MEMORANDUM
|
TO: |
Interested Persons |
|
FROM: |
Daniel
Brzovic |
|
RE: |
ACCESS
TO AND AMENDMENT OF HEALTH RECORDS |
|
DATE: |
|
You contacted Protection and Advocacy, Inc. (PAI) for
information about your right to review, copy, or amend your patient
records. You have a right to do all of
those things.
Please call PAI if you have a question which is not
answered in this memorandum or if you need additional information.
Both federal law and
For the most part, the
a. Access to
mental health records (except psychotherapy notes).
b. Summaries
of medical records by health care providers in lieu of allowing access to the
records.
c. Amendment
of medical records.
d. Access to
x-rays or EKG, EEG, or EMG tracings.
The rest of this memo explains what the standards are for
you to review, copy, or amend your medical records. The memo also explains whether the standards
that apply are found in the federal HIPAA privacy regulations or in the
California Health and Safety Code.
You or your authorized representative must make a written
request to inspect and/or to receive copies of your records. H&SC
§123110(a), (b). A request for copies must specify the records to be
copied. H&SC §123110(b).
Yes. The health care provider must allow access to the
records during regular business hours within five (5) working days after
receiving the written request. H&SC §123110(a). If
you or your authorized representative makes a request for copies of all or part
of a file, the health care provider must transmit the copies within fifteen
(15) days after receiving the written request.
H&SC §123110(b).
Yes. Both HIPAA and
HIPAA privacy regulations allow a provider to deny access
to mental health records (except psychotherapy notes) only under the following
conditions:
a. A licensed
health care professional has determined, in the exercise of professional
judgment, that the access is reasonably likely to endanger the life or physical
safety of you or another person,
b. The record
refers to another person (unless that person is a health care provider) and a
licensed health care provider has determined, in the exercise of professional
judgment, that the access requested is reasonably likely to cause substantial
harm to that other person,
c. The
request for access is made by your personal representative (e.g. parent,
guardian, conservator or health care agent) and a licensed health care
professional has determined, in the exercise of professional judgment, that
providing access to your personal representative is reasonably likely to cause
substantial harm to you or to another person.
Under the HIPAA regulations, a patient can be denied access only if access is likely to endanger someone’s life or physical safety. This is a hard standard for a provider to meet. On the other hand, access can be denied to a patient’s representative (e.g. parent, guardian, conservator, health care agent) if access is likely to cause someone substantial harm. This means that it is harder for a patient’s representative to access patient records than it is for a patient to access their own records.
NOTE: These
restrictions apply only to access by the patient, or a representative of a
patient who does not obtain an authorization for release of information. There are no such restrictions on release of
information to someone other than a patient if the patient has executed a valid
written authorization.
Under HIPAA privacy regulations, if the provider refuses
to allow access to the records, the provider must provide a written
denial. The written denial must contain
the following information:
a. the basis
for the denial;
b. the right
to review by a licensed health care professional designated by the provider
(including a description of how to exercise the right to review);
c. the right to file a complaint with the provider, and the right
to file a complaint with the Department of Health and Human Services Office for
Civil Rights.
Note: These same
federal requirements for denial of access and notice apply to denial of access
to x-rays and EKG, EEG and EMG tracings by HIPAA-covered providers. This is because HIPAA privacy regulations
provide greater access to these records than
Under California law, the health care provider may decline
to permit inspection or provide copies of
psychotherapy notes to a patient if the health care provider determines
there is a "substantial risk of significant adverse or detrimental
consequences to the patient in seeing or receiving" such psychotherapy
notes. H&SC §123115(b). However, such a refusal is
subject to the following four conditions:
a. the health
care provider must enter into the records a written explanation for refusing to
permit inspection or provide copies of the records, including a description of
the specific adverse or detrimental consequences to the patient that the
provider anticipates would occur if inspection or copying were permitted;
b. the health
care provider must permit inspection by, or provide copies of, the mental
health records to a licensed physician and surgeon, licensed psychologist or
licensed clinical social worker designated by the patient;
c. the health
care provider must inform the patient both of the provider's refusal to permit
access to the requested records and of the patient's right to inspect and
obtain the records; and
d. the health care provider must record whether the patient
requested that another health professional inspect or obtain the requested
records.
H&SC §123115(b)(1)-(4).
Yes. A parent is not entitled to inspect or obtain copies
of a minor's patient records if the minor patient is authorized by law to
consent to medical treatment. H&SC §123115(a)(1). See,
Federal HIPAA privacy regulations allow a provider to
prepare a summary instead of allowing you access to records, but only if you
agree in advance to both a summary and any fees for preparing the summary. 45 C.F.R. § 164.524(c)(2)(ii). (California Health and Safety Code section
123130(a) no longer applies to providers covered by HIPAA privacy regulations
to the extent that it gives providers the option of deciding whether to prepare
a summary instead of allowing access to records. HIPAA privacy regulations give that option to
the patient.)
If the provider prepares a summary instead of allowing
access to the records, the patient's entire record must be summarized unless
the patient limits his or her request to certain injuries, illnesses, or
episodes. H&SC §123130(a). A health care provider may confer with the
patient to clarify what information is sought. If, as a consequence, the
patient requests information about only certain injuries, illnesses, or
episodes, the provider is required to summarize only the injuries, illnesses,
or episodes designated by the patient.
The summary must contain for each injury, illness, or
episode any information included in the record relative to the following:
1. chief
complaint(s), including pertinent history;
2. findings
from consultations and referrals to other health care providers;
3. diagnosis,
where determined;
4. treatment
plan and regimen including medications prescribed;
5. progress
of treatment;
6. prognosis,
including significant continuing problems or conditions;
7. pertinent
reports of diagnostic procedures and tests and all discharge summaries; and
8. objective findings from the most recent physical
examination, such as blood pressure, weight, and actual values from routine
laboratory tests.
H&SC §123130(b)(1)-(8)
No. A health care provider cannot withhold a patient's
records because of unpaid bills for services. Any health care provider who
willfully withholds records because of unpaid bills is subject to sanctions. H&SC §123110(g).
Yes. Before giving copies of records to the requester, a
provider may require the requester to pay: copying costs, not to exceed
twenty-five cent ($.25) per page or fifty cents ($.50) per page for records that
are copied from microfilm, and any additional reasonable clerical costs
incurred in making the records available. H&SC
§123110(b).
Additionally, the health care provider may charge a
"reasonable fee" based on actual time and cost for preparation of a summary
pursuant to a patient's request for access to his or her records. H&SC §123130(f).
However, a provider cannot charge for copies of records
needed to support an appeal for Social Security Disability Insurance (SSDI),
Supplemental Security Income (SSI) or Medi-Cal benefits, if a request for the
records and proof of the appeal is given to the provider in writing. H&SC
§123110(d)(1).
Records must be provided within 30 days of the written request. H&SC §123110(f). Only one copy of relevant portions of the
records must be provided free of charge.
H&SC §123110 (d)(2). “Relevant” records are records beginning on
the date of the initial application for benefits and ending when a final
decision has been made on any appeal.
H&SC §123110(d)(1). A provider does not have to provide records
free of charge if the patient is represented by a private attorney (attorney
other than a nonprofit legal services entity).
H&SC §123110(d)(3). If the appeal is successful, the provider may
bill the patient for the records at the rates specified above. H&SC §123110(e).
For providers covered by HIPAA, amendment of health
records is governed almost entirely by HIPAA privacy regulations. According to those regulations, you must ask
the provider to amend your records. 45
C.F.R. § 164.526(b)(1). The provider can require that your request be
in writing and that it include the reason for the
requested amendment, but the provider must notify you of these requirements
before you make the request. 45 C.F.R. §
164.526(b)(1).
There is no time limit on requesting an amendment. 45 C.F.R. § 164.526(a)(1). You can ask for an amendment for as long as
your records exist. 45 C.F.R. § 164.526(a)(1).
The provider must act on your request within 60 days. 45 C.F.R. § 164.526(b)(2)(i). The provider can
have a 30 day extension if the provider gives you a written statement of the
reasons for the delay and the date by which action will be completed. 45 C.F.R. § 164.526(b)(2)(ii). (
If the provider agrees to amend your records, the provider
must, at a minimum, identify the record to be amended and either append the
amendment to that record or provide a link to the amendment. 45 C.F.R. § 164.526(c)(1). The provider must also notify you that the
amendment has been made, and obtain your consent to inform others who have
received the records in question. 45
C.F.R. § 164.526(c)(2). The provider must provide the amendment to
people that you informed the provider had received the records in question, and
to people that the provider knows have the information and who could rely on
the information to your detriment. 45
C.F.R. § 164.526(c)(3). Providers receiving the amendment must also
amend the records in that provider’s possession. 45 C.F.R. §
164.526(e).
The provider can deny your request for amendment if the
provider believes that the record is accurate and complete. 45 C.F.R. § 164.526(a)(2)(iv). The provider can also deny your request for
amendment if the provider did not create the record in question (unless the
creator of the record is no longer available to act on a request for
amendment); or the provider does not have the record in question; or you do not
have a right of access to the record. 45 C.F.R. § 164.526(a)(2).
If the provider denies your request for amendment of the
records, the provider must give you the denial in writing. 45 C.F.R. § 164.526(d)(1). The written denial must contain the
following:
a. The basis
for the denial (e.g. the provider believes that the records are accurate and
complete).
b. Notification
of your right to submit a statement disagreeing with the denial, and how to
submit the statement.
c. Notification
that if you do not submit a statement disagreeing with the denial, you can
request the provider to submit your request for amendment, and the provider’s
denial, together with any future disclosures of the records.
d. A
description of how you can file a complaint with the provider or with the
Department of Health and Human Services Office for Civil Rights (OCR).
45 C.F.R. § 164.526()(1).
The provider may “reasonably limit the length” of a statement of disagreement, but must allow you to include up to 250 words. 45 C.F.R. § 164.526(d)(2), H&SC 123111(a). (HIPAA privacy regulations specify no minimum length, but H&SC 123111(a) allows you up to 250 words.) The provider may prepare a written rebuttal to your statement of disagreement, but the provider must give you a copy. 45 C.F.R. § 164.526(d)(3). If the provider discloses your medical records, the provider must include your statement of disagreement in the disclosure. H&SC § 123111(b). (Compare HIPAA privacy regulations, which give the provider the option of disclosing a summary of the request for amendment documents. 45 C.F.R. § 164.526(d)(5)).
In addition, notwithstanding HIPAA requirements,
You can file a complaint with the medical services
provider. A provider must have a
complaint process under HIPAA. 45 C.F.R. 164.530(d).
Complaints for violations of federal HIPAA privacy
regulations, which occurred after the effective date of the regulations on
A provider may not retaliate against you for exercising
your rights under HIPAA. 45 C.F.R. 164.530(g).
A health care provider who willfully violates the
California Health and Safety Code requirements may be subject to penalties,
including but not limited to a $100 fine and licensure suspension or
revocation. H&SC §§123110(i)
and (j). In addition, a patient,
or a patient’s representative may sue for access to the records. H&SC § 123120. The prevailing party is entitled to costs and
reasonable attorneys’ fees.
You may also sue for actual damages if a licensed provider
who went out of business abandoned your records. H&SC § 123145(b). (Providers who go out of business must keep
records for a minimum of 7 years and at least until an individual turns age
19. H&SC §
123145(a)). Violations of the