Individuals may have access to and obtain a copy of their PHI. A client who has, is receiving, or was denied services, a parent of a minor, and/or a personal representative or legal guardian as relevant to their representation, must request in writing access to inspect, or receive copies of PHI. Additionally, a personal representative or legal guardian must have written authorization from the client to access PHI. Use the Individual’s Request for Access to Protected Health Information, MO 886-4450, for the client’s request. This form should be used anytime a client is requesting access to and/or a copy of their file and the file has any Protected Health Information.
Staff Assistance to the Individual
Staff may assist the individual in initiating this process. For example, the client may want a copy of his or her doctor’s report from their Children’s Division case file, but he or she may not remember the examination date. Provide the date from the case record to help the person.
Approving the Request for Client Access to PHI
Individuals and/or their attorneys or representatives frequently request access to specific Protected Health Information in files, such as a copy of their counseling reports. At other times, the individual or representative may be requesting access to their entire case file or to their CA/N investigation record. Staff should refer to policies and procedures in the Child Welfare Manual on how to respond to these requests (see Child Welfare Manual Section 5.2.4). However, as many case files and CA/N investigation records contain PHI, if staff ascertain that any of the information in the file could be PHI, staff should also have the individual and/or personal representative fill out the Individual’s Request for Access to Protected Health Information. Staff should also verify that the personal representative requesting information is truly representing the individual.
The Request form could be completed at the time the individual comes in to review their file or to pick up copies of their information, or the form could be mailed to the individual and returned to staff. Copies of the Individual’s Request for Access to Protected Health Information should be retained in the file.
If after review staff approve the request, staff shall ensure access in a timely manner and arrange for a mutually convenient time and place for the client to inspect the PHI or obtain copies, unless access in another format has been requested by the client and agreed to by staff as (see Requested Format below). Charge the same per page copying fee that CD uses to reimburse medical providers. Do not charge any search or retrieval fees. The client’s agreement to any costs is confirmed by the person checking the appropriate box on the Individual’s Request for Access to Protected Health Information form. Any requests for additional accommodations shall be sent or given in writing to the CD Privacy Officer.
Providing a Summary of the PHI
If it is acceptable after discussion with the client, a summary of the PHI may be used. The client’s agreement to a summary shall be documented in writing by checking the appropriate box in the Individual’s Request for Access to Protected Health Information form. Staff should then forward to the DSS Privacy Officer the Individual’s Request for Access to Protected Health Information form, copies of the requested information and a cover memorandum. Advise the DSS Privacy Officer that you recommend that the client receive the requested summary.
The request is processed in the format requested (i.e., hard paper copy, microfiche, computer disk, etc.), if possible, and in a timely consistent manner according to established timeframes but not more than 30 days after receipt of the request. If the record cannot be accessed within the 30 days, the timeframe may be extended once for no more than an additional 30 days with notification in writing to the individual outlining reasons for the delay and the date the request will be concluded.
If after review of the request, staff believe that a request should be denied, the request together with appropriate documentation shall be forwarded to the CD Privacy Officer for review, decision, and response to the client.
Denials without a Right to Review
The CD Privacy Officer, in cooperation with CD staff, may deny requests for access to protected health information without a right to review in the following situations:
- If the information conforms to one of the following categories: psychotherapy notes; information compiled for use in a civil, criminal or administrative action or proceeding;
- If the client is participating in a research related treatment and has agreed to the denial of access to records for the duration of the study;
- If access is otherwise precluded by law;
- If the information was obtained from someone other than a health care provider under a promise of confidentiality and the access requested would be reasonably likely to reveal the source of the information; and
- If DSS has been provided a copy of a court order from a court of competent jurisdiction, which limits the release or use of PHI.
Psychotherapy notes have special protections under HIPAA in terms of releasing such notes to the individual. As noted earlier, psychotherapy notes are defined as “notes recorded (in any medium) by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of the individual’s medical record.” Case narratives compiled by Children’s Division Children’s Service Workers are an integral part of the case record and do not meet the definition for psychotherapy notes.
Case records may, however, contain psychotherapy notes that originated from a mental health professional. Psychotherapy notes are a distinct and separate category from counseling reports, counseling summaries or psychological evaluations. Psychotherapy notes are exempt from individual access. If an individual requests a document that is labeled psychotherapy notes do not release that specific information and submit the request to the CD Privacy Officer. The CD Privacy Officer will review the request and notify staff of the decision. Other information should be released to the individual per the policies and procedures of the Child Welfare Manual upon execution of the signed Individual’s Request for Access to Protected Health Information.
Denials with a Right to Review
Although, the CD Privacy Officer, in cooperation with CD staff, may deny requests for access to protected health information, the client does have a right to review of this denial in the following situations:
- A licensed health care professional has determined, in the exercise of professional judgment, that the access requested is reasonably likely to endanger the life or physical safety of the individual or another person;
- The Protected Health Information makes reference to another person and a licensed health care professional has determined that the access requested is reasonably likely to cause substantial harm to such other person; or
- The request for access is made by the individual’s personal representative and a licensed health care professional has determined that the provision of access to such personal representative is reasonably likely to cause substantial harm to the individual or another person.
If a client is denied access to all or part of their PHI contained in the CD case file, they have a right to appeal the denial decision. If the client or personal representative requests a review of the denial DSS has designated a licensed health care professional, who was not involved with the initial decision to deny access, to review the decision. Denial reviews will be referred by the DSS Privacy Officer to a designated departmental licensed health care professional for completion of the review. Such denial reviews shall under no circumstances be completed by any other licensed health care professional. Staff must complete the following in processing a request for review of a denial to access PHI:
- The appeal shall be submitted in writing to the DSS Privacy Officer. The DSS Privacy Officer will then designate a licensed health care professional to review the denial; and
- The designated licensed health care professional who did not participate in the original decision to deny access shall review the record and the request for access to the client’s record;
- If the reviewer determines that the initial denial was appropriate, the DSS Privacy Officer notifies in writing that the review resulted in another denial of access. The notice includes the reasons for denial and describes the process the individual may use to make a complaint to the Secretary of the Department of Health and Human Services.
- If the denial was not appropriate, the licensed health care professional who acts as the reviewer shall refer the request to the DSS Privacy Officer for action. The Privacy Officer may provide this PHI to the individual or direct staff to provide it.
- If access is denied to any portion of the PHI, access must still be granted to those portions of the PHI that are not restricted.
Denial of Access
If after review, CD denies access to PHI in whole or in part, CD may as directed:
- Make other PHI information accessible to the individual after excluding the denied PHI; or
- If the information requested is not maintained by CS and staff is aware of the location of such information, staff may inform the individual where to direct his or her request. Make other PHI information accessible to the individual after excluding request.
Release of PHI of a Deceased Client
- The PHI of a deceased client may only be released via a Probate Court order from the County Circuit Court where the deceased resided or from another Probate Court in the State of Missouri. In the case of a child victim who is the reported subject of abuse/neglect, information should be released per state law and statute with the juvenile court, law enforcement, prosecutors and members of the Child Fatality Team.
- Other requests for information should be referred to the CD Privacy Officer.