Lartey Wellness Group – Client Records Access Policy

Purpose and Scope

This policy establishes Lartey Wellness Group’s commitment to handling client health record requests in compliance with all applicable laws and regulations. It covers all client record requests – including general medical records, mental health records, therapy/progress notes, and any other protected health information (PHI) maintained by Lartey Wellness Group. Special considerations for sensitive records (such as psychotherapy session notes) are included to ensure we meet legal requirements while protecting both client confidentiality and the organization’s interests. The goal is to provide clients timely access to their records when permitted, and to justifiably withhold or redact information only under legally recognized circumstances, with proper documentation and approvals.

Scope: This policy applies to all workforce members (employees, contractors, and volunteers) of Lartey Wellness Group involved in maintaining or releasing client records. It addresses requests from clients (or their personal representatives) for access to records. It also outlines procedures for partial disclosures, redactions, documentation, appeals of denials, and includes real-world legal justifications (with citations) to protect Lartey Wellness Group through compliance.

Definitions

Protected Health Information (PHI): Individually identifiable health information maintained or transmitted by Lartey Wellness Group in any form (electronic, paper, or oral). PHI relates to a client’s past, present, or future physical or mental health or treatment, or payment for health care[1].

Designated Record Set: A group of records maintained by or for Lartey Wellness Group that is used to make decisions about individuals. This includes medical and billing records, enrollment, payment, claims, case management records, and other records used to make decisions about a client[2][3]. Clients have a right to access PHI about themselves in any designated record set we maintain (with limited exceptions).

Psychotherapy Notes: Notes recorded by a mental health professional documenting or analyzing the contents of a counseling session, kept separate from the rest of the client’s medical record[4][5]. These are sometimes called “process notes” and contain the therapist’s personal impressions. Psychotherapy notes do not include session start/stop times, treatment modalities, frequencies, medication prescriptions and monitoring, test results, or summaries of diagnosis, treatment plan, or progress – those elements are part of the general mental health record (not afforded special protection)[6][7].

Personal Representative: A person legally authorized to act on the client’s behalf in making health care decisions or in accessing health records. Examples include a parent/guardian of a minor (with certain exceptions for minors’ own consented treatment), a healthcare power of attorney, or an executor of a deceased client’s estate. Personal representatives generally have the same rights of access to records as the client, unless releasing records to them would cause harm as defined by law[8].

Person in Interest (Maryland term): The patient or a person authorized to request medical records on the patient’s behalf under Maryland law (e.g., personal representative, guardian, or parent, as applicable). Maryland law uses “person in interest” in the context of medical record disclosures to signify who has rights to request or obtain records[9].

Disclosure: The release, transfer, provision of access to, or divulging of information from records to an individual or entity outside Lartey Wellness Group.

Use: Sharing or employing health information internally within Lartey Wellness Group.

Protected Records (42 CFR Part 2): For substance use disorder (SUD) treatment programs (if any within Lartey Wellness Group), records that are protected under 42 CFR Part 2. These records have stringent confidentiality rules. (Note: A patient’s own Part 2 records can be released to that patient upon request – no written consent is required to provide patients access to their own SUD records[10].)

Redaction: The process of removing or obscuring parts of a record that are not permitted to be released (e.g., confidential third-party information) while releasing the remainder.

Applicable Laws and Regulations

Lartey Wellness Group adheres to all relevant federal and state laws governing patient health records. Key laws and regulations include:

  • Health Insurance Portability and Accountability Act (HIPAA) – Privacy Rule: Specifically 45 C.F.R. §164.524, which grants individuals the right to access, inspect, and obtain copies of their PHI in a designated record set[1]. This rule outlines permitted timeframes, fees, and grounds for denial or delay of access (including special protections for psychotherapy notes[11] and other exceptions). We also follow 45 C.F.R. §164.508 and §164.512 regarding authorization requirements (notably, an individual’s specific authorization is required for use or disclosure of psychotherapy notes, with limited exceptions for oversight, threats of harm, etc.[12][13]).

  • 42 C.F.R. Part 2 – Confidentiality of Substance Use Disorder Patient Records: If applicable, these federal regulations protect records of diagnosis, treatment, or referral for substance use disorders. Part 2 generally requires patient consent for disclosures to third parties, but it explicitly allows providing the patient with access to their own records. No consent is needed to give the patient their own information[10], aligning with patient access rights.

  • Maryland Confidentiality of Medical Records Act (Maryland Health-General Code §4-301 et seq.): State law that parallels HIPAA in many respects and in some areas is more stringent. Maryland law requires providers to disclose medical records within no more than 21 working days after receiving a request from a patient or person in interest[9]. Knowingly refusing to disclose records in violation of this requirement can result in actual damages and criminal penalties (misdemeanor, with fines up to $1,000 for a first offense and $5,000 for subsequent offenses)[9]. Maryland also regulates the fees that can be charged for copies (updated annually) and forbids refusal due to the patient’s unpaid medical bills[14].

  • HIPAA Right of Access Initiative (Enforcement Program): A U.S. Department of Health & Human Services (HHS) OCR enforcement effort (begun in 2019) to ensure compliance with patient access rights. Numerous enforcement actions (settlements and fines) have been brought against healthcare providers of all sizes, including mental health practices, for failing to provide records timely or unlawfully denying access[15][16]. (See Enforcement and Case Examples below.)

  • Other Federal/State Laws: We also consider other laws as applicable, such as state-specific mental health confidentiality statutes, the federal Privacy Act (for any records maintained by federal agencies), or laws protecting minors’ health information. If multiple laws apply, Lartey Wellness Group will follow the law that is most protective of the client’s rights or that sets the stricter standard for disclosure.

Policy Statement

It is the policy of Lartey Wellness Group to provide clients with access to their health records in a timely, consistent, and compliant manner, while protecting sensitive information as allowed by law. We will not withhold records arbitrarily – any decision to deny or delay a client’s access request must be grounded in a specific legal exception as detailed in this policy. All denials or limitations will be documented with the rationale and communicated to the requester in writing[17].

Lartey Wellness Group is committed to transparency, client autonomy, and regulatory compliance. We recognize that easy access to one’s own health information is a patient right and often critical for continuity of care. At the same time, we acknowledge that certain records (e.g., psychotherapy session notes or information likely to cause harm if released) require careful handling. This policy balances these interests by outlining clear procedures and justifications for any refusal or partial disclosure, thereby protecting our clients’ well-being and the organization from legal risk.

Procedures for Responding to Record Requests

1. Request Submission and Verification

How to Request Records: Clients (or their personal representatives) are encouraged to submit record requests in writing for clarity and documentation. This can be done via Lartey Wellness Group’s designated Client Records Request Form, through the client portal, or via a written letter/e-mail that includes the necessary details (client name, date of birth, description of records requested, date range, desired format, etc.). If a client makes an oral request (e.g., in person or by phone), staff should document the request in writing and, if needed, have the client verify it (to ensure accuracy and clarity).

Verification of Identity: In line with HIPAA, staff must take reasonable steps to verify the identity of the person making the request[18][19]. This may involve checking photo ID for in-person requests or asking security questions/matching signatures for written requests. No unreasonable barriers will be imposed – for example, we will not require a client to physically come to the office if they request records by mail or portal (we accommodate remote verification)[19]. We will also not insist on use of our specific form if the client’s request contains all needed information; our form is recommended but not mandatory, to avoid delaying access[19].

Requests by Personal Representatives: If a personal representative (e.g., parent, legal guardian, power of attorney, executor) requests records, staff must verify their authority (e.g., legal documentation, court order, proof of guardianship or executor status, etc.). We treat properly authorized personal representatives as if they were the client, unless there is a concern that releasing records to them might cause harm to the client or someone else (see Denial grounds below for when a personal rep may be denied access)[8].

Scope of Request: If the request does not clearly specify which records or what dates, staff should clarify with the requester to ensure we provide the correct documents. We will interpret requests broadly to include all records in the designated record set relevant to the request, including clinical notes, treatment plans, evaluations, billing records, etc., unless the client only wants a subset. (Example: A request for “my records” will be taken to include all medical/mental health records; a request for “progress notes from last year” will be limited to those notes in that timeframe.) Clients have the right to access all PHI about themselves in our designated record sets, regardless of format or age of the records[20][21], except for the specific exclusions defined by law.

2. Timelines for Processing Requests

Standard Timeframe (HIPAA): Lartey Wellness Group will act on a request for records no later than 30 calendar days after receiving the request[22]. “Act on a request” means we will either: (a) provide the requested records, in whole or in part, or (b) provide a written denial (in whole or in part) explaining the reason, or (c) if we need more time, provide a written notice of extension (see below). We aim to fulfill requests as soon as possible, and not wait until the deadline if avoidable, since 30 days is an outer limit, not a goal[23].

Maryland Timeframe (Stricter State Law): Because Lartey Wellness Group operates in Maryland, we must comply with Maryland’s requirement to disclose medical records within 21 working days after a request[9]. Twenty-one working days is roughly 4 weeks (excluding weekends and holidays). This state requirement is slightly stricter than HIPAA’s 30 calendar days, so we will ensure records are provided within the 21-working-day window whenever applicable. If Maryland law applies to the request, staff should treat that as the deadline (assuming it comes sooner than the HIPAA deadline). Failure to meet the 21-working-day requirement can result in state penalties (see Enforcement section), so compliance is critical[9].

Extensions: Under HIPAA, if we cannot meet the 30-day timeframe, we are allowed one extension of up to 30 additional days only if we send the requester a written notice within the original 30 days explaining the cause of delay and the expected completion date[22]. However, Maryland law does not explicitly provide for extensions beyond 21 working days. To reconcile this, Lartey Wellness Group will make every effort to comply within 21 working days. In extraordinary circumstances where we cannot, we will communicate with the requester as early as possible, explain the situation, and document the requester’s agreement to a revised timeframe if possible. Even with an extension, we will not exceed 60 calendar days total from the request date under any circumstance (per HIPAA’s absolute limit with extension[22]).

Incremental Responses: If a request is broad and gathering the full record will take significant time (e.g., older archives), HHS guidance encourages providing records in batches or as they become available rather than waiting to send everything at once[23]. We will, if feasible, release portions of the record to the client on a rolling basis if they prefer that (e.g., provide recent records first while older ones are still being retrieved).

Urgent Requests: If a client indicates an urgent need (e.g., an upcoming doctor’s appointment or personal emergency), staff will try to expedite the request ahead of the normal queue when possible. While not legally required to do so if still within the allowed time, prioritizing urgent patient needs aligns with good patient care and service.

3. Form and Format of Access

Client’s Preference: The client can request their records in any format or medium that Lartey Wellness Group can reasonably produce. We will provide PHI in the form and format requested if readily producible[24][25]. This means:

  • If the client requests electronic copies (PDF, Word, secure portal download, etc.) and we maintain the records electronically, we will provide an electronic copy in the format requested (or an alternative format we agree upon if the original format isn’t feasible)[26][27].

  • If the client requests paper copies of electronic records, we will print them out if that is what the client prefers[25].

  • If a record is only on paper and the client wants an electronic copy, we will scan it if possible to create an electronic file (PDF or similar)[28].

  • If a specific file format is requested (e.g., Excel or CSV data export), we will accommodate if our systems can output that; if not, we’ll provide an agreed alternative format.

Inspection in Person: Clients have the right not only to get copies, but also to inspect their records on-site (HIPAA permits inspection as an option)[29]. If a client prefers to review the record in person, Lartey Wellness Group will arrange a supervised review session at a convenient time and private location. During inspection, the client may flag any pages they want copied. We will have a staff member or Privacy Officer present (or observing remotely for electronic records) to answer questions and ensure the integrity of the records.

Manner of Access (Delivery): We will provide the records in the manner requested by the client whenever possible. For example, if the client asks us to:

  • Mail the records to their home, we will do so via postal mail (marked confidential).

  • E-mail the records, we will do so in a secure manner. By default, we use encrypted email or a secure portal. If a client specifically requests unencrypted email (or a similar method) despite potential security risks, we will advise them of the risks and may comply if they acknowledge understanding (HIPAA allows individuals to receive their PHI by unencrypted email if they so request, accepting the risk)[30].

  • Allow pickup in person (paper or electronic media like USB), we will schedule a pickup time and require ID at pickup.

  • Fax to a number they provide (though fax is less common now, we can accommodate if needed).

  • Transmit to a third party: A client has the right to direct us to send their records directly to a designated third party (e.g., a new doctor or an attorney), by a signed request specifying the recipient and address/email. We will treat such requests with the same timeline and requirements as if releasing to the client[31][32].

We will not force a client to use one particular method of access. For example, if they request mailing, we won’t demand they use the portal; if they ask for an electronic copy, we won’t insist on giving paper only[19][33]. Our systems are capable of providing records via mail or email for all clients, so we accommodate those as standard methods[30].

Language or Format Needs: If a client needs records in a special format (such as large print, Braille, or translation to another language) for accessibility or understanding, we will attempt to accommodate or provide an explanation/summary if agreed by the client[34]. (For example, if a client is visually impaired, we will offer to provide an electronic text version that can be read by a screen reader.)

Summaries or Explanations: In some cases, a client might request or agree to receive a summary of the records or an explanatory letter instead of the full record (or in addition to it). We can provide a summary only if the client agrees in advance to this and any associated fees for preparing the summary[34]. We will not substitute a summary for the actual records unless the individual opts for that approach.

4. Fees for Copies

Cost-Based Copying Fees (HIPAA Standard): We may charge a reasonable, cost-based fee for providing copies of records[35]. This fee can only include the cost of:

  • Labor for copying (scanning, printing, photocopying, or converting records to the requested format)[36].

  • Supplies (paper, toner, or if electronic, the cost of portable media like a USB drive or CD if the client requests records on portable media)[37].

  • Postage or shipping, if the client requests mailing[37].

  • If the client agreed to a summary or explanation, the labor cost to prepare that summary[35].

We will not charge any fees for time spent searching for or retrieving records, or for handling the request (overhead), as those are not permitted under HIPAA’s cost-based fee limitation[38][39]. Our fees will also be reasonable in relation to actual costs – even if state law sets a higher cap, we will charge no more than what is reasonably cost-based under the circumstances[40].

Maryland Fee Limits: Maryland law defines a maximum fee structure for medical record copies (adjusted annually) – for example, it allows a per-page fee (e.g., around $0.76/page for paper copies in recent years), plus an administrative fee (approx. $22) and actual postage costs[41]. Lartey Wellness Group will comply with Maryland’s cap: we will not charge above the state-authorized amounts. In many cases, our actual cost-based charges may be less than the state maximum, especially if records are provided electronically. We will charge the lower of (a) the applicable state maximum or (b) the actual allowed cost as per HIPAA. (Note: For electronic copies, Maryland law (per HITECH Act adoption) limits fees to actual labor costs for electronic preparation[42], which aligns with HIPAA’s rules.)

No Charge Situations: By law, we cannot charge certain fees in specific scenarios. For instance, if we are transferring records to another provider for a current Medicaid recipient, Maryland prohibits charging any fee for that transfer[14]. Additionally, if a record is needed to support a claim or appeal under Social Security or other disability programs, federal law (42 U.S.C. §1320d) and state guidelines often limit or eliminate fees for the patient. Lartey Wellness Group will waive or adjust fees as required by any such regulations or, in cases of financial hardship, when appropriate (at management’s discretion, we can provide records free or at a discount as a courtesy in special situations).

Fee Notification: If any fee is to be charged, we will inform the client in advance (before incurring the charge) of the approximate amount. The client can then decide to proceed, narrow the request to reduce cost, or cancel the request. We will provide an invoice or breakdown of the fee if requested, showing how the fee was calculated (number of pages, hourly rate for labor, postage, etc.).

No Denial for Unpaid Bills: Importantly, we will NOT refuse to provide a copy of records because a patient has unpaid medical bills for services[14][43]. HIPAA expressly forbids withholding records due to a patient’s failure to pay their health care bills[43]. (For example, if a client owes money for therapy sessions, we still must provide their records upon request – we cannot make record access contingent on payment for services.) We may, however, require payment of the copying fee itself before releasing the copies[14]. In practice, if a fee applies, we will notify the client and may require that fee to be paid prior to handing over the records, but we will never withhold the records themselves as leverage for any other debts.

Documentation of Fees: All fees charged and payments received for record requests should be documented (a receipt provided to the client, and a note in the record request log).

5. Grounds for Denying or Limiting Access

Lartey Wellness Group’s policy is to provide full access to a client’s records unless one of the strictly defined legal exceptions applies. The HIPAA Privacy Rule (and supporting state laws) outline specific situations where we may or must deny access to some or all of the requested information. Any such denial must be reviewed and approved by the Privacy Officer or designated senior clinician, and accompanied by proper written notice to the client (see “Denial Notification” below). Below are the only permissible grounds for denying a request, in whole or in part:

a. Information Excluded from the Right of Access:

  • Psychotherapy Notes: If the client’s request includes psychotherapy notes (as defined above) that are maintained separately from the medical record, we will exclude those notes from the release. Patients do not have a HIPAA right to inspect or obtain copies of a therapist’s separate psychotherapy process notes[11][44]. Lartey Wellness Group will decline to provide psychotherapy notes to the client (or anyone else) unless release is required by law or the therapist chooses to provide them in rare circumstances. We will, however, provide any information from the counseling sessions that is documented in the regular medical record or treatment plan (e.g., diagnoses, session dates, medication details, summaries) even if psychotherapy notes are withheld[5][45]. Rationale: Psychotherapy notes receive special protection because they are the therapist’s personal reflections and are generally not useful to others not present in the session, and disclosure could harm the therapeutic process[46][47]. (Federal law even requires patient authorization for nearly all disclosures of such notes to third parties[12].) Example: If a client requests “all my therapy records,” we will provide progress summaries, treatment plans, etc., but not the therapist’s private note pages marked as psychotherapy notes.

  • Information Compiled for Legal Proceedings: Any information that was compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding is excluded from the right of access[48][49]. This might include, for example, records gathered by our attorneys in defending a lawsuit, or correspondence with a malpractice insurer, etc. If such material exists in the file and was prepared for litigation, we will withhold it. The client can still access the underlying medical information that might be in their medical record, but not the confidential legal-preparation documents themselves[11]. Example: A client who knows of a pending lawsuit might request their file; any incident reports or attorney communications prepared for that litigation would be withheld under this exception.

  • Correctional Institution Inmate Requests: (This likely will not apply to Lartey Wellness Group as we are not a correctional institution, but for completeness:) If the client is an inmate in a jail/prison and requests a copy of records, we could deny it if giving a copy would jeopardize safety, security, custody, or rehabilitation within the correctional setting[50]. In such cases, typically the institution’s rules control access. (We mention this for completeness of HIPAA rules, but our clinic does not directly operate in correctional facilities.)

  • Research-related Records (Temporary Suspension): If a client is participating in a research study that includes treatment, and they agreed when consenting to the study to temporarily suspend access to their records for the duration of the study, we may deny access to those particular records until the research is complete[51]. (Again, this is an uncommon scenario; it would require that Lartey Wellness Group is involved in a research project with such an agreement. Any denial for this reason must have documentation of the client’s consent to the suspension in the research consent form.)

  • Records Subject to the Privacy Act: If the records are maintained by a federal agency component and subject to the federal Privacy Act, and the Privacy Act would deny access, we can deny under HIPAA as well[52]. (Likely not directly relevant to our clinic unless we hold records on behalf of a federal program.)

  • Information from Confidential Sources: If the PHI requested was obtained from someone other than a healthcare provider under a promise of confidentiality and giving the client access would be reasonably likely to reveal the source, we may deny access to that specific information[53]. This is an unreviewable denial right under HIPAA. Example: A family member or friend of the client may have privately given information to the therapist (with an assurance of confidentiality) about the client’s condition. If the client requests records, that piece of information could be withheld to avoid revealing that the family member was the source[53]. We would provide the rest of the record, excluding any reference that would identify the informant. (Note: This exception is narrow and only applies if the person who provided the info was not a healthcare provider. Information from other healthcare providers is generally part of the record that must be shared[21].)

b. Grounds for Denial Requiring Review (Potential Harm):

These next grounds are “reviewable” under HIPAA, meaning if we deny access based on them, the patient has the right to an independent review of the decision (see Appeals/Review Process below). They involve situations where access might cause harm:

  • Danger to Life or Physical Safety: If a licensed health care professional (e.g., the treating clinician or our clinical director) determines that allowing the client to access the requested information is reasonably likely to endanger the life or physical safety of the client or another person, we may deny access[54][55]. This is intended for extreme situations – e.g., reading their records might trigger a suicide attempt or violent action. This standard is stringent: the harm must be “reasonably likely” and related to life or serious physical safety, not just emotional distress[56][57]. General concerns that the patient “might be upset” or might misinterpret the records are not enough to qualify for this exception[56]. We expect to invoke this only in rare cases where a genuine risk is identified (HIPAA expects this to be “extremely rare”[58]). Example: A therapist believes that if a patient with severe suicidal ideation reads about a poor prognosis or traumatic details in their record, it could lead to self-harm – the therapist could recommend denial of that portion of the record, pending review. For instance, consider a patient whose chart contains a very graphic account of a past trauma (such as a sexual assault). The clinician might fear that reading these details alone, outside of a therapeutic context, could trigger a dangerous psychological crisis or self-harm. In such a case, a temporary denial of access to that specific portion might be justified under this exception (with proper documentation and review). In practice, the clinician may choose to offer to review that information together with the patient in a session rather than simply handing it over, to ensure support is in place – but if even with support the disclosure is deemed likely to cause serious harm, it can be withheld pending the required independent review.

  • Substantial Harm to Another Person Mentioned in the Record: If the PHI requested makes reference to another person (other than a healthcare provider) and a licensed professional determines that releasing it is reasonably likely to cause substantial harm to that other person, we may deny access to that part[59]. Example: The record contains documentation of abuse by a family member who is unaware that the patient reported it. If disclosing the record to the patient might result in retaliation or harm to that family member, or if the family member had given information in confidence about themselves that could cause conflict, a provider could decide that disclosing that information to the patient could harm the third party. This is a nuanced scenario and overlaps with the “confidential source” case – essentially, if revealing information in the record would significantly harm someone else, we can consider redacting it. We will use this sparingly and with consultation.

  • Personal Representative Causing Harm: If the request for access is made by a personal representative (e.g., a parent or legal guardian) on behalf of the client, and a licensed provider determines that giving that personal representative access is reasonably likely to cause substantial harm to the client or another person, we may deny the representative access[8]. This often applies in cases of minors or incapacitated adults with suspected abuse or neglect by the personal representative. Example: A therapist might deny a parent access to a teenager’s therapy records if releasing them would likely provoke abuse or endanger the teen, especially if the teen has disclosed sensitive information (like evidence of the parent’s abuse). In Maryland, certain minors have rights to consent to treatment (e.g., for mental health at age 16 under specific conditions) and in those cases the parent may not be entitled to records if it would contravene the minor’s privacy rights or well-being (Maryland Health-General §20-104, etc., provide minors some confidentiality in specific treatment areas). Each such situation will be evaluated carefully with legal counsel if needed. Another Example: If records show that the clinician filed a Child Protective Services (CPS) report due to suspected parental abuse, releasing that portion of the record to the parent could endanger the child or compromise the investigation. In such a case, the provider would similarly deny the parent’s access to that specific information, citing the harm exception. The clinician should immediately consult the Privacy Officer and legal counsel in this scenario to ensure proper handling and documentation (including coordination with CPS or law enforcement as needed). This exemplifies how protecting the minor’s safety can override the parent’s access rights.

Important: When a denial is made on any “reviewable” ground above (danger to life, harm to others, personal rep issues), the client must be informed of their right to have the denial reviewed by another licensed professional not involved in the original decision[60][61]. (See Appeals/Review Process below.)

c. Other State-Specific Refusal Grounds:

Lartey Wellness Group will also consider any additional Maryland-specific laws that might allow refusal or limitation. Maryland law generally aligns with HIPAA’s reasons. One noteworthy Maryland provision: a healthcare provider may deny a parent access to a minor’s record (even if the parent is the personal representative) if the minor has the legal right to consent to the treatment and has requested confidentiality, or if releasing to the parent is deemed not in the minor’s best interest (for example, disclosure could lead to harm). This is consistent with HIPAA’s personal representative harm exception noted above[8] but is explicitly recognized in state law for minors. We will follow Maryland’s minor consent/confidentiality rules (Health-General §4-301 and §20-102 et seq.) when applicable.

Additionally, Maryland regulations permit a provider in some cases to provide a summary of the record in lieu of the full record if direct release would be detrimental. If we ever invoke that, it will be in compliance with Maryland law and with the understanding that the patient can request the full record be sent to another provider of their choice.

d. No Other Grounds: Apart from the above, no other reasons (administrative inconvenience, fear of a lawsuit, concern about misinterpretation, etc.) are valid grounds to deny a patient’s access to their records. We cannot deny access simply because:

  • We believe the records might upset the patient (unless it meets the serious harm threshold above – mere emotional distress is not sufficient[62]).

  • The records contain mental health diagnoses or notes that the provider feels are sensitive (sensitivity alone isn’t an exemption).

  • The patient still owes money (as stated, that is explicitly prohibited as a reason to deny[43]).

  • The patient might use the records in a lawsuit or complaint against us. (Patients have a right to their records even if they intend to file a complaint. In fact, OCR has penalized providers for denying records in such scenarios.)

  • The request is too broad or we think the patient “doesn’t really need” the records. (Patients are not required to give a reason for their request[63], and we should not second-guess their motivations.)

If staff have any uncertainty about whether a particular document can be released or should be withheld, they must consult the Privacy Officer or legal counsel before deciding. It is safer to err on the side of providing access, unless a clear rule above applies, to avoid unlawful denial. The Privacy Officer serves as a key advisor in these situations. Clinicians should not hesitate to involve the Privacy Officer early when unsure; part of the Privacy Officer’s role is to interpret privacy laws and help determine what can or cannot be released. This secondary check helps prevent mistakes and ensures that any denials are solidly grounded in law and policy. In ambiguous cases, the Privacy Officer may also consult with legal counsel, but the initial step is internal consultation so that frontline clinicians are supported in making the right call.

6. Partial Release and Redaction

Whenever a specific portion of the record falls under a denial ground, but other portions do not, we will utilize partial disclosure and/or redaction rather than withholding the entire record. This “segregate and release” principle means we provide as much as possible and withhold only what is necessary. HIPAA mandates that we give the individual access to all other requested PHI after excluding the denied portions[64].

Procedures for Partial Releases:

  • Identify Removable Information: If, for example, confidential third-party information is embedded in a page of a record, we can redact (black out) those lines or identifying details, and release the rest of the page. If psychotherapy notes are in a separate section, we simply omit that section and release all other sections.

  • Technical Redaction: For electronic records (PDFs, Word files), use proper redaction tools (not just drawing a black box over text, but actually removing the text data beneath). For paper records, use an opaque redaction marker or create a photocopy with the sensitive sections cut out/covered.

  • Documentation of Redaction: Internally, keep an unaltered original in our files, but also keep a copy that shows what was redacted for the release. This may be needed if the denial is later reviewed or challenged.

  • Informing the Client: In the denial letter or cover letter accompanying the records, we will inform the client that certain information has been withheld/redacted and the general category of reason (without revealing the sensitive content itself). For example: “Your request has been partially granted. Certain entries provided to us in confidence by a third party have been redacted pursuant to 45 CFR 164.524(a)(2)(v)[53]. The remaining records are enclosed.”

Examples of Partial Disclosure:

  • If a record contains notes from a spouse who insisted on anonymity, we release the record with that name and note excised (removed).

  • If psychotherapy notes are present in the file, we release all other therapy documentation (e.g., the treatment plan, medications, summary notes) but not the separate deep-dive process notes.

  • If releasing a specific diagnostic report would endanger someone, we might hold that one report but still give the patient the rest of their file.

Minimum Necessary Not Applicable: Remember, “minimum necessary” rules do not restrict what a patient can get of their own information – individuals are entitled to the full record (aside from lawful exceptions). Therefore, we do not arbitrarily trim or summarize information for our convenience. Partial withholding is only for lawful exceptions, not to “simplify” the record. If a client asks for everything, we give everything (minus only what’s exempt by law).

Important: Clinicians must refrain from redacting or omitting information unless it squarely fits one of the above lawful exceptions. Sensitive or potentially upsetting details (such as certain diagnoses or frank clinical observations) cannot be withheld solely to spare a client’s feelings or to prevent possible misinterpretation. If something is in the record, the client is entitled to see it (assuming no legal exemption applies) – even if the wording is candid or critical. Rather than redact permissible information, clinicians are encouraged to provide appropriate context or discuss the content with the client (if the client desires), but the record itself must remain complete. In short, we do not censor or sanitize records; we remove only what we are legally required or clearly allowed to withhold.

7. Documentation Requirements

For each client record request, the following documentation steps must be taken:

  • Log the Request: Enter the request into the Record Request Log (whether an electronic tracking system or a manual log). Record the date received, name of requester, description of records requested, and target due date (21 working days per MD law, and also note the 30-day HIPAA deadline).

  • Maintain the Request Copy: Save a copy of the written request (or a summary of an oral request) in the client’s file or designated correspondence folder.

  • Processing Notes: Document actions taken – e.g., “2026-02-01: Retrieved records from EHR and paper file,” “2026-02-02: Reviewed for any psychotherapy notes or sensitive info,” “2026-02-03: Sent 50 pages via encrypted email.” Include who fulfilled the request and when.

  • Approval for Denial: If any part of the request is being denied or limited, document the clinical/professional decision behind it. Typically, a clinician should write a note (or fill out a denial justification form) stating what information is withheld, which exception applies (cite the law, e.g., “psychotherapy notes – excluded from access per 45 CFR 164.524(a)(1)” or “Dr. Smith determined disclosure poses risk of harm per 45 CFR 164.524(a)(3)”), and the date of that decision. Have the Privacy Officer or another authorized person co-sign or acknowledge this decision to ensure it’s valid. This documentation should be stored in a restricted administrative file, not automatically given to the patient (the patient will get the denial letter, which is a separate document – see below).

  • Denial Letter (if applicable): If we deny any portion of a request, we will draft a written denial letter to the client within the required timeframe (within 30 days under HIPAA, and in practice sooner to meet Maryland’s 21-day rule for any final action). The letter must include:

      • The specific reason for the denial, in plain language[17] (e.g., “We cannot release Dr. Doe’s therapy session notes because they are defined as psychotherapy notes, which are not included in the records patients can access by law[11].” Or “Your therapist has determined that reading certain details of your record at this time could pose a serious risk to your safety[54]; therefore, we are denying access to that portion of the record.”).

      • If a reviewable denial: an explanation of the individual’s right to have the decision reviewed by an independent licensed practitioner not involved in the original decision[60]. We will include how the client can request that review (e.g., “If you wish to appeal this decision, please submit a written request to the Privacy Officer within 60 days. An independent clinician will review your request as described below.”).

      • Information on how to file a complaint: Both internally (e.g., contact info for our Privacy Officer or Compliance department) and externally (Office for Civil Rights at HHS, or Maryland Department of Health)[17]. HIPAA regulations require that denial letters inform the patient of their right to file a complaint with OCR if they believe their rights are violated[17].

The denial letter should be polite, neutral in tone, and offer to discuss the issue or provide the permissible information in an alternative form if possible. For example, we might offer a summary or to have a meeting to discuss the record with the patient’s clinician, if that might help clarify information in lieu of direct access to the sensitive portions.

  • Grant Letter (if fully fulfilled): If we are granting the request in full (especially if it took a while to compile), it’s good practice to include a brief cover letter that says “Enclosed are the records you requested...” and lists what is included. This is not legally mandated, but it provides clarity and a helpful record of fulfillment.

Retention: Maintain copies of all request documentation and correspondence for at least 6 years (HIPAA requirement for documentation retention) or longer if state law requires. (Maryland’s record retention requirement for medical records is at least 7 years for adults, etc., so we align with the longer requirement as applicable.) The correspondence related to the request can be kept with the medical record or in a designated compliance file.

Quality Control: The Privacy Officer will periodically review the request logs and files to ensure requests are being handled timely and properly. Any deviations (e.g., late responses, missing documentation) will be addressed through staff training or process improvements.

Staff Support & Workload Considerations: Lartey Wellness Group acknowledges that fulfilling record requests – especially complex ones requiring extensive review or redaction – can be time-consuming for clinicians and staff. We are committed to ensuring this important compliance work is manageable and that staff are supported:

  • If a request is expected to require extensive preparation (for example, reviewing a large volume of records for possible redactions or compiling records from multiple sources), clinicians should inform their supervisor or the Privacy Officer. We can adjust schedules or assign support staff to help, so that patient care duties are not unduly disrupted by the records request process.

  • Any significant time spent on records requests beyond normal job expectations will be recognized. Clinicians will not be expected to complete extensive records preparation on their personal time without compensation or workload adjustment. Management may allocate paid administrative time or other resources for this purpose. In other words, time devoted to lawful records release tasks is treated as part of the job, not an extra uncompensated burden.

  • Our goal is to encourage diligent compliance without overburdening individual providers. By providing assistance and, when necessary, compensation for the extra effort, we make it clear that proper records handling is a shared organizational responsibility. This support helps prevent burnout and ensures that clinicians can take the needed care in reviewing records, ultimately protecting both patient rights and our legal compliance.

8. Appeal and Review Process for Denials

When a client or personal representative is denied access to any portion of their records under a reviewable ground (the “harm” exceptions outlined in section 5.b above), they have the right to appeal that denial and have it reviewed by another professional.

Notice to Client: The denial letter, as mentioned, informs the client of their right to a review. We will consider a request for review if the client (or rep) submits a written or verbal request for a second opinion (no special form is needed, though written is preferable for clarity).

Appointing a Reviewer: Lartey Wellness Group will have a pre-designated Reviewing Official (or a small panel of reviewers) who are licensed health care professionals not involved in the original decision. This could be a senior clinician or an external consultant if appropriate. For example, if a treating therapist denied the access, another therapist or the Clinical Director who was not that patient’s provider will be assigned to review. In practice, the Privacy Officer will coordinate the review process, ensuring the selected reviewer receives the relevant records and the original denial rationale. The Privacy Officer’s role is to facilitate the process and provide the reviewer with necessary context while remaining neutral. This separation of roles reinforces the impartiality of the review and helps ensure a fair, unbiased second opinion.

Review Process: The reviewing official will get access to the pertinent records and the rationale for denial. They will independently evaluate whether the denial was appropriate under the HIPAA standard. Essentially, they ask: “Is it reasonably likely that giving this information to the client would endanger life or safety, or cause substantial harm, as claimed?”[54][57]. They will consider any additional information or statements the client provided in their appeal as well.

Decision: The reviewer will make a written determination to either uphold the denial or overturn it (in whole or in part). According to HIPAA, we must then abide by the reviewer’s decision[61]. That is, if the reviewer says “I believe the risk is not sufficient; the client should get the records,” we will release the records promptly. If the reviewer agrees with the denial, we maintain the denial.

Notification to Client: We will promptly inform the client of the outcome of the review. If the denial is upheld, we’ll send a letter stating that an independent review was conducted and the denial stands, reiterating the option to seek external recourse (e.g., an OCR complaint or other remedies). If the denial is overturned, we will include with the notice the newly released records that were previously withheld (or arrange access immediately in the manner the client prefers).

Timeliness of Review: The law does not set a specific number of days for completing the review, but it should be done in a reasonable time. We aim to complete any such review within 30 days of the client’s appeal request, if not sooner, so that the process doesn’t unduly delay the client’s access.

Documenting Reviews: All review requests and outcomes shall be logged. The reviewer’s written recommendation or decision should be kept on file (separate from the patient’s regular medical record, but with the access request documentation).

Secondary Options: If a client is still unhappy after the review (or if the denial was on unreviewable grounds, leaving them no internal appeal), they may choose to pursue external remedies. They can file a complaint with the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) or with state oversight bodies like the Maryland Board of the relevant profession or the Attorney General’s Health Advocacy Unit. We include information about these options in our denial letters. They could also potentially seek a court order for the records in rare cases (especially if related to litigation). Lartey Wellness Group will re-evaluate any further challenge or legal order with counsel, as needed.

9. Special Considerations

Minors’ Records: For clients who are minors, the personal representative is usually a parent or legal guardian. However, if the minor consented to a health service on their own (as permitted by law for certain services like mental health counseling at age 16+ in Maryland under specific conditions, or substance abuse treatment, STI services, etc.), then the minor may have the authority to control access to those records. In such cases, we will not release those records to a parent without the minor’s consent if prohibited by law. We will follow Maryland’s statutes on minors’ health privacy strictly. If unsure, staff should consult the Privacy Officer before releasing a minor’s records to ensure compliance with both HIPAA and Maryland law (which may grant minors exclusive rights over certain records). For example, if a 17-year-old client received mental health counseling without parental involvement (as allowed under Maryland law) and explicitly requests that their parent not be given access to those therapy records, we will honor that request. We will document the minor’s request for confidentiality and, if the parent later seeks the records, we will respectfully decline to release those particular records, citing the applicable minor confidentiality laws. Clinicians should inform the Privacy Officer when such situations arise so that any parental requests can be handled appropriately and in line with legal requirements.

Deceased Clients: The personal representative of a deceased client (e.g., executor or administrator of the estate) may request records. We treat them as the client for access purposes (with the same 21-day state timeline). If there is no executor, Maryland law may allow certain persons (like next of kin) to obtain records under specific conditions. We will verify the authority (such as requiring a death certificate and official paperwork showing the requestor’s status) before release. Psychotherapy notes of a deceased individual may still be withheld absent a compelling legal reason, since HIPAA protections extend for at least 50 years past death for PHI.

Subpoenas and Court Orders: Although this policy is mainly about client-initiated requests, occasionally requests come via subpoena or court order. Those are handled under our separate Release of Information for Legal Requests Policy. In brief, we will comply with subpoenas after ensuring proper authorization or required notifications to the patient, as required by law, and we will always comply with a court order signed by a judge. Note that if a patient’s attorney requests records via subpoena or the patient’s signed authorization, that is essentially treated as a patient-directed request (with appropriate paperwork). Maryland law specifically says we must comply with subpoenas and cannot charge a fee when transferring records to another provider for a Medicaid patient[14]. All legal requests should be forwarded to the Privacy Officer and/or Legal Counsel for handling. The standard timeliness requirement (21 days under Maryland law) still generally applies to subpoena responses unless a court order specifies a different deadline.

Third-Party Requests with Authorization: If a patient asks us to send records to an external party (e.g., an insurance company, an attorney, or a family member) and provides a valid HIPAA authorization, we will do so. Note that HIPAA’s right-of-access (30-day) rule applies even when a patient directs records to a third party in writing[31]. We will treat those similarly to direct requests from the patient. If the patient’s authorization is broad or not specific, we may confirm with the patient exactly what is to be released (to avoid over-disclosure). Psychotherapy notes, in particular, require their own explicit authorization – so if a patient wanted even their psychotherapy notes sent somewhere, the written authorization must specifically reference those; otherwise we do not release them.

Professional Courtesy and Client Relations: If a client simply has questions about their records, we encourage open dialogue. Sometimes, providing access can be accompanied by an offer to discuss the content with the clinician, especially for mental health records, to prevent misunderstanding or unnecessary distress. This is a service we may provide (e.g., scheduling a session to go over test results or therapy notes) but it is optional for the client – not a prerequisite for obtaining their records. We will not insist on a discussion as a condition to releasing records; it’s offered only as a supportive courtesy. For instance, if a client’s chart contains a very sensitive trauma history or other potentially triggering content, the clinician might suggest reviewing those entries together in a therapy session so the client has support when processing that information. This kind of offer can help the client understand context and cope with any emotional reactions, but again, it is the client’s choice whether to have such a discussion. Access to the records will not be withheld if the client declines a review session; the information will still be provided as requested.

Security of PHI During Processing: Whether mailing or emailing records, staff must ensure the records are sent to the correct recipient/address. We double-check email addresses for accuracy and use encryption for email whenever possible. For physical mail, we verify the mailing address and mark envelopes as confidential with no unnecessary identifying information on the outside. Misdelivery of records is considered a potential breach. If any breach happens (e.g., records sent to the wrong address or wrong person), staff must report it immediately per our Breach Notification Policy so that appropriate mitigation steps can be taken.

Retention of Original Records: Providing copies to a patient does not mean we give up or transfer our original record. We always maintain the original record in our files as required by law (at least 7 years for adults in Maryland, longer for certain records or for minors, etc.[65]). We do not relinquish original documents unless required by law (and even then, usually copies will suffice). If a patient insists on obtaining an “original” item (which sometimes happens for things like radiology films or diagnostic images), staff should consult management – usually we can provide duplicate copies or an equivalent form that meets the patient’s needs while we retain the original.

Enforcement and Case Examples

Failure to adhere to patient access rights can result in significant consequences for Lartey Wellness Group. To underscore the importance of this policy, here are real-world case examples and legal enforcement actions related to record requests:

  • HIPAA Right of Access Enforcement Initiative: Since 2019, the HHS Office for Civil Rights (OCR) has prioritized enforcing patient access rights. By late 2024, OCR had undertaken over 51 enforcement actions against providers for access violations[15]. These actions often result in monetary settlements/fines and corrective action plans. Lartey Wellness Group could face similar enforcement if we fail to comply.

  • Example – Mental Health Center Fined for Delay: Rio Hondo Community Mental Health Center (Los Angeles County) was fined $100,000 in 2024 after a patient waited more than 7 months and made multiple requests (in person, writing, phone) for her records, which were only provided after OCR intervened[66][16]. The initial request came just before a COVID-19 lockdown, and the clinic cited operational issues, but OCR deemed the delay a clear violation. Lesson: External circumstances (even a pandemic) did not excuse the duty to at least communicate and provide records promptly. We must have contingency plans to furnish records even during emergencies.

  • Example – Five-Month Delay by Psychiatric Hospital: Arbour Hospital, a behavioral health hospital in Massachusetts, took 5 months to provide a patient his records. OCR settled this as a violation with a $65,000 fine[67][68]. Lesson: Protracted delays are unacceptable. We must meet the 21/30-day deadlines or face liability. Even if records are eventually provided, a long wait itself breaches the regulation.

  • Example – Refusal to Personal Representative: St. Joseph’s Hospital (Phoenix) refused to provide an incapacitated patient’s records to his mother, who was his legal representative. OCR imposed a $160,000 settlement for this denial[69]. In another case, Wise Psychiatry, P.C. in Colorado denied a father access to his minor son’s records; they faced a fine of $10,000[70]. Lesson: If the personal representative has legal rights (and there is no evidence that disclosure would cause harm), we must comply. Denying a legitimate personal rep without justification is a serious HIPAA violation. Only in cases where there’s a lawful exception (like potential abuse harm as discussed above) can we refuse, and it must be well-documented.

  • Example – Ignoring Requests: Riverside Psychiatric Medical Group in California failed to respond to multiple patient requests and even an OCR intervention; they settled for $25,000[71]. Similarly, a Virginia psychiatric practice (King MD) didn’t provide records even after OCR’s technical assistance, resulting in a $3,500 fine[72]. Lesson: We must not ignore or continually put off requests. Even smaller practices are being penalized. OCR expects us to respond within the time frame and to cooperate if a patient complains. Ignoring requests can quickly lead to enforcement action.

  • Example – Overcharging and Format Issues: Korunda Medical in Florida initially refused outright, then sent records in the wrong format to a third party and charged excessive fees; they paid $85,000 to settle the case[73][74]. Lesson: We must honor format requests if possible and charge only allowable fees. Excessive or unauthorized fees (e.g., charging a “record retrieval fee” not allowed by HIPAA) and not sending records to a designated third party as requested are enforceable violations.

  • Maryland Law Enforcement: Maryland’s Attorney General or health professional boards can also sanction providers for violating state record laws. Maryland law explicitly states that knowing refusal to provide records within 21 working days is a misdemeanor with potential fines and liability for actual damages[9]. A patient could file a complaint with the Maryland Board of Professional Counselors, Psychologists, or Physicians (depending on the provider type) for failure to release records; this could result in disciplinary action against a provider’s license. We protect Lartey Wellness Group by avoiding any such violations. Timely compliance not only avoids penalties but also fosters patient trust.

  • Case Law – Psychotherapy Notes Protection: Courts have recognized the sensitivity of therapy notes. For instance, in Jaffee v. Redmond, 518 U.S. 1 (1996), the U.S. Supreme Court established a psychotherapist-patient privilege, affirming that therapy session communications (and by extension, notes) deserve confidentiality akin to attorney-client privilege. This reinforces why HIPAA carves out psychotherapy notes from a patient’s access rights – the law acknowledges that unfiltered therapy discussions are uniquely private and protected[46][47]. Lesson: Our stance of not releasing psychotherapy notes without the therapist’s consent (or unless required by law) is supported by both HIPAA and broader legal principles valuing therapeutic confidentiality.

HIPAA Penalties and Reputational Risk: Beyond the fines in the examples above (which range from a few thousand to six-figure amounts), enforcement settlements also often require organizations to adopt corrective action plans under OCR monitoring[75]. This is costly and time-consuming – for example, requiring training of staff, rewriting policies under OCR oversight, and submitting compliance reports for a year or more. Additionally, each OCR settlement is publicized, which can harm our reputation. Lartey Wellness Group’s commitment is to avoid these outcomes by strict adherence to access rights. We prefer our name not be on the HHS “Wall of Shame” for access violations.

In summary, these cases illustrate that regulators take record access very seriously. By following this policy – providing prompt access, charging only allowable fees, and only denying when absolutely permitted – we protect our clients’ rights and Lartey Wellness Group from enforcement risks. If an unusual situation arises, we will consult legal counsel before denying a request, to ensure our justification would hold up under scrutiny.

Conclusion

Lartey Wellness Group prioritizes both compliance and client care in handling health record requests. All staff must familiarize themselves with this policy and its underlying rationale: to empower clients with access to their information, except where law and ethics dictate caution. This approach not only satisfies legal requirements (HIPAA, Maryland law, etc.) but also strengthens the therapeutic alliance through transparency and trust. When in doubt about any aspect of a records request, staff should escalate the matter to the Privacy Officer rather than guessing or delaying.

By adhering to the guidelines herein – timely responses, thorough documentation, careful consideration of any refusals, and knowledge of the legal landscape – we maintain trust with our clients and uphold Lartey Wellness Group’s obligations. This policy will be reviewed periodically and updated as laws change (e.g., any new federal rules or state amendments) to remain current. Staff will be re-trained on any changes as needed.

Remember: The default answer to a request is “Yes, provide the record.” Only a legally supported “No” or a “partial yes” is acceptable when justified. When we must say “No,” we will do so narrowly, respectfully, and with all required notices and reviews, always keeping in mind our mission to support the client’s wellbeing and rights.

Approved by Compliance Committee on 01/15/2026. Next review due by 01/15/2027 (or sooner if laws change).

References

[1] [8] [48] [49] [50] [51] [52] [53] [59] [61] 45 CFR § 164.524 - Access of individuals to protected health information. Electronic Code of Federal Regulations (e-CFR) | US Law | LII / Legal Information Institute https://www.law.cornell.edu/cfr/text/45/164.524

[2] [3] [11] [17] [18] [19] [20] [21] [22] [23] [24] [25] [26] [27] [28] [29] [30] [33] [34] [35] [36] [37] [38] [39] [40] [43] [44] [45] [54] [55] [56] [57] [58] [60] [62] [63] [64] Individuals’ Right under HIPAA to Access their Health Information – HHS.gov Guidance. https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html

[4] [5] [6] [7] [12] [13] [46] [47] “HIPAA, Psychotherapy Notes, and Other Mental Health Records” – Holland & Hart LLP (2013). https://www.hollandhart.com/hipaa-psychotherapy-notes-and-other-mental-health-records

[9] [14] [41] [42] [65] Maryland Department of Health – Medical Records Act & Patient Access Requirements. https://health.maryland.gov/mbpme/pages/records.aspx

[10] 42 CFR Part 2 (Confidentiality of SUD Patient Records) – HHS and Holland & Hart summary (PowerPoint). https://www.hollandhart.com/42-cfr-part-2

[15] [16] [66] “Feds Fine Mental Health Clinic $100K in 2020 HIPAA Case.” BankInfoSecurity News (Jan 2021). https://www.bankinfosecurity.com/feds-fine-mental-health-clinic-100k-in-2020-hipaa-case-a-26863

[31] [32] [67] [68] [69] [70] [71] [72] [73] [74] [75] “OCR Continues HIPAA Right of Access Crackdown, but at a Much Slower Pace.” (Nov 11, 2021). American Society of Consultant Pharmacists (ASCP) News. https://www.ascp.org/news/news-details/2021/11/11/ocr-continues-hipaa-right-of-access-crackdown-but-at-a-much-slower-pace
