Avoiding Liability Bulletin – December 2017
While mental health treatment records are owned by the practitioner (assuming a private practitioner/sole proprietorship), patients have certain rights with respect to accessing their treatment records. These rights are typically specified by state statute, but for those who are “covered entities” under HIPAA these rights are found in the federal regulations known as the Privacy Rule. Patients or clients may gain access to their records by either obtaining a copy of the records or by inspecting the records. From the practitioner’s standpoint, a request to inspect or obtain copies may be non-threatening in some cases, but in many if not most, the request may be a sign of impending trouble. The request or demand may come suddenly and without prior warning. A thorough and nuanced understanding of the many laws that deal with patient access to records is essential in order to deal effectively (and lawfully) with such requests.
As is apparent from the questions and information found below, there are many aspects to the topic. I have written about some of them before – both in this CPH Avoiding Liability Bulletin and elsewhere. These questions (there are many more that can be posed or that may arise in one’s practice) are raised to help you assess the degree of facility and certainty you have with respect to the topic. I hope these questions provoke thought and perhaps some research. While practitioners are expected to know the laws and regulations that affect their profession, there are some practical limitations and nuances (like vague and ambiguous laws, or conflicts between federal and state law) that essentially prevent or hamper practitioners from knowing everything that they should. Because a request to access records can arise unexpectedly, and because the response must be timely, it is important for practitioners to be prepared or generally familiar with the topic and to know how to quickly find the answers to these and other questions.
*At what age, and under what conditions, does a minor client have the right to demand and receive a copy of his or her treatment records or to prevent the parents from obtaining access?
*What if there is joint legal custody by the parents of a ten year old client and one parent requests a copy of the child’s records, but the other parent does not want a copy of the records to be released – what should the practitioner do?
*Must the request for records be made in writing, or may it be made orally or in person?
*Does the state in which you practice give the patient greater rights of access than the federal government does under the HIPAA regulations (the Privacy Rule)?
*Is a violation of HIPAA regulations related to access to records something that the federal government can and will pursue?
*When and under what circumstances may you provide a summary of the records to the patient rather than provide the full record?
*If a summary is provided, can you charge the patient for the costs of producing the summary? Are there statutory limits on the amount that can be charged?
*When should you comply with a parents’ request for a copy of the child’s records and when must you deny a request for a copy of the records?
*What if you are treating a couple and a request to inspect the records is made in writing by only one of the patients- does state law allow you to deny the request?
State laws treat the subject matter of access to records differently, sometimes (often?) in fine nuance! One such area of disparate treatment occurs with respect to the right or option of the therapist or counselor to provide a summary of the records in lieu of providing the actual copies. While providing copies may be easiest and somewhat routine, situations may arise where the practitioner would be wise or may desire (for a variety of reasons) to provide a summary and to withhold the actual records. It is important to know whether the provision of a summary is entirely within the discretion of the practitioner or whether the summary can only be provided under certain conditions – and if so, what those conditions are. Sometimes, after thoughtful discussion and reasoning, patients may consent to a summary. At other times, the patient may think you are hiding something and a claim or lawsuit may seem imminent.
Under HIPAA regulations (the Privacy Rule), a summary can only be provided if the patient agrees in advance to a summary and to the reasonable, cost-based fee imposed, if any, by the practitioner for preparation of the summary. For those governed by state law, more latitude may be given to the practitioner. In California, for example, a summary of the records may be provided in the discretion (hopefully, the sound discretion) of the practitioner. There are no findings that first have to be made and no conditions that first have to be met (California may be alone in this regard). When provision of a summary is permitted, whether in the sole discretion of the practitioner or under specified conditions, it is important to know whether there is specific content that must be contained in the summary and what that content is. In California, the relevant statute lists at least eight specific things that must be included in a summary of the records.
Knowledge of the time within which the practitioner must act is critical to avoiding a violation of law. The time within which the practitioner must act (permit inspection, provide a copy, provide a summary, or deny access) may be different depending upon the nature of the request and the response to the request. Time frames may differ between the applicable state law and HIPAA regulations (the Privacy Rule). Does the time begin to run upon receipt of a written request for inspection or for a copy of the records, or does the time start to run upon additional conditions being met (e.g., payment of certain costs or fees related to production of the records)? In California, for example, a written request for a copy of the records must be presented, together with a fee to defray the cost of copying (there are statutory limits), in order for the clock to start running. A written request might not be necessary under the Privacy Rule – an oral request for access may start the clock running under certain circumstances. However, the Privacy Rule allows “covered entities” (e.g., sole practitioners who meet the definition) to require patients to use the entity’s (practitioner’s) own supplied form, provided use of the form does not create a barrier to or unreasonably delay the patient from obtaining access to the records.
Under specified circumstances, access to the records either may or must be denied. The grounds for a denial may vary when state law is compared to the Privacy Rule. In order to deny access in California, the practitioner must determine that there is a substantial risk of significant adverse or detrimental consequences to a patient in seeing or receiving a copy of the mental health records requested by the patient. The law then specifies several other actions that the practitioner must take, including what content must be entered into the records. For those who are covered entities under HIPAA, the standard for denial is worded differently (e.g., but not limited to, where access is reasonably likely to endanger the life or physical safety of the individual or another person). Some denials of access by the practitioner (under HIPAA) are not reviewable (e.g., denial of access to “psychotherapy notes”), while other denials are reviewable. When denying access under the Privacy Rule, the practitioner must, among other things, provide a timely, written denial that contains the basis for the denial and information regarding the review rights for the individual seeking access.
With respect to parental access to a minor’s records, California law specifies that the representative of a minor “shall not be entitled to inspect or obtain copies of the minor’s patient records” under two circumstances. One circumstance is where the minor could have consented to the treatment alone (e.g., most of those who are twelve or older). The other circumstance gives broad discretion to the practitioner – such as, but not limited to, where the practitioner determines that access to the records of the minor would have a detrimental effect on the practitioner’s professional relationship with the minor or the minor’s psychological well-being. This law also protects the practitioner from liability when making the decision to deny access, provided that the decision is not found to have been made in bad faith. What is the law regarding parental access in your state of practice?