California’s protection & advocacy system
Toll Free 800.776.5746 / TTY 800.719.5798
December 2007, Pub #5112.01
Note: When this memorandum was originally published, we were known as Protection & Advocacy, Inc. (PAI). In October 2008, we changed our name from PAI to Disability Rights California.
You contacted Protection and Advocacy, Inc. (PAI) for information about your right to review, copy, or amend your patient records. You have a right to do all of those things. California Health and Safety Code (H&SC) §123110(a). You also have a right to have someone go with you when you review your records. H&SC § 123110(a). Your personal representative (parent, guardian, conservator, or health care agent) has the same right that you do to review, copy or amend your records (except as explained in this memo). This memo also discusses certain limitations on your rights.
Please call PAI if you have a question which is not answered in this memorandum or if you need additional information.
Both federal law and California law allow patients to review, receive copies of, or ask for amendments of, their health records. The federal standards are contained in The Health Insurance Portability and Accountability Act (HIPAA) privacy regulations. The state standards are contained in The California Patient Access to Health Records Act, California Health and Safety Code sections 123100, and following. Both the federal and California laws are designed to protect your rights, but there are slight differences in the standards. The federal standards apply unless the state standards give you more rights. 45 C.F.R. §§ 160.203(b), 160.202 (definition of “more stringent,” subparagraph (2)). This means that sometimes the federal standards apply, and sometimes the state standards apply. This memo explains when the federal standards apply and when the state standards apply.
For the most part, the California law provides greater rights of access to, or amendment of, medical records than the federal regulations. Therefore, the California law generally covers access to, and amendment of, patient records. However, there are four situations where the federal HIPAA regulations provide greater rights of access or amendment than California law. The federal regulations provide greater rights in the following four situations:
The rest of this memo explains what the standards are for you to review, copy, or amend your medical records. The memo also explains whether the standards that apply are found in the federal HIPAA privacy regulations or in the California Health and Safety Code.
You or your authorized representative must make a written request to inspect and/or to receive copies of your records. H&SC §123110(a), (b). A request for copies must specify the records to be copied. H&SC §123110(b).
Yes. The health care provider must allow access to the records during regular business hours within five (5) working days after receiving the written request. H&SC §123110(a). If you or your authorized representative makes a request for copies of all or part of a file, the health care provider must transmit the copies within fifteen (15) days after receiving the written request. H&SC §123110(b).
Yes. Both HIPAA and California law place some restrictions on access to mental health records. The particular limitations depend on whether or not the records are psychotherapy notes. Psychotherapy notes are notes by a mental health professional from a private counseling session or a group, joint, or family counseling session and that are separated from the rest of your medical record. 45 C.F.R. § 164.501.
HIPAA privacy regulations allow a provider to deny access to mental health records (except psychotherapy notes) only under the following conditions:
Under the HIPAA regulations, a patient can be denied access only if access is likely to endanger someone’s life or physical safety. This is a hard standard for a provider to meet. On the other hand, access can be denied to a patient’s representative (e.g. parent, guardian, conservator, health care agent) if access is likely to cause someone substantial harm. This means that it is harder for a patient’s representative to access patient records than it is for a patient to access their own records.
NOTE: These restrictions apply only to access by the patient, or a representative of a patient who does not obtain an authorization for release of information. There are no such restrictions on release of information to someone other than a patient if the patient has executed a valid written authorization.
Under HIPAA privacy regulations, if the provider refuses to allow access to the records, the provider must provide a written denial. The written denial must contain the following information:
Note: These same federal requirements for denial of access and notice apply to denial of access to x-rays and EKG, EEG and EMG tracings by HIPAA-covered providers. This is because HIPAA privacy regulations provide greater access to these records than California law does.
California law applies to access to patient records if the provider is not covered by HIPAA. In addition, California law applies in all cases to disclosure of psychotherapy notes. This is because federal regulations do not require access to psychotherapy notes at all. Therefore, California law provides greater rights of access than federal regulations. (“Psychotherapy notes” is narrowly defined to mean notes recorded by a mental health professional during a private, group, joint or family counseling session and that are separated from the rest of your medical record.)
Under California law, the health care provider may decline to permit inspection or provide copies of psychotherapy notes to a patient if the health care provider determines there is a "substantial risk of significant adverse or detrimental consequences to the patient in seeing or receiving" such psychotherapy notes. H&SC §123115(b). However, such a refusal is subject to the following four conditions:
California law provides that a provider does not have to allow access to information given “in confidence” to the provider by someone other than another health care provider or the patient. Federal HIPAA privacy regulations provide that this information can only be withheld if disclosure would be “reasonably likely to reveal the source of the information.” 164.524(a)(2)(v).
Yes. A parent is not entitled to inspect or obtain copies of a minor's patient records if the minor patient is authorized by law to consent to medical treatment. H&SC §123115(a)(1). See, Cal. Family Code §§6920-6929. Also, a parent is not entitled access to a minor's patient records if the provider determines that access to the records requested by the parent would have a detrimental effect on the provider's professional relationship with the minor patient or the minor's physical safety or psychological well being. H&SC §123115(a)(2). This restriction of access is specifically allowed under the federal HIPAA privacy regulations. 45 C.F.R. § 164.502(g)(3)(ii)(B).
Federal HIPAA privacy regulations allow a provider to prepare a summary instead of allowing you access to records, but only if you agree in advance to both a summary and any fees for preparing the summary. 45 C.F.R. § 164.524(c)(2)(ii). (California Health and Safety Code section 123130(a) no longer applies to providers covered by HIPAA privacy regulations to the extent that it gives providers the option of deciding whether to prepare a summary instead of allowing access to records. HIPAA privacy regulations give that option to the patient.)
If the provider prepares a summary instead of allowing access to the records, the patient's entire record must be summarized unless the patient limits his or her request to certain injuries, illnesses, or episodes. H&SC §123130(a). A health care provider may confer with the patient to clarify what information is sought. If, as a consequence, the patient requests information about only certain injuries, illnesses, or episodes, the provider is required to summarize only the injuries, illnesses, or episodes designated by the patient.
The summary must contain for each injury, illness, or episode any information included in the record relative to the following:
No. A health care provider cannot withhold a patient's records because of unpaid bills for services. Any health care provider who willfully withholds records because of unpaid bills is subject to sanctions. H&SC §123110(j).
Yes. Before giving copies of records to the requester, a provider may require the requester to pay: copying costs, not to exceed twenty-five cent ($.25) per page or fifty cents ($.50) per page for records that are copied from microfilm, and any additional reasonable clerical costs incurred in making the records available. H&SC §123110(b).
Additionally, the health care provider may charge a "reasonable fee" based on actual time and cost for preparation of a summary pursuant to a patient's request for access to his or her records. H&SC §123130(f).
However, a provider cannot charge for copies of records needed to support an appeal for Social Security Disability Insurance (SSDI), Supplemental Security Income (SSI) or Medi-Cal benefits, if a request for the records and proof of the appeal is given to the provider in writing. H&SC §123110(d)(1). Records must be provided within 30 days of the written request. H&SC §123110(f). Only one copy of relevant portions of the records must be provided free of charge. H&SC §123110 (d)(2). “Relevant” records are records beginning on the date of the initial application for benefits and ending when a final decision has been made on any appeal. H&SC §123110(d)(1). A provider does not have to provide records free of charge if the patient is represented by a private attorney (attorney other than a nonprofit legal services entity). H&SC §123110(d)(3). If the appeal is successful, the provider may bill the patient for the records at the rates specified above. H&SC §123110(e).
For providers covered by HIPAA, amendment of health records is governed almost entirely by HIPAA privacy regulations. According to those regulations, you must ask the provider to amend your records. 45 C.F.R. § 164.526(b)(1). The provider can require that your request be in writing and that it include the reason for the requested amendment, but the provider must notify you of these requirements before you make the request. 45 C.F.R. § 164.526(b)(1). There is no time limit on requesting an amendment. 45 C.F.R. § 164.526(a)(1). You can ask for an amendment for as long as your records exist. 45 C.F.R. § 164.526(a)(1).
The provider must act on your request within 60 days. 45 C.F.R. § 164.526(b)(2)(i). The provider can have a 30 day extension if the provider gives you a written statement of the reasons for the delay and the date by which action will be completed. 45 C.F.R. § 164.526(b)(2)(ii). (California law has no time limit, but this no longer applies.)
If the provider agrees to amend your records, the provider must, at a minimum, identify the record to be amended and either append the amendment to that record or provide a link to the amendment. 45 C.F.R. § 164.526(c)(1). The provider must also notify you that the amendment has been made, and obtain your consent to inform others who have received the records in question. 45 C.F.R. § 164.526(c)(2). The provider must provide the amendment to people that you informed the provider had received the records in question, and to people that the provider knows have the information and who could rely on the information to your detriment. 45 C.F.R. § 164.526(c)(3). Providers receiving the amendment must also amend the records in that provider’s possession. 45 C.F.R. § 164.526(e).
The provider can deny your request for amendment if the provider believes that the record is accurate and complete. 45 C.F.R. § 164.526(a)(2)(iv). The provider can also deny your request for amendment if the provider did not create the record in question (unless the creator of the record is no longer available to act on a request for amendment); or the provider does not have the record in question; or you do not have a right of access to the record. 45 C.F.R. § 164.526(a)(2).
If the provider denies your request for amendment of the records, the provider must give you the denial in writing. 45 C.F.R. § 164.526(d)(1). The written denial must contain the following:
45 C.F.R. § 164.526(d)(1).
The provider may “reasonably limit the length” of a statement of disagreement, but must allow you to include up to 250 words. 45 C.F.R. § 164.526(d)(2), H&SC 123111(a). (HIPAA privacy regulations specify no minimum length, but H&SC 123111(a) allows you up to 250 words.) The provider may prepare a written rebuttal to your statement of disagreement, but the provider must give you a copy. 45 C.F.R. § 164.526(d)(3). If the provider discloses your medical records, the provider must include your statement of disagreement in the disclosure. H&SC § 123111(b). (Compare HIPAA privacy regulations, which give the provider the option of disclosing a summary of the request for amendment documents. 45 C.F.R. § 164.526(d)(5)).
In addition, notwithstanding HIPAA requirements, California law allows you to provide to your health care provider a written addendum with respect to any item or statement in your records that you believe to be incomplete or incorrect. The addendum shall be limited to 250 words per alleged incomplete or incorrect item in your patient's record and must clearly indicate in writing that you want the addendum to be made a part of your record. H&SC § 123111(b).
You can file a complaint with the medical services provider. A provider must have a complaint process under HIPAA. 45 C.F.R. 164.530(d).
Complaints for violations of federal HIPAA privacy regulations, which occurred after the effective date of the regulations on April 14, 2003, can be filed with the federal Department of Health and Human Services Office for Civil Rights (OCR). 45 C.F.R. § 160.306(a). The address is Office for Civil Rights, Department of Health and Human Services, 90 7th Street, Suite 4-100, San Francisco, California 94103, Voice Phone (415) 437-8310. FAX (415) 437-8329. TDD (415) 437-8311.
OCR can provide you with a form for filing a complaint. The complaint form can also be found on the internet at http://www.hhs.gov/ocr/privacyhowtofile.htm; also help with, or questions regarding complaint form can be found by calling (800) 368-1019. Complaints must be filed in writing within 180 days of the date you knew or should have known of the violation. 45 C.F.R. §§ 160.306(a), 160.306(b)(3). The complaint must name the provider that is the subject of the complaint and describe the acts or omissions that violate the regulations. 45 C.F.R. § 160.306(b)(2). OCR can impose civil and criminal fines, but cannot award money damages to an individual. 45 C.F.R. §§ 160.506, 508. Additional HIPAA information can be found at http://www.hhs.gov/ocr/hipaa/.
A provider may not retaliate against you for exercising your rights under HIPAA. 45 C.F.R. 164.530(g).
A health care provider who willfully violates the California Health and Safety Code requirements may be subject to penalties, including but not limited to a $100 fine and licensure suspension or revocation. H&SC §§123110(i) and (j). In addition, a patient, or a patient’s representative may sue for access to the records. H&SC § 123120. The prevailing party is entitled to costs and reasonable attorneys’ fees.
You may also sue for actual damages if a licensed provider who went out of business abandoned your records. H&SC § 123145(b). (Providers who go out of business must keep records for a minimum of 7 years and at least until an individual turns age 19. H&SC § 123145(a)). Violations of the California statute and the federal HIPAA privacy regulations might also give rise to a negligence action against a provider for money damages because the statute and regulations establish a duty of care on the part of medical service providers.
Disability Rights California is funded by a variety of sources, for a complete list of funders, go to http://www.disabilityrightsca.org/