
Providers who do not maintain EHI and EHR as part of their practices or as a result of their business contracts/relationships are not subject to the 21st Century Cares Act.
The Health Insurance Portability and Accountability Act (HIPAA) and California law already give patients’ rights of access to records and rights to request release of their EHI/EHR. The 21st Century Cares Act and related final rules are designed to improve patients’ access to health information.
Laws that establish and support patients’ right of access to medical records existed prior to the passage of the 21st Century Cares Act. Federal3 and California laws4 allow patients to review and receive copies of their medical records, including mental health records.
Summary of Patients’ Right of Access :
Federal Law (HIPAA)
Under HIPAA, a patient generally has a right to inspect and obtain a copy of individual “protected health information (PHI)” with a few exceptions. PHI includes, but is not limited to, information created or received by a health care provider that relates to the past, present, or future physical or mental health or condition of an individual, including payment of services, that identifies the patient; or information that can be used to identify the patient. PHI also includes demographic information collected from the patient.5 For more information about patients’ general rights to access their mental health records in accordance with HIPAA, read Ann Tran-Lien’s article titled, “A Patient’s Right to Access Mental Health Records Under HIPAA.”
Summary of Patients Right of Access :
Under sections of the California Health and Safety Code any adult patient, a minor patient authorized by law to consent to his or her own treatment, or the patient’s legal representative, (i.e., a parent, guardian, conservator, or personal representative of a deceased patient) has a right to access the clinical record.6
To read more about patients’ rights to access mental health records under California law review Alain Montgomery’s article titled, “Patient Records Under California Law the Basics.”
Patients’ right to access and review records are not absolute. Consistent with HIPAA, the 21st Century Cures Act and the ONC Final Rule includes some exceptions to these rights.
The U.S. Department of Health and Human Services (HHS) created eight exceptions for when “Actors” (a.k.a. providers) can refuse to allow access, exchange or use of patient EHI. Perhaps the most relevant to the practice of LMFTs is a “Preventing Harm Exception.” This exception is consistent with HIPAA’s right of access exception. Under this exception, an Actor is allowed to engage in practices that are reasonable and necessary to prevent harm to a patient or another person, provided certain conditions are met. In order to apply the exception, an Actor must hold a reasonable belief that the practice will substantially reduce a risk of harm. The harm must be reasonably likely to endanger the life or physical safety of the patient or another person.
For a full list of eight exceptions and conditions visit https://www.healthit. gov/sites/default/files/cures/2020-03/ InformationBlockingExceptions.pdf.
The first step for providers working in a healthcare setting potentially subject to the 21st Century Cures Act and the ONC Final Rule is to talk to their employers or the business entities they contract with.
LMFTs working in certain healthcare settings that maintain EHI/EHR and meet the definition of “Healthcare Provider,” because of the type of setting and/or because of the types of healthcare providers working within the setting, should discuss with their employers and/or hiring business entities how the Act applies to their practices. For example, those working for Licensed Psychologists or Licensed Clinical Social Workers, in Community Mental Health Centers, in hospitals, and in Federally Qualified Health Centers that maintain EHI/EHR would be subject to the Act given that these providers and settings fall within the Act’s definition of Healthcare Provider. Settings will offer further guidance about how to comply. To see if an organization meets the definition of “Healthcare Provider,” review the ONC Fact Sheet: https:// www.healthit.gov/cures/sites/default/files/cures/2020-08/Health_Care_Provider_Definitions_v3.pdf.
Providers can learn more about compliance by accessing a free, on-demand webinar that explains key provisions of the final rule, including the provisions related to information blocking.
The American Health Information Management Association (AHIMA) offers a free webinar that explains the provisions, certification and compliance requirements of the recently finalized rules on information blocking and interoperability.
You can access the free, on-demand webinar titled, “21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program Final Rule” presented by Elise Sweeney Anthony, Executive Director, and Elisabeth Myers, Deputy Director, Office of Policy at the Office of the National Coordinator (ONC) for Health IT by going to https:// my.ahima.org/store/product?id=66140.
Regularly communicate with patients about recordkeeping and be transparent about the information contained in patient records.
LMFTs can reduce the need for records requests and manage patients’ concerns about the content of clinical records by regularly communicating with patients about their records. As part of their initial discussions about treatment, LMFTs should inform patients that they are legally and ethically required to maintain a clinical record.7 Clinicians should also discuss their ethical obligations to provide comprehensive information so that their patients can understand treatment decisions.
Invite patients to ask questions or raise concerns about their records.
Transparency is an important way to proactively address patient concerns about the contents of their mental health records. Psychotherapists have an ethical obligation to fully inform and collaborate with their patients around treatment decisions.8 The clinical record is merely a reflection of the treatment provided to patients. Therefore, patients should have a general awareness about the contents of their treatment records.
When patients disagree with/or are upset about the content of their health records, remind them they are not powerless. HIPAA’s Correction Principle and the California Correction Rule enable them to offer amendments and addendums to their health records.
HIPAA’s Correction Principle
Under HIPAA’s Privacy Rule, patients have the right to ask covered entities to amend their PHI for as long as the entity maintains the records.9 Providers must act on patients’ requests for amendments within 60 days.10 Providers who need it may have a 30-day extension if they give patients a written statement of the reasons for the delay and the completion date. 11 Providers shall identify the record to be amended and either append the amendment to the record or offer a link to the amendment. 12 Patients may provide an amendment up to 250 words. 13Providers must notify patients that the amendment has been made and gain consent to share the amendment with those who received the record. 14
Providers can deny requests for amendment if the provider believes the record is accurate and complete. 15 Providers are not required to amend records they did not create.16 In cases of disagreement, providers may write a rebuttal, but give a copy to their patients. 17
California’s Correction Provision
California’s Correction provision closely follows HIPAA’s, but categorizes patient’s statements as addendums. California’s statute specifically states that patients may add a written addendum with respect to any item or statement in health records that patients find to be incomplete or incorrect.18 Any addendum that includes defamatory or other unlawful language shall not, in and of itself, subject the health care provider to liability.
CAMFT has resources for providers who are concerned that their recordkeeping practices do not meet the legal requirements and ethical standards and/ or are not in-line with recordkeeping best practices.
CAMFT Staff Attorney Michael Griffin’s article titled, “On Writing Progress Notes,” offers information about the legal and ethical standards for recordkeeping practices. CAMFT’s On-Demand education library includes continuing education courses on recordkeeping, including a course called “An Overview of Progress Notes as They are Utilized in Documenting Mental Health Treatment Records” that was recently developed for CAMFT’s chapters. CAMFT also encourages therapists to regularly review their settings’ policies and procedures for recordkeeping.
Ever since its adoption, rumors of the Act’s widespread application have run rampant. In reality, most LMFTs will not be subject to the new law. Those few who must comply due to their workplace requirements or contractual obligations, are likely to find their practices minimally altered. LMFTs should talk with their employers or the hiring business entities they contract with to discuss if or how their documentation practices and responses to records requests may be impacted by The Act. For additional information, consult the following resources:
Sara Jasper, JD, CAE, is a staff attorney for CAMFT. Sara is available to answer member calls regarding legal, ethical, and licensure issues.
1 The Office of the National Coordinator for Health Information Technology (ONC) oversees the Health IT Certification Program for health IT modules — including electronic health record sysems (EHR). Certified systems are those that have undergone scrutiny and been evaluated using health IT standards, implementation specifications, and certification criteria. The ONC Health IT Certification Program provides assurance to purchasers and other users that a system meets the technological capability, functionality, and security requirements adopted the U.S. Department of Health and Human Services (HHS). As mentioned above, few psychotherapists use certified health IT products in their practice. For example, Simple Practice is not a certified health IT product.
2 Cal. Bus. & Prof. Code §4982; Sections 3.12 and 5.3 of the CAMFT Code of Ethics.
3 The Health Insurance Portability and Accountability Act (HIPAA) 45 C.F.R. §164.254.
4 California Health and Safety Code Sections 123100 through 123130.
5 45 C.F.R. §160.103.
6 Cal. Health and Safety Code §§123100 and 123110.
7 Cal. Bus. & Prof. Code §4982; Sections 3.12 and 5.3 of the CAMFT Code of Ethics.
8 CAMFT Code of Ethics Section 3.1.
9 45 C.F.R. §164.526.
10 45 C.F.R. §164.526(b)(2)(i)
11 45 C.F.R. §164.526(b)(2)(ii)
12 45. C.F.R. §164.526(c)(1)
13 45 C.F.R. §164.526(d)(2)
14 45 C.F.R. §§164.526(c)(2) and 164.526(c)(3)
15 45 C.F.R. §164.526(a)(2)(iv)
16 45 C.F.R. §164.526(a)(2)
17 45. C.F.R. §164.526(d)(3)
18 Cal. Health and Safety Code §123111
This article is not intended to serve as legal advice and is offered for educational purposes only. The information provided should not be used as a substitute for independent legal advice and it is not intended to address every situation that could potentially arise. Please be aware that laws, regulations and technical standards change over time. As a result, it is important to verify and update any reference or information that is provided in this article.