You contacted Disability Rights California for
information about your right to review, copy, or amend your patient
records. You have a right to do all of
California Health and Safety Code
(H&SC) §123110(a). You also have a right to have someone go with you when
you review your records. H&SC § 123110(a). Your personal representative (parent, guardian,
conservator, or health care agent) has the same right that you do to review,
copy or amend your records (except as explained in this memo). This memo also discusses certain
limitations on your rights.
Please call Disability Rights California if you have a question which is not
answered in this memorandum or if you need additional information.
What laws allow me to review, get copies of,
or amend my health records?
Both federal law and California law allow patients to review,
receive copies of, or ask for amendments of, their health records. The federal standards are contained in The
Health Insurance Portability and Accountability Act (HIPAA) privacy
regulations. The state standards are
contained in The California Patient Access to Health Records Act, California
Health and Safety Code sections 123100, and following. Both the federal and California laws are designed to protect
your rights, but there are slight differences in the standards. The federal standards apply unless the
state standards give you more rights.
45 C.F.R. §§ 160.203(b), 160.202 (definition of “more stringent,”
subparagraph (2)). This means that
sometimes the federal standards apply, and sometimes the state standards
apply. This memo explains when the
federal standards apply and when the state standards apply.
For the most part, the California law provides greater rights of
access to, or amendment of, medical records than the federal
regulations. Therefore, the California law
generally covers access to, and amendment of, patient records. However, there are four situations where
the federal HIPAA regulations provide greater rights of access or amendment
law. The federal regulations provide
greater rights in the following four situations:
a. Access to
mental health records (except psychotherapy notes).
b. Summaries of
medical records by health care providers in lieu of allowing access to the
c. Amendment of
d. Access to
x-rays or EKG, EEG, or EMG tracings.
The rest of this memo explains what the standards are for
you to review, copy, or amend your medical records. The memo also explains whether the
standards that apply are found in the federal HIPAA privacy regulations or in
the California Health and Safety Code.
How can I obtain access to my records?
You or your authorized representative must make a
written request to inspect and/or to receive copies of your records. H&SC
§123110(a), (b). A request for copies must specify the records to be copied.
Are there time limits for compliance with a
request to review and/or receive copies of health records?
Yes. The health care provider must allow access to the
records during regular business hours within five (5) working days after
receiving the written request. H&SC §123110(a). If you or your authorized
representative makes a request for copies of all or part of a file, the
health care provider must transmit the copies within fifteen (15) days after
receiving the written request.
Is there any limitation on a patient's right
to access his or her mental health records?
Yes. Both HIPAA
law place some restrictions on access to mental health records. The particular limitations depend on
whether or not the records are psychotherapy notes. Psychotherapy notes are
notes by a mental health professional from a private counseling session or a
group, joint, or family counseling session and that are separated from the
rest of your medical record. 45 C.F.R.
What are the restrictions on access to mental
health records (other than psychotherapy notes)?
HIPAA privacy regulations allow a provider to deny
access to mental health records (except psychotherapy notes) only under the
a. A licensed
health care professional has determined, in the exercise of professional
judgment, that the access is reasonably likely to endanger the life or
physical safety of you or another person,
b. The record
refers to another person (unless that person is a health care provider) and a
licensed health care provider has determined, in the exercise of professional
judgment, that the access requested is reasonably likely to cause substantial
harm to that other person,
c. The request
for access is made by your personal representative (e.g. parent, guardian,
conservator or health care agent) and a licensed health care professional has
determined, in the exercise of professional judgment, that providing access
to your personal representative is reasonably likely to cause substantial
harm to you or to another person.
Under the HIPAA regulations, a patient can be denied
access only if access is likely to endanger someone’s life or physical
safety. This is a hard standard for a
provider to meet. On the other hand,
access can be denied to a patient’s representative (e.g. parent, guardian,
conservator, health care agent) if access is likely to cause someone
substantial harm. This means that it
is harder for a patient’s representative to access patient records than it is
for a patient to access their own records.
restrictions apply only to access by the patient, or a representative of a
patient who does not obtain an authorization for release of information. There are no such restrictions on release
of information to someone other than a patient if the patient has executed a
valid written authorization.
What rights does a patient have if a provider
refuses to allow access to mental health records (other than psychotherapy
Under HIPAA privacy regulations, if the provider refuses
to allow access to the records, the provider must provide a written
denial. The written denial must
contain the following information:
a. the basis for
b. the right to
review by a licensed health care professional designated by the provider
(including a description of how to exercise the right to review);
c. the right to
file a complaint with the provider, and the right to file a complaint with
the Department of Health and Human Services Office for Civil Rights.
Note: These same
federal requirements for denial of access and notice apply to denial of
access to x-rays and EKG, EEG and EMG tracings by HIPAA-covered
providers. This is because HIPAA
privacy regulations provide greater access to these records than California law does.
What are the California law restrictions on a patient's
right to access his or her psychotherapy notes?
law applies to access to patient records if the provider is not covered by
HIPAA. In addition, California law applies in all cases to
disclosure of psychotherapy notes.
This is because federal regulations do not require access to
psychotherapy notes at all. Therefore,
law provides greater rights of access than federal regulations. (“Psychotherapy notes” is narrowly defined
to mean notes recorded by a mental health professional during a private,
group, joint or family counseling session and that are separated from the
rest of your medical record.)
Under California law, the health care provider may
decline to permit inspection or provide copies of psychotherapy notes to a patient if the health
care provider determines there is a "substantial risk of significant
adverse or detrimental consequences to the patient in seeing or
receiving" such psychotherapy notes. H&SC §123115(b). However, such
a refusal is subject to the following four conditions:
a. the health
care provider must enter into the records a written explanation for refusing
to permit inspection or provide copies of the records, including a
description of the specific adverse or detrimental consequences to the
patient that the provider anticipates would occur if inspection or copying
b. the health
care provider must permit inspection by, or provide copies of, the mental
health records to a licensed physician and surgeon, licensed psychologist or
licensed clinical social worker designated by the patient;
c. the health
care provider must inform the patient both of the provider's refusal to
permit access to the requested records and of the patient's right to inspect
and obtain the records; and
d. the health
care provider must record whether the patient requested that another health
professional inspect or obtain the requested records.
Is there any limitation on access to
information in my records provided by someone other than a health care provider?
law provides that a provider does not have to allow access to information
given “in confidence” to the provider by someone other than another health
care provider or the patient. Federal
HIPAA privacy regulations provide that this information can only be withheld
if disclosure would be “reasonably likely to reveal the source of the
Are there any limitations on a parent's right
to access his or her minor child's health records?
Yes. A parent is not entitled to inspect or obtain
copies of a minor's patient records if the minor patient is authorized by law
to consent to medical treatment. H&SC §123115(a)(1). See, Cal.
Family Code §§6920-6929. Also, a
parent is not entitled access to a minor's patient records if the provider
determines that access to the records requested by the parent would have a
detrimental effect on the provider's professional relationship with the minor
patient or the minor's physical safety or psychological well being. H&SC
§123115(a)(2). This restriction of
access is specifically allowed under the federal HIPAA privacy
regulations. 45 C.F.R. §
Does a health care provider have discretion to
provide a summary of, rather than direct access to, a patient's medical
Federal HIPAA privacy regulations allow a provider to
prepare a summary instead of allowing you access to records, but only if you
agree in advance to both a summary and any fees for preparing the
summary. 45 C.F.R. §
164.524(c)(2)(ii). (California Health
and Safety Code section 123130(a) no longer applies to providers covered by
HIPAA privacy regulations to the extent that it gives providers the option of
deciding whether to prepare a summary instead of allowing access to records. HIPAA privacy regulations give that option
to the patient.)
If the provider prepares a summary instead of allowing
access to the records, the patient's entire record must be summarized unless
the patient limits his or her request to certain injuries, illnesses, or
episodes. H&SC §123130(a). A
health care provider may confer with the patient to clarify what information
is sought. If, as a consequence, the patient requests information about only
certain injuries, illnesses, or episodes, the provider is required to
summarize only the injuries, illnesses, or episodes designated by the
The summary must contain for each injury, illness, or
episode any information included in the record relative to the following:
complaint(s), including pertinent history;
from consultations and referrals to other health care providers;
plan and regimen including medications prescribed;
including significant continuing problems or conditions;
reports of diagnostic procedures and tests and all discharge summaries; and
findings from the most recent physical examination, such as blood pressure,
weight, and actual values from routine laboratory tests.
Can a provider withhold records because of
No. A health care provider cannot withhold a patient's
records because of unpaid bills for services. Any health care provider who
willfully withholds records because of unpaid bills is subject to sanctions.
Can a provider require a fee for copying or
summarizing records before releasing the records or summary?
Yes. Before giving copies of records to the requester, a
provider may require the requester to pay: copying costs, not to exceed
twenty-five cent ($.25) per page or fifty cents ($.50) per page for records
that are copied from microfilm, and any additional reasonable clerical costs
incurred in making the records available. H&SC §123110(b).
Additionally, the health care provider may charge a
"reasonable fee" based on actual time and cost for preparation of a
summary pursuant to a patient's request for access to his or her records.
However, a provider cannot charge for copies of records
needed to support an appeal for Social Security Disability Insurance (SSDI),
Supplemental Security Income (SSI) or Medi-Cal benefits, if a request for the
records and proof of the appeal is given to the provider in writing. H&SC
§123110(d)(1). Records must be
provided within 30 days of the written request. H&SC §123110(f). Only one copy of relevant portions of the
records must be provided free of charge.
H&SC §123110 (d)(2).
“Relevant” records are records beginning on the date of the initial
application for benefits and ending when a final decision has been made on
any appeal. H&SC
§123110(d)(1). A provider does not
have to provide records free of charge if the patient is represented by a
private attorney (attorney other than a nonprofit legal services
entity). H&SC §123110(d)(3). If the appeal is successful, the provider
may bill the patient for the records at the rates specified above. H&SC
How do I amend my health records?
For providers covered by HIPAA, amendment of health
records is governed almost entirely by HIPAA privacy regulations. According to those regulations, you must
ask the provider to amend your records.
45 C.F.R. § 164.526(b)(1). The
provider can require that your request be in writing and that it include the
reason for the requested amendment, but the provider must notify you of these
requirements before you make the request.
45 C.F.R. § 164.526(b)(1).
There is no time limit on requesting an amendment. 45 C.F.R. § 164.526(a)(1). You can ask for an amendment for as long as
your records exist. 45 C.F.R. § 164.526(a)(1).
The provider must act on your request within 60
days. 45 C.F.R. §
164.526(b)(2)(i). The provider can
have a 30 day extension if the provider gives you a written statement of the
reasons for the delay and the date by which action will be completed. 45 C.F.R. § 164.526(b)(2)(ii). (California
law has no time limit, but this no longer applies.)
If the provider agrees to amend your records, the
provider must, at a minimum, identify the record to be amended and either
append the amendment to that record or provide a link to the amendment. 45 C.F.R. § 164.526(c)(1). The provider must also notify you that the
amendment has been made, and obtain your consent to inform others who have
received the records in question. 45
C.F.R. § 164.526(c)(2). The provider
must provide the amendment to people that you informed the provider had
received the records in question, and to people that the provider knows have
the information and who could rely on the information to your detriment. 45 C.F.R. § 164.526(c)(3). Providers receiving the amendment must also
amend the records in that provider’s possession. 45 C.F.R. § 164.526(e).
The provider can deny your request for amendment if the
provider believes that the record is accurate and complete. 45 C.F.R. § 164.526(a)(2)(iv). The provider can also deny your request for
amendment if the provider did not create the record in question (unless the
creator of the record is no longer available to act on a request for
amendment); or the provider does not have the record in question; or you do
not have a right of access to the record. 45 C.F.R. § 164.526(a)(2).
If the provider denies your request for amendment of the
records, the provider must give you the denial in writing. 45 C.F.R. § 164.526(d)(1). The written denial must contain the
a. The basis for
the denial (e.g. the provider believes that the records are accurate and
of your right to submit a statement disagreeing with the denial, and how to
submit the statement.
that if you do not submit a statement disagreeing with the denial, you can
request the provider to submit your request for amendment, and the provider’s
denial, together with any future disclosures of the records.
d. A description
of how you can file a complaint with the provider or with the Department of
Health and Human Services Office for Civil Rights (OCR).
45 C.F.R. § 164.526(d)(1).
The provider may “reasonably limit the length” of a
statement of disagreement, but must allow you to include up to 250
words. 45 C.F.R. § 164.526(d)(2),
H&SC 123111(a). (HIPAA privacy
regulations specify no minimum length, but H&SC 123111(a) allows you up
to 250 words.) The provider may
prepare a written rebuttal to your statement of disagreement, but the
provider must give you a copy. 45
C.F.R. § 164.526(d)(3). If the
provider discloses your medical records, the provider must include your
statement of disagreement in the disclosure.
H&SC § 123111(b). (Compare
HIPAA privacy regulations, which give the provider the option of disclosing a
summary of the request for amendment documents. 45 C.F.R. § 164.526(d)(5)).
In addition, notwithstanding HIPAA requirements, California law allows
you to provide to your health care provider a written addendum with respect
to any item or statement in your records that you believe to be incomplete or
incorrect. The addendum shall be
limited to 250 words per alleged incomplete or incorrect item in your
patient's record and must clearly indicate in writing that you want the addendum
to be made a part of your record. H&SC
What can a patient or patient's representative
do if he or she is denied access to the patient's records?
You can file a complaint with the medical services
provider. A provider must have a
complaint process under HIPAA. 45
Complaints for violations of federal HIPAA privacy
regulations, which occurred after the effective date of the regulations on April 14, 2003, can be
filed with the federal Department of Health and Human Services Office for
Civil Rights (OCR). 45 C.F.R. § 160.306(a). The address is Office for Civil Rights,
Department of Health and Human Services, 90 7th Street, Suite 4-100, San Francisco, California 94103,
Voice Phone (415) 437-8310. FAX (415) 437-8329. TDD (415) 437-8311. OCR
can provide you with a form for filing a complaint. The complaint form can also be found on the
internet at http://www.hhs.gov/ocr/privacyhowtofile.htm;
also help with, or questions regarding complaint form can be found by calling
(800) 368-1019. Complaints must be
filed in writing within 180 days of the date you knew or should have known of
the violation. 45 C.F.R. §§
160.306(a), 160.306(b)(3). The
complaint must name the provider that is the subject of the complaint and
describe the acts or omissions that violate the regulations. 45 C.F.R. § 160.306(b)(2). OCR
can impose civil and criminal fines, but cannot award money damages to an
individual. 45 C.F.R. §§ 160.506,
508. Additional HIPAA information can
be found at http://www.hhs.gov/ocr/hipaa/.
A provider may not retaliate against you for exercising
your rights under HIPAA. 45 C.F.R.
A health care provider who willfully violates the
California Health and Safety Code requirements may be subject to penalties,
including but not limited to a $100 fine and licensure suspension or
revocation. H&SC §§123110(i) and (j).
In addition, a patient, or a patient’s representative may sue for access
to the records. H&SC §
123120. The prevailing party is
entitled to costs and reasonable attorneys’ fees.
You may also sue for actual damages if a licensed
provider who went out of business abandoned your records. H&SC § 123145(b). (Providers who go out of business must keep
records for a minimum of 7 years and at least until an individual turns age
19. H&SC § 123145(a)). Violations of the California statute and the federal HIPAA
privacy regulations might also give rise to a negligence action against a
provider for money damages because the statute and regulations establish a
duty of care on the part of medical service providers.