City and County of San Francisco
Department of Public Health
POPULATION HEALTH AND PREVENTION
COMMUNITY BEHAVIORAL HEALTH SERVICES
1380 Howard Street, 5th Floor
San Francisco, CA 94103
POLICY/PROCEDURE REGARDING: Minor Access to Medical Records
Issued By: Robert Cabaj, MD
Deputy Director Designee of Health for Mental Health
Date: December 18, 2002
Manual Number: 3.06-03
Reference: Legal Authority: California Health and Safety Code section 123100-123149.5, 42 CFR, Part 2, section 2.23, HIPAA (45 CFR 164.524, 164.526)
State and federal laws guarantee clients' access to their own medical records except in very limited situations. The purpose of this policy is to provide guidance regarding access to minors' medical records created in the provision of outpatient behavioral health services. It covers outpatient mental health and outpatient substance abuse treatment. This policy applies to all civil service programs, contractors, and private providers who provide services for SF Community Behavioral Health Services. In the case of records that were created as a result of the consent of the parent or legal guardian, the parent or legal guardian has the right to access the record, subject to certain limited exceptions described herein. In the case of records that were created as a result of the consent of the minor (e.g., emancipated minor, self-sufficient minor or minor seeking sensitive services) only the minor shall have the right to access. Parent or legal guardian access to records created pursuant to minor consent require the written authorization of the minor client (see Confidentiality of Records Policy and Procedures for discussion of release of information pursuant to authorization). This policy was written before the compliance date for the HIPAA (Health Insurance Portability and Accountability Act) privacy regulations and related patients' rights became effective; it therefore includes policies and procedures that apply under current California law, as well as references to changes that will be implemented as of the April 14, 2003 HIPAA compliance date.
For purposes of access to the client record, the term "record" includes any form or medium (hard copy or electronic) maintained by the provider relating to health history, assessment, ongoing treatment, diagnosis, or condition of a client relating to treatment either provided or proposed. It also includes all related documents such as x-rays, tracings, laboratory reports, consultant's reports, progress notes, testing results, and billing records regardless of where they are located or maintained. Administrative reports and incident reports or not part of the record; however, mandatory child abuse reports to CPS, and correspondence to and from, or about the client (if it relates to care or billing issues) may also be considered part of the "protected health information" or "PHI" under HIPAA.
Exclusions from Client Record Definition
State and federal law specifically exclude from the definition of the client record for purposes of client access any protected health information pertaining to some other person (such as information that may be in the record about other family members or clients involved in group therapy), information given in confidence by someone other than a health care provider under a promise of confidentiality where access would be reasonably likely to reveal the source of the information (e.g., a family member or other close associate of the client), and aggregate information that might exist in logs, registers, indexes, or other operational documents which contain client information (e.g., a list of charts that are subject to quality assurance review).
HIPAA regulations additionally specifically exclude from the record and therefore from "access" the following: 1) psychotherapy notes (the private notes maintained apart from the record by the psychotherapist), 2) information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding, 3) protected health information that is subject to the Clinical Laboratory Improvements Amendments of 1988 or that may be subject to the Privacy Act to the extent that such access would be prohibited or exempted by law. However, since California law does not exclude psychotherapy notes, presumably access to these notes affords greater rights to the patient, so California Law will pre-empt this HIPAA exclusion and patients will continue to have the right to access these notes as well if they are maintained as part of the record.
Records from Other Providers
Access must be provided to any client information that may be contained within the medical record of the client, including copies of records from other providers. This is true even though the other providers are not associated with Community Behavioral Health Services or any of its programs, and even if the outside provider has marked the record or information as "confidential." If the record does include records from other providers, these must be given to the client as well. If the school has sent a copy of a minor student’s IEP, and this is kept in the chart, it too would be considered “part of the record.”
Under HIPAA, if Behavioral Health Services does not maintain the records that are the subject of the request, it must inform the individual where to direct the request for access if it knows where the requested information is maintained. Also, the client is entitled to access protected health information about the client that is held in the records of Business Associates of Behavioral Health Services. Business Associates are those outside entities or individuals who contract with Behavioral Health Services to provide services for its benefit which require the use of client's protected health information.
Access to Old Records
The minor client in the case of minor consent, or the parent or guardian in other cases, is entitled to access client information regardless of when it was created, and any and all records maintained by Behavioral Health Services must be provided if requested. This does not mean that records must be kept longer than the records retention policy requires, but if old records exist and have not been purged, they must be included in response to the request for access.
The law does not distinguish between access to current records and access to old records created at a time when the requesting party might not have been qualified to access those records. For example, an adult client may request access to records that were created when he/she was a minor under parent/guardian consent. Similarly, a parent might request access to a minor's record that was created during the time that the parent's legal authority to consent to care for the minor had been denied.
Generally, if the individual currently meets the criteria for access to records (i.e., can consent to current care) access to old records should not be denied, especially if the access is requested for the purpose of assisting the requesting party in determining whether to give informed consent to a particular treatment or not. However, if the access is being sought for non-treatment purposes, for example in a custody battle or to pursue litigation, the provider may justifiably object to granting access. These situations should be discussed with the supervisor if they become problematic, and/or legal counsel if necessary.
Once a minor client reaches majority, access to earlier records created under the parent's consent would generally be appropriate if such access would enhance the client's ability to give informed consent. Similarly, if a newly appointed legal guardian seeks access to information or records in order to provide informed consent such access should generally not be denied.
Access by Minor Client
The minor client has a right to request access to his or her own record, or that portion of the record, that reflects care provided under the minor's consent. A minor client may request access regardless of whether he or she is a current or a former client. Access laws do not require the provider to retain records longer than what is legally required and there is no obligation to former clients to maintain records beyond the organization's records retention program. (Note: California law requires that records be kept for at least 7 years at a minimum following discharge of the minor client, and at least 1 year after such minor has reached the age of 18 whichever is longer.)
Access by Parent or Guardian
A parent or legal guardian who consented to the care that is subject to the records request may access records pertaining to care that he/she consented to. The law does not address the issue of old records created pursuant to another's consent, but if old records are necessary to provide a basis for giving current informed consent, common sense and quality of care issues dictate that those records may also be accessed, even if a different parent or legal guardian consented to that care (subject to the discretion of the provider). In the case of old records that were created under minor consent, only the minor may access (or release) those records.
Please note that there is a California law that, in direct conflict with federal law, allows parental consent and access to information in a minor's substance abuse record, even over a minor's objection in some cases (Family Code section 6929(g)); however, this statute would only be applicable to programs in California that are 100% privately funded. It is the federal law that controls access to Community Behavioral Health Services records, and that is the law that should be followed. Federal law clearly provides that in the case of minor consent only the minor can authorize release of information to the parent, and access should be strictly limited to the minor if he or she consented to the care.
Requests for Records of Adopted Clients
Adoptive parents have the same right of access to the record as natural parents. However, the right of access extends only to the records of the minor client, and does not include any records that might relate to the natural mother. Any reference to anyone other than the minor should therefore be removed before allowing access to the record.
Requests for Records of Wards or Dependents
Persons who are responsible for the care of wards or dependents of the court generally get their authority because of the status of the minor and their status in relation to the minor. Frequently the authority to consent to medical care and behavioral health services is given to the person by the courts. Care should be taken to make sure that the court order granting authority to consent to necessary and appropriate medical care includes authority to access medical records or information. Information should not be shared with foster parents, probation, or social services until their authority to access such information is clarified.
Access by Patient Rights Advocate
California law provides that behavioral health clients have the right to authorize in writing the release of their record (by copy or by inspection) to the Patient Rights Advocate. This right extends to minor clients who are receiving behavioral health services under minor consent law and to the parent or legal guardian in all other cases.
Records of Deceased Clients
Records of deceased minor clients maintain similar privacy protections as existed when the minor was alive. If the records were created under minor consent, the "personal representative" of the minor has the same rights of access as the minor would have enjoyed. The "personal representative" includes the minor's beneficiary, administrator of the estate, or executor under a will. In the case of substance abuse records, it also includes a spouse. If the records were created under parent or guardian consent, the parent/guardian who consented to the care has the same right of access as would have been enjoyed while the minor was alive.
Types of Access - Community Behavioral Health Services Records
The parent or legal guardian, or in the case of minor consent, the minor him/herself, may either inspect or receive a copy the Community Behavioral Health Services record by requesting such access in writing from the provider, or in the case of Community Behavioral Health Services civil service records, by calling the Health Information Management (415-255-3488) located at 1380 Howard on the 4th floor and asking for a request form.
If the written request is given to a private provider or contractor, the provider should indicate whether access will be allowed, denied, or denied in part, and instruct staff accordingly. In the case of Community Behavioral Health Services civil service programs, staff should forward the written request to Health Information Management and the provider will be notified. If the request is made directly to Health Information Management, the provider should be immediately notified of the request so that any concerns about access can be promptly stated. The law requires prompt response to such requests, so it is essential that this be done in a timely manner. The parent or legal guardian, or minor client who has consented to care, has the right to inspect the record within 5 business days of receipt of the written request, or may obtain a copy of the record within 15 calendar days.
The client may request access in any format so long as it is readily producible in such format. If unavailable in the format requested, the client must be given a readable hard copy, or be given the information in a mutually agreed upon format.
Laws governing access to Alcohol and Other Drug Treatment Program records include the additional provisions that the provider may informally allow the client access to the record by visual inspection and/or discussion between the provider and client and that it does not have to obtain a written "consent" or other authorization in order to provide such access to the record (this same rule will be observed for any records maintained by Community Behavioral Health Services). Information obtained by client access to his/her own substance abuse treatment program record is subject to the added restriction that it may not be used to initiate or substantiate any criminal charges against the client or to conduct any criminal investigation of the client.
Access by Inspection
If requested, access by visual inspection should be permitted within 5 business days of the written request, during business hours. Clients should never be permitted to inspect the record without supervision, to prevent alteration or destruction of the record contents. The provider may delegate this function to clerical staff, but ideally, the provider should be present when the client inspects the record so that questions or concerns may be promptly answered and addressed. If a client wishes to be accompanied by a friend, relative, or the Patient Rights Advocate, this should be documented on the written request to access the record, and authorized by the provider prior to allowing inspection (the law allows the client to be accompanied by one other person). The provider may additionally document this request in the progress notes.
Access by Copy
If access to the record is by providing a copy of the chart, the request must be acted upon promptly, and a copy must be transmitted to the client within 15 calendar days of the request. The client may be charged up to $.25 per page (or $.50 per page for copies from microfilm) and reasonable administrative costs in providing the copy. Under certain circumstances the client, or client's representative, is entitled to a copy at no charge of relevant portions of the record that may be needed for an appeal regarding eligibility for a public benefit program (e.g., MediCal, social security disability benefits, SSI, etc.). Once the benefits have been received, the client may be billed for the costs of the copy.
Request for Summary in Lieu of Record
Under California law, the provider may opt to provide a summary of the record instead of actual access by inspection or copy. A summary must reflect all relevant dates, tests, lab work, assessments, consultations, progress notes, etc. This rule will no longer be in effect after April 14, 2003 due to HIPAA requirements which differ and provide greater access to the client.
HIPAA provides that the client (not the provider) may choose to receive a summary in lieu of access to the entire record. A summary may be provided if the client agrees in advance to the summary, the necessary time to prepare the summary, and any related fees. Fees must be based upon actual time and cost for preparation of the summary. Normally, access to a summary should be provided within 10 business days of the request, unless the record is lengthy or the patient has been discharged within 10 calendar days immediately prior to the request, in which case the time may be extended to a maximum of 30 calendar days. HIPAA provides that a provider may give a verbal summary of the information in lieu of direct access to the record, if the client agrees in advance to this form of access.
Denial of Request to Access the Record (No Legal Right of Access)
If a parent or guardian requests access to protected health information related to services provided to a minor pursuant to minor consent, the provider must deny access. A sample form notifying the parent or guardian of denial of access for this reason is attached. If only a part of the record documents care for which the minor can consent and that portion can be removed, a parent or guardian could then be given access to the remainder of the record.
Similarly, if a minor client attempts to access information in his/her own record and the services have been provided pursuant to parent/legal guardian consent (e.g., because the minor is under the age of 12), access to the record must be denied, since only the parent or guardian has that right.
Denial of Access (Detrimental to Client)
Under California law, if a health care provider believes that release of a minor's health care record to the parent or legal guardian would cause physical or mental harm, or would harm the therapeutic relationship, access can be denied. The fact that the record was requested, and that access was denied, and the reasons that access was denied must be documented by the provider in the client's chart. These rules will not change on April 14, 2003, when HIPAA privacy regulations go into effect. HIPPA regulations specifically defer to state law on matters pertaining to minors and their representatives.
HIPAA allows the provider to deny access to the minor client under minor consent situations if 1) it is reasonably likely to endanger the life or physical safety of the client or another person, or 2) when the record makes reference to another person (other than a health care provider) and the provider determines that access is reasonably likely to cause substantial harm to the other person. HIPPA is less restrictive than California law (and therefore affords greater patient rights) and will therefore pre-empt state law on April 14, 2003. Until then, a provider may restrict access under California Health and Safety Code Section 123115(b) which permits denial of access to the minor client if the provider determines that there is a substantial risk of “significant adverse or detrimental consequences” to a client in seeing those records. (Sample letters dealing with denial of access are attached).
Under HIPAA, and beginning April 14, 2003, the denial of access for the above-noted reasons is subject to review by a designated "reviewing official" who did not participate in the original decision to deny access. The decision of the "reviewing official" must be followed. If the "reviewing official" agrees that access should be denied, then the "third party professional review" currently allowed under California law must be offered. This rule requires the provider to notify the client that the client may designate a "third party" licensed health care professional to review the record on their behalf. This person may be a licensed physician, licensed psychologist, licensed clinical social worker, or licensed marriage and family therapist. A marriage and family therapist registered intern may not inspect the records pursuant to this section unless directly supervised by a licensed professional who has signed a receipt for those records. The fact that the provider notified the client of this right, as well as the client’s response, must be charted. The third party professional may discuss the record with the client but may not provide a copy of the record to the client. The third party professional review will be done at the client's expense.
Other Conditions Permitting Denial of Access
HIPAA regulations provide that if the provider is acting under the direction of a correctional institution it may deny in whole or in part a inmate's request to obtain a copy of protected health information if such access would jeopardize the health, safety, security, custody, or rehabilitation of the individual or of other inmates, or the safety of any officer, employee, or other person at the correctional institution or responsible for the transporting of the inmate.
Also, under HIPAA, access to protected health information created or obtained by the provider in the course of research that includes treatment may also be temporarily suspended for as long as the research is in progress, provided that the individual has agreed to the denial of access when consenting to participate in the research that includes treatment, and the provider has informed the individual that the right of access will be reinstated upon completion of the research.
Right to amend or correct the record.
The minor client in the case of minor consent, or the parent or legal guardian in other cases may request that the record be amended or corrected; if such amendment or correction is justified, the amendment or correction shall become part of the original record. Under HIPAA there is no limit on how long the amendment may be, nor is there a limit on how often the record may be amended.
However, under no circumstances will portions of the original chart be removed or obliterated. The right to amend or correct the record is subject to several other limitations. A provider may deny the right to amend if it determines that the protected health information or record that is subject to request 1) was not created by the provider, 2) is not actually part of the record, 3) would not be subject to inspection by the client under access laws, or 4) is already accurate or complete. Any corrections or amendments should be forwarded on to others who may be relying on the record to provide treatment, payment or operations.
Audit of Disclosures for other than Treatment, Payment or Operations
HIPAA provides that clients also have the right to know how their protected health information has been used or disclosed without their written authorization for other than treatment, payment or operations. This audit would include, for example, any disclosures made under mandated reporting laws, in response to a court order, or to law enforcement as permitted under the law (for example, to report a crime committed at, or threatened at a treatment facility). It is the provider's responsibility to maintain a log of disclosures, beginning April 14, 2003, for each record he or she maintains. The log should include the following information: the date of the disclosure, the name of the entity or person who received the information, and if known, the address of such entity or person, a brief description of the information disclosed, and a brief statement of the purpose of the disclosure or a copy of the request for the information.
When the client requests access to his/her record, the provider may informally discuss the reason to determine what specific information is being sought. If the client wants a copy, or the right to inspect the entire record, a written form should be completed and appropriate staff should be notified so that arrangements for inspection or copying can be made. If the requested record has been created by providers of a Community Behavioral Health Services civil service program, the request should be forwarded to Health Information Management; it can be faxed to Health Information Management at 252-3001.
If the form is dropped off directly at Health Information Management, and the provider is unaware of the request, the provider should be immediately notified. The written request for access and the chart should be forward to the provider if the provider does not have it, so that he or she has the opportunity to determine if there is any reason that access should be denied.
The provider should chart any concerns about releasing the chart to the minor client or to the parent or guardian in the client’s record in the progress notes.
If there is no objection to access to the record, the provider should notify the client that the record may be inspected during normal business hours. An appointment should be made and staff should accompany the client during the inspection process. This should occur within 5 business days of the request.
If the client wishes a copy of the record instead, the provider should notify the client of the cost to provide the copy and should obtain payment ($.25 per page plus reasonable administrative costs) before making the copy. The copy should be sent to the client or made available within 15 calendar days of receipt of the written request to access the record.
If the provider is going to deny access, the client should be informed of his or her right to have the denial reviewed by the "reviewing official" at Community Behavioral Health Services and should be given the opportunity to request such a review. If the "reviewing official" agrees with the provider that access should be denied, the client should be informed of his or her right for third party professional review.
If only portions of the chart may be released, those portions only should be copied or made available for the client's inspection.
If the client has requested a summary, the summary should be provided within 10 business days of the request, unless the client has agreed to a longer time period, which should be included on the written request.
If the client wishes to amend or correct the record, any such amendment or correction should be made part of the permanent record, and those who have received copies of the record should be given copies of the amendments and/or corrections.
If the client requests an accounting of disclosures of his or her protected health information (an "audit log"), the provider should be notified and the information provided within 60 calendar days of the request. The client may not be charged for the first request for the audit log within any 12 month period, but may be charged a cost-based fee for subsequent requests within that 12 month period, provided the client has been advised of the fee and has the opportunity to withdraw the request so as to avoid the fee.
Contact person: Miriam Damon, RN, MFT
Distribution: Administrative Manual Holder
Attachments: Forms/Sample Letters (6)