*An earlier version of the article did not include a statement that the definition of a “covered entity” was applicable to Texas Mental Health Professional guidelines. Texas has expanded the definition of covered entity to include any provider who receives, transmits or stores PHI in electronic format for any reason or purpose.  Any email or text messaging that a Texas MHP participates in will cause a Texas MHP to be a covered entity for Privacy Rule purposes.

I have spoken with literally thousands of mental health professionals (mhps) during my career as a lawyer that have been faced with a request for records.  I wish I had five dollars for the number of times I was told by a mhp, “I never give out copies of my records, I only provide summaries.”  I have had a difficult time convincing many of them that their clients were entitled to obtain copies of their records.

The US Department Of Health and Human Services has published guidelines for individuals’ right under HIPAA to access their health information (45 CFR §164.24).  The thinking behind the Department’s regulations and guidelines is to provide individuals with easy access to their health information to empower them to be more in control of decisions regarding their health and well-being.  This will allow individuals to better monitor their conditions, adhere to treatment plans, find and fix errors in their health records, track progress in wellness or disease management programs, and directly contribute their information to research.  The goal is to put individuals in the driver’s seat with respect to their health as we move toward a more patient-centered health care system.

The bottom line is that individuals have a right to review and obtain copies of their records.  Summaries can only be provided if the client requests one or agrees to accept the summary in lieu of the copies. “Records” means any item, collection or grouping of information that includes protected health information (PHI) and is maintained, collected, used, or disseminated by or for a covered entity.  I have had many mhps tell me that they are not a covered entity because they keep paper records so they do not have to worry about HIPAA.  I then ask them if they have you ever communicated with a client by email or text messaging.  I have never had any one tell me they have not.  Those electronic communications with your clients make you a covered entity.

A mhp is allowed to withhold psychotherapy notes from review by a client.  These are defined as notes a mhp records in a separate file from the client’s clinical file about the communications shared between the client and the provider that are for the provider’s use only.  Many mhps tell me that they will not turn over their notes thinking the psychotherapy note exception applies.  When I ask them if they keep these notes in a separate file I am often told that they do not.  If not, then they are not psychotherapy notes as defined by the regulations.   In some states, such as California and Minnesota, clients are allowed under state law to access psychotherapy notes and they cannot be withheld from a client.  Generally, where a state law provides better privacy protection or greater access to records” state law will supersede federal law.

The regulations allow a mhp to also withhold information under the following circumstances:

  • If any portion of the requested record is reasonably likely to endanger the life or physical safety of the individual or another person.  This ground for denial does not extend to concerns about psychological or emotional harm (e.g., concerns that the individual will not be able to understand the information or may be upset by it).
  • If any portion of the requested record is reasonably likely to cause substantial harm to a person (other than a health care provider) referenced in the PHI.
  • If a personal representative (i.e. parent) has requested access and any portion of the requested record is reasonably likely to cause substantial harm to the individual (i.e. child) or another person (i.e. the other parent).

These rules are game changers for mhps in states like Texas that that allow for denial of information based on professional judgment that disclosure would be harmful to the patient’s physical, mental, or emotional health.  Under the Federal regulations and guidelines concern for emotional health would not constitute a basis unless the mhp could tie it to some risk to life or physical safety like an increased risk of suicide.  It would be important for that risk to be evident from the face of the records themselves in the event a complaint were filed with a state licensing board or the Office of Civil Rights.

Many mhps have shared their sincere concern about allowing a parent to access his or her child’s records on the belief that it will destroy the child’s trust in the therapist and for all future therapists.  Based on the regulations and guidelines now in place that will not constitute a basis for withholding the information from the parent unless the mhp can make a valid connection to endangerment to life or physical safety.

The regulations and guidelines require all other information that is not reasonably likely to endanger life or physical safety be provided.  This would require redacting from the record copy only the information reasonably likely to endanger life or physical safety.

All requests for information must be responded to within thirty (30) days and if a state law requires an earlier response time the state time period will apply.  The thirty (30) day rule is described as the maximum window and if a provider has an electronic record system that allows for quick dissemination of records it would be improper for the provider to withhold the information for the full thirty days.

If the provider cannot comply with the request within 30 days for a valid reason such as offsite storage, then the response period can be extended for no more that an additional 30 days but written notice must be provided within the first thirty (30) day window.

If a covered entity denies access, in whole or in part, to PHI requested by the individual, the covered entity must provide a denial in writing within thirty (30) days (or sixty (60) days if the time period is extended) that:

  • is in plain language;
  • describes the basis for denial;
  • informs the individual of the right to have the decision reviewed and how to request such a review; (denial of psychotherapy notes is not reviewable) and
  • informs the individual he or she may submit a complaint to the covered entity or the HHS Office for Civil Rights.

Other key rules to keep in mind when faced with a records request are:

  • A covered entity may not deny access because a business associate of the covered entity, rather than the covered entity itself, maintains the PHI requested by the individual (e.g., the PHI is maintained by the covered entity’s electronic health record vendor or is maintained by a records storage company offsite).
  • A covered entity may not require an individual to provide a reason for requesting access, and the individual’s rationale for requesting access, if voluntarily offered or known by the covered entity or business associate, is not a permitted reason to deny access.
  • Clients have the right to access all the information maintained in their file even if it was received from a third party (i.e. psychologist report).
  • A covered entity also may provide the individual with a summary of the PHI requested, in lieu of providing access to the PHI, or may provide an explanation of the PHI to which access has been provided in addition to that PHI, so long as the individual in advance: (1) chooses to receive the summary or explanation (including in the electronic or paper form being offered by the covered entity); and (2) agrees to any permitted fees.
  • A client can request electronic or paper copies of records. If the covered entity does not maintain electronic records but has a scanner and can “readily scan the paper record into an electronic format” the covered entity must do so.
  • A covered entity also must provide access in the manner requested by the individual, which includes arranging with the individual for a convenient time and place to pick up a copy of the PHI or to inspect the PHI (if that is the manner of access requested by the individual), or to have a copy of the PHI mailed or e-mailed, or otherwise transferred or transmitted to the individual to the extent the copy would be readily producible in such a manner.
  • A covered entity is not expected to tolerate unacceptable levels of risk to the security of the PHI on its systems in responding to requests for access; whether the individual’s requested mode of transfer or transmission presents such an unacceptable level of risk will depend on the covered entity’s Security Rule risk analysis.  However, mail and e-mail are generally considered readily producible by all covered entities. It is expected that all covered entities have the capability to transmit PHI by mail or e-mail (except in the limited case where e-mail cannot accommodate the file size of requested images), and transmitting PHI in such a manner does not present unacceptable security risks to the systems of covered entities, even though there may be security risks to the PHI while in transit (such as where an individual has requested to receive her PHI by, and accepted the risks associated with, unencrypted e-mail).  Thus, a covered entity may not require that an individual travel to the covered entity’s physical location to pick up a copy of her PHI if the individual requests that the copy be mailed or e-mailed.
  • A covered entity may require individuals to request access in writing, provided the covered entity informs individuals of this requirement.   Covered entities also may offer individuals the option of using electronic means (e.g., e-mail, secure web portal) to make requests for access.  In addition, a covered entity may require individuals to use the entity’s own supplied form, provided use of the form does not create a barrier to or unreasonably delay the individual from obtaining access to his PHI.
  • A covered entity must take reasonable steps to verify the identity of an individual making a request for access.  No particular form of verification (such as obtaining a copy of a driver’s license) is mandated, but rather generally leaves the type and manner of the verification to the discretion and professional judgment of the covered entity, provided the verification processes and measures do not create barriers to or unreasonably delay the individual from obtaining access to her PHI, as described below.
  • A covered entity may impose a reasonable, cost-based fee if the individual requests a copy of the PHI (or agrees to receive a summary or explanation of the information).  The fee may include only the cost of: (1) labor for copying the PHI requested by the individual, whether in paper or electronic form; (2) supplies for creating the paper copy or electronic media (e.g., CD or USB drive) if the individual requests that the electronic copy be provided on portable media; (3) postage, when the individual requests that the copy, or the summary or explanation, be mailed; and (4) preparation of an explanation or summary of the PHI, if agreed to by the individual.  The fee may not include costs associated with verification; documentation; searching for and retrieving the PHI; maintaining systems; recouping capital for data access, storage, or infrastructure; or other costs not listed above even if such costs are authorized by State law.

In summary, it has become more difficult to keep clients from accessing their records.  The regulations and guidelines pose many technical requirements that can trip up a well- meaning mhp when a client seeks access to their records.  It is imperative to document in writing all your communications with clients about their records i and to note and pay attention to dates and time periods.  Mhps should thoughtfully review their policies and practices with respect to content recorded in a client file.  Less may not always be better if one has to defend a denial of information to a client.

Written by Tom L. Hartsell, Attorney at Law

CPH Insurance

Protect yourself with CPH Insurance.

Get a quote & apply online.

About the Author

Avatar photo

Guest Author

Avoiding Liability Bulletin – January 2008

… Suppose that a patient or client makes a proper request to inspect or copy his or her records. Does the therapist or counselor ever (under any circumstances) have a right or is it ever permissible to remove documents or information from the file prior to complying with the request for records? The answer to this question would seem to be “no,” certainly in most circumstances, but there may be times when removal of information or documents is permitted. The law of each state is different, so therapists and counselors must be careful to check the law in their respective states.

One state’s law, for example, provides that psychotherapists and other health practitioners may remove material from the patient’s file if the information was given in confidence to the health care provider by a person other than another health care provider or the patient. Additionally, under HIPAA, the “Privacy Rule” provides that a covered entity (such as, a “covered” licensed health care provider) may deny an individual access to his or her protected health information if the protected health information was obtained from someone other than a health care provider under a promise of confidentiality – provided that the access requested would be reasonably likely to reveal the source of the information.

In addition to requests for records from patients, a therapist or counselor may receive a subpoena for the production of records. Much of the time, the subpoena is from the opposing party in a lawsuit involving the patient, such as a patient’s lawsuit against her former therapist, physician, or employer. While it is imperative that state law be followed with respect to the practitioner’s response to the subpoena, I have generally advised therapists to work closely with the patient’s attorney, and to generally take their marching orders from that attorney. Sometimes, that attorney will instruct (or request) a therapist to remove one or more documents from the file, or will instruct the therapist not to comply, at all, for one or more reasons.

Therapists who comply with the attorney’s direction must be certain that the attorney understands that should there be an inquiry as to why the therapist acted in a certain manner, the therapist will say that he or she was directed or asked to do this by the attorney and that the attorney assured the therapist that what was being asked of the therapist was lawful. The attorney should be willing to state the above in writing, if necessary, or to testify to that effect should there be a proceeding to determine whether the therapist should be held in contempt for removing or withholding certain documents. These proceedings are relatively rare and the results for therapists who have relied upon the attorney “taking the heat” have been positive

Everyone in the process may need to be reminded that the psychotherapist – patient privilege is held by the patient – not the therapist – and that when the patient has an attorney, the therapist has a right to rely upon the representations of the attorney who represents the holder of the privilege. The therapist may be reasonable in believing that the attorney is an “officer of the court” who would not intentionally mislead the therapist into acting in a manner contrary to law.

CPH Insurance

Protect yourself with CPH Insurance.

Get a quote & apply online.

About the Author

Avatar photo

Richard Leslie

Richard S. Leslie is an attorney and acknowledged expert on the interrelationship between law and the practice of marriage and family therapy and psychotherapy. Most recently, he was a consultant to the American Association for Marriage and Family Therapy (AAMFT) and has written articles regarding legal and ethical issues for their Family Therapy Magazine. Prior to his work with AAMFT, Richard was Legal Counsel to the California Association of Marriage and Family Therapists (CAMFT) for approximately twenty-two years. While there, he also served as their director of Government Relations and tirelessly advocated for due process and fairness for licensees and applicants.

Learn more about Richard Leslie