You have the right to review, copy, or amend your patient records. California Health and Safety Code (H&SC) §123110(a). You also have a right to have someone go with you when you review your records. H&SC § 123110(a). Your personal representative (parent, guardian, conservator, or health care agent) has the same right that you do to review, copy or amend your records (except as explained in this memo). This memo also discusses certain limitations on your rights.

What laws allow me to review, get copies of, or amend my health records?

Both federal law and California law allow patients to review, receive copies of, or ask for amendments of, their health records. The federal standards are contained in The Health Insurance Portability and Accountability Act (HIPAA) privacy regulations. The state standards are contained in The California Patient Access to Health Records Act, California Health and Safety Code sections 123100, and following. Both the federal and California laws are designed to protect your rights, but there are slight differences in the standards. The federal standards apply unless the state standards give you more rights. 45 C.F.R. §§ 160.203(b), 160.202 (definition of “more stringent,” subparagraph (2)). This means that sometimes the federal standards apply, and sometimes the state standards apply. This memo explains when the federal standards apply and when the state standards apply.

For the most part, the California law provides greater rights of access to, or amendment of, medical records than the federal regulations. Therefore, the California law generally covers access to, and amendment of, patient records. However, there are four situations where the federal HIPAA regulations provide greater rights of access or amendment than California law. The federal regulations provide greater rights in the following four situations:

1. Access to mental health records (except psychotherapy notes).
2. Summaries of medical records by health care providers in lieu of allowing access to the records.
3. Amendment of medical records.
4. Access to x-rays or EKG, EEG, or EMG tracings.

The rest of this memo explains what the standards are for you to review, copy, or amend your medical records. The memo also explains whether the standards that apply are found in the federal HIPAA privacy regulations or in the California Health and Safety Code.

How can I obtain access to my records?

You or your authorized representative must make a written request to inspect and/or to receive copies of your records. H&SC §123110(a), (b). A request for copies must specify the records to be copied. H&SC §123110(b).

Are there time limits for compliance with a request to review and/or receive copies of health records?

Yes. The health care provider must allow access to the records during regular business hours within five (5) working days after receiving the written request. H&SC §123110(a). If you or your authorized representative makes a request for copies of all or part of a file, the health care provider must transmit the copies within fifteen (15) days after receiving the written request. H&SC §123110(b).

Is there any limitation on a patient's right to access his or her mental health records?

Yes. Both HIPAA and California law place some restrictions on access to mental health records. The particular limitations depend on whether or not the records are psychotherapy notes. Psychotherapy notes are notes by a mental health professional from a private counseling session or a group, joint, or family counseling session and that are separated from the rest of your medical record. 45 C.F.R. § 164.501.

What are the restrictions on access to mental health records (other than psychotherapy notes)?

HIPAA privacy regulations allow a provider to deny access to mental health records (except psychotherapy notes) only under the following conditions:

A licensed health care professional has determined, in the exercise of professional judgment, that the access is reasonably likely to endanger the life or physical safety of you or another person,

The record refers to another person (unless that person is a health care provider) and a licensed health care provider has determined, in the exercise of professional judgment, that the access requested is reasonably likely to cause substantial harm to that other person,

The request for access is made by your personal representative (e.g. parent, guardian, conservator or health care agent) and a licensed health care professional has determined, in the exercise of professional judgment, that providing access to your personal representative is reasonably likely to cause substantial harm to you or to another person.

Under the HIPAA regulations, a patient can be denied access only if access is likely to endanger someone’s life or physical safety. This is a hard standard for a provider to meet. On the other hand, access can be denied to a patient’s representative (e.g. parent, guardian, conservator, health care agent) if access is likely to cause someone substantial harm. 

This means that it is harder for a patient’s representative to access patient records than it is for a patient to access their own records.

NOTE: These restrictions apply only to access by the patient, or a representative of a patient who does not obtain an authorization for release of information. There are no such restrictions on release of information to someone other than a patient if the patient has executed a valid written authorization.

What rights does a patient have if a provider refuses to allow access to mental health records (other than psychotherapy notes)?

Under HIPAA privacy regulations, if the provider refuses to allow access to the records, the provider must provide a written denial. The written denial must contain the following information:

1. the basis for the denial;
2. the right to review by a licensed health care professional designated by the provider (including a description of how to exercise the right to review);
3. the right to file a complaint with the provider, and the right to file a complaint with the Department of Health and Human Services Office for Civil Rights.

Note: These same federal requirements for denial of access and notice apply to denial of access to x-rays and EKG, EEG and EMG tracings by HIPAA-covered providers. This is because HIPAA privacy regulations provide greater access to these records than California law does.

What are the California law restrictions on a patient's right to access his or her psychotherapy notes?

California law applies to access to patient records if the provider is not covered by HIPAA. In addition, California law applies in all cases to disclosure of psychotherapy notes. This is because federal regulations do not require access to psychotherapy notes at all. Therefore, California law provides greater rights of access than federal regulations. (“Psychotherapy notes” is narrowly defined to mean notes recorded by a mental health professional during a private, group, joint or family counseling session and that are separated from the rest of your medical record.)

Under California law, the health care provider may decline to permit inspection or provide copies of psychotherapy notes to a patient if the health care provider determines there is a "substantial risk of significant adverse or detrimental consequences to the patient in seeing or receiving" such psychotherapy notes. H&SC §123115(b). However, such a refusal is subject to the following four conditions:

1. the health care provider must enter into the records a written explanation for refusing to permit inspection or provide copies of the records, including a description of the specific adverse or detrimental consequences to the patient that the provider anticipates would occur if inspection or copying were permitted;
2. the health care provider must permit inspection by, or provide copies of, the mental health records to a licensed physician and surgeon, licensed psychologist or licensed clinical social worker designated by the patient;
3. the health care provider must inform the patient both of the provider's refusal to permit access to the requested records and of the patient's right to inspect and obtain the records; and
4. the health care provider must record whether the patient requested that another health professional inspect or obtain the requested records.

H&SC §123115(b)(1)-(4).

Is there any limitation on access to information in my records provided by someone other than a health care provider?

California law provides that a provider does not have to allow access to information given “in confidence” to the provider by someone other than another health care provider or the patient. Federal HIPAA privacy regulations provide that this information can only be withheld if disclosure would be “reasonably likely to reveal the source of the information.” 164.524(a)(2)(v).

Are there any limitations on a parent's right to access his or her minor child's health records?

Yes. A parent is not entitled to inspect or obtain copies of a minor's patient records if the minor patient is authorized by law to consent to medical treatment. H&SC §123115(a)(1). See, Cal. Family Code §§6920-6929. Also, a parent is not entitled access to a minor's patient records if the provider determines that access to the records requested by the parent would have a detrimental effect on the provider's professional relationship with the minor patient or the minor's physical safety or psychological well being. H&SC §123115(a)(2). This restriction of access is specifically allowed under the federal HIPAA privacy regulations. 45 C.F.R. § 164.502(g)(3)(ii)(B).

Does a health care provider have discretion to provide a summary of, rather than direct access to, a patient's medical records?

Federal HIPAA privacy regulations allow a provider to prepare a summary instead of allowing you access to records, but only if you agree in advance to both a summary and any fees for preparing the summary. 45 C.F.R. § 164.524(c)(2)(iii)

If the provider prepares a summary instead of allowing access to the records, the patient's entire record must be summarized unless the patient limits his or her request to certain injuries, illnesses, or episodes. H&SC §123130(a). A health care provider may confer with the patient to clarify what information is sought. If, as a consequence, the patient requests information about only certain injuries, illnesses, or episodes, the provider is required to summarize only the injuries, illnesses, or episodes designated by the patient. 

The summary must contain for each injury, illness, or episode any information included in the record relative to the following:

1. chief complaint(s), including pertinent history;
2. findings from consultations and referrals to other health care providers;
3. diagnosis, where determined;
4. treatment plan and regimen including medications prescribed;
5. progress of treatment;
6. prognosis, including significant continuing problems or conditions;
7. pertinent reports of diagnostic procedures and tests and all discharge summaries; and
8. objective findings from the most recent physical examination, such as blood pressure, weight, and actual values from routine laboratory tests.

H&SC §123130(b)(1)-(8)

Can a provider withhold records because of unpaid bills?

No. A health care provider cannot withhold a patient's records because of unpaid bills for services. Any health care provider who willfully withholds records because of unpaid bills is subject to sanctions. H&SC §123110(j).

Can a provider require a fee for copying or summarizing records before releasing the records or summary?

Yes. Before giving copies of records to the requester, a provider may require the requester to pay: copying costs, not to exceed twenty-five cent ($.25) per page or fifty cents ($.50) per page for records that are copied from microfilm, and any additional reasonable clerical costs incurred in making the records available. H&SC §123110(b).

Additionally, the health care provider may charge a "reasonable fee" based on actual time and cost for preparation of a summary pursuant to a patient's request for access to his or her records. H&SC §123130(f). 

However, a provider cannot charge for copies of records needed to support an appeal for Social Security Disability Insurance (SSDI), Supplemental Security Income (SSI) or Medi-Cal benefits, if a request for the records and proof of the appeal is given to the provider in writing. H&SC §123110(d)(1). Records must be provided within 30 days of the written request. H&SC §123110(f). Only one copy of relevant portions of the records must be provided free of charge. H&SC §123110 (d)(2). “Relevant” records are records beginning on the date of the initial application for benefits and ending when a final decision has been made on any appeal. H&SC §123110(d)(1). A provider does not have to provide records free of charge if the patient is represented by a private attorney (attorney other than a nonprofit legal services entity). H&SC §123110(d)(3). If the appeal is successful, the provider may bill the patient for the records at the rates specified above. H&SC §123110(e).

How do I amend my health records?

For providers covered by HIPAA, amendment of health records is governed almost entirely by HIPAA privacy regulations. According to those regulations, you must ask the provider to amend your records. 45 C.F.R. § 164.526(b)(1). The provider can require that your request be in writing and that it include the reason for the requested amendment, but the provider must notify you of these requirements before you make the request. 45 C.F.R. § 164.526(b)(1). There is no time limit on requesting an amendment. 45 C.F.R. § 164.526(a)(1). You can ask for an amendment for as long as your records exist. 45 C.F.R. § 164.526(a)(1).

The provider must act on your request within 60 days. 45 C.F.R. § 164.526(b)(2)(i). The provider can have a 30 day extension if the provider gives you a written statement of the reasons for the delay and the date by which action will be completed. 45 C.F.R. § 164.526(b)(2)(ii).

If the provider agrees to amend your records, the provider must, at a minimum, identify the record to be amended and either append the amendment to that record or provide a link to the amendment. 45 C.F.R. § 164.526(c)(1). The provider must also notify you that the amendment has been made, and obtain your consent to inform others who have received the records in question. 45 C.F.R. § 164.526(c)(2). The provider must provide the amendment to people that you informed the provider had received the records in question, and to people that the provider knows have the information and who could rely on the information to your detriment. 45 C.F.R. § 164.526(c)(3). Providers receiving the amendment must also amend the records in that provider’s possession. 45 C.F.R. § 164.526(e).

The provider can deny your request for amendment if the provider believes that the record is accurate and complete. 45 C.F.R. § 164.526(a)(2)(iv). The provider can also deny your request for amendment if the provider did not create the record in question (unless the creator of the record is no longer available to act on a request for amendment); or the provider does not have the record in question; or you do not have a right of access to the record. 45 C.F.R. § 164.526(a)(2).

If the provider denies your request for amendment of the records, the provider must give you the denial in writing. 45 C.F.R. § 164.526(d)(1). The written denial must contain the following:

1. The basis for the denial (e.g. the provider believes that the records are accurate and complete).
2. Notification of your right to submit a statement disagreeing with the denial, and how to submit the statement.
3. Notification that if you do not submit a statement disagreeing with the denial, you can request the provider to submit your request for amendment, and the provider’s denial, together with any future disclosures of the records.
4. A description of how you can file a complaint with the provider or with the Department of Health and Human Services Office for Civil Rights (OCR).

45 C.F.R. § 164.526(d)(1).

The provider may “reasonably limit the length” of a statement of disagreement, but must allow you to include up to 250 words. 45 C.F.R. § 164.526(d)(2), H&SC 123111(a). (HIPAA privacy regulations specify no minimum length, but H&SC 123111(a) allows you up to 250 words.) The provider may prepare a written rebuttal to your statement of disagreement, but the provider must give you a copy. 45 C.F.R. § 164.526(d)(3). If the provider discloses your medical records, the provider must include your statement of disagreement in the disclosure. H&SC § 123111(b). (Compare HIPAA privacy regulations, which give the provider the option of disclosing a summary of the request for amendment documents. 45 C.F.R. § 164.526(d)(5)).

In addition, notwithstanding HIPAA requirements, California law allows you to provide to your health care provider a written addendum with respect to any item or statement in your records that you believe to be incomplete or incorrect. The addendum shall be limited to 250 words per alleged incomplete or incorrect item in your patient's record and must clearly indicate in writing that you want the addendum to be made a part of your record. H&SC § 123111(b).

What can a patient or patient's representative do if he or she is denied access to the patient's records?

You can file a complaint with the medical services provider. A provider must have a complaint process under HIPAA. 45 C.F.R. 164.530(d).

Complaints for violations of federal HIPAA privacy regulations, which occurred after the effective date of the regulations on April 14, 2003, can be filed with the federal Department of Health and Human Services Office for Civil Rights (OCR). 45 C.F.R. § 160.306(a). The address is Office for Civil Rights, Department of Health and Human Services, 90 7th Street, Suite 4-100, San Francisco, California 94103, Voice Phone (415) 437-8310. FAX (415) 437-8329. TDD (415) 437-8311.

OCR can provide you with a form for filing a complaint. The complaint form can also be found on the internet at http://www.hhs.gov/ocr/privacyhowtofile.htm; also help with, or questions regarding complaint form can be found by calling (800) 368-1019. Complaints must be filed in writing within 180 days of the date you knew or should have known of the violation. 45 C.F.R. §§ 160.306(a), 160.306(b)(3). The complaint must name the provider that is the subject of the complaint and describe the acts or omissions that violate the regulations. 45 C.F.R. § 160.306(b)(2). Additional HIPAA information can be found at http://www.hhs.gov/ocr/hipaa/.

A provider may not retaliate against you for exercising your rights under HIPAA. 45 C.F.R. 164.530(g).

A health care provider who willfully violates the California Health and Safety Code requirements may be subject to penalties, including but not limited to a $100 fine and licensure suspension or revocation. H&SC §§123110(i) and (j). In addition, a patient, or a patient’s representative may sue for access to the records. H&SC § 123120. The prevailing party is entitled to costs and reasonable attorneys’ fees.

You may also sue for actual damages if a licensed provider who went out of business abandoned your records. H&SC § 123145(b). (Providers who go out of business must keep records for a minimum of 7 years and at least until an individual turns age 19. H&SC § 123145(a)). Violations of the California statute and the federal HIPAA privacy regulations might also give rise to a negligence action against a provider for money damages because the statute and regulations establish a duty of care on the part of medical service providers.