Imagine representing a party in a lawsuit concerning coverage for mental health services. The lawsuit was brought by the parents of a minor child. The client received a request for production of medical records concerning the child’s mental health treatment. Can the client produce the records?

In short: it depends.

The path to the correct answer is exceedingly complex. It requires an analysis of federal privacy rules, state privacy and minor consent laws, and applicable regulations. This article provides an overview of the type of analyses a lawyer should undertake to determine whether a minor’s medical records relating to mental health treatment may be produced.

HIPAA Privacy Rules

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) establishes federally protected rights that permit individuals to control certain uses and disclosures of their protected health information, including their medical records.

Under HIPAA Privacy Rules, with certain exceptions, mental health records are generally treated the same as medical records. In the context of litigation, medical records can typically be disclosed by a covered entity (defined as providers, health plans and other entities specified under 45 C.F.R. 160.103) in any one of the following situations:

a) The patient provides written permission for the disclosure; b) The covered entity is a party to the litigation and uses or discloses the records for purposes of the litigation, so long as the entity makes reasonable efforts to limit such uses and disclosures to the minimum necessary to accomplish the intended purpose; c) The covered entity receives a court order; or d) The covered entity receives a subpoena for the information, if the covered entity either:

i. Notifies the subject of the information about the request, so the person has a chance to object to the disclosure; or ii. Seeks a qualified protective order from the court.

See 45 C.F.R. § 164.512(e).

Yet HIPAA Privacy Rules alone do not answer the question as to when and under what circumstances a minor’s mental health records may be disclosed. State privacy laws and state laws concerning consent and minors must also be considered.

State Privacy Laws

Many states have enacted privacy laws that are more stringent than HIPAA and place further protections on disclosure of medical records generally and mental health records specifically.

In California, mental health records may be subject to one of two state laws: (1) the Lanterman-Petris-Short Act, California Welfare and Institutions Code, Section 5328 et seq. (LPS Act); or (2) the California Confidentiality of Medical Information Act, California Civil Code Section 56 et seq. (CMIA). To determine whether mental health records may be disclosed under California law, the first inquiry to make is whether the records are subject to the LPS Act or CMIA.

The LPS Act concerns involuntary civil commitment to a mental health institution in the state of California, and it strictly prohibits the disclosure of medical records concerning involuntary commitments absent a court order. Cal. Welf. & Inst. Code § 5328(f). In contrast, the CMIA generally prohibits a healthcare provider, healthcare service plan or contractor from disclosing medical information regarding a patient without first obtaining a written authorization from the patient, with certain exceptions. Cal. Civ. Code § 56.10. Disclosures can be made without written authorization in certain circumstances, including but not limited to where compelled by:

  1. Court order;
  2. An administrative agency under its lawful authority; or
  3. A party to a legal proceeding before a court or administrative agency by subpoena or other authorized discovery mechanism.

Cal. Civ. Code § 56.10.

Even if applicable state laws authorize disclosure of mental health records, that is unlikely to be the end of the inquiry where a minor’s medical records are involved.

Consent and Minors

When consent to release a minor’s records is required under federal or state law, who is authorized to provide that consent?

Under the HIPAA Privacy Rule, “personal representatives” are those persons who have authority, under applicable law, to make healthcare decisions for a patient. Typically, a parent, guardian or other person acting in loco parentis (collectively, Parent) is considered a personal representative of his or her minor child. As such, he or she has the authority to make healthcare decisions for the minor and may exercise the minor’s rights with respect to protected health information.

But there are several important exceptions to this rule. A Parent is not considered the “personal representative” of his or her minor child when:

  1. A minor has consented to the healthcare services and the consent of the Parent is not required by federal or state law;
  2. Someone other than a Parent is authorized under federal or state law to provide consent for the medical services to a minor and provides such consent (e.g., court-ordered healthcare services); or
  3. A Parent consents to a confidential relationship between the minor and a healthcare provider with respect to the healthcare service.

In addition to these federal rules, many states have enacted more stringent privacy and informed-consent laws concerning minors. These laws generally fall into two categories: laws based on the status of the minor (e.g., minors who are emancipated) and laws based on the type of care sought (e.g., mental health or family planning).

For example, in California minors 12 years or older may consent to outpatient mental health treatment if, in the opinion of the treating provider, the minor is mature enough to participate intelligently in the mental health treatment. Cal. Health & Saf. Code § 124260. In such a case, a provider cannot share the minor’s medical records with his or her parents (or others) absent a signed authorization from the minor. Cal. Health & Saf. Code §§ 123110(a), 123115(a)(1); Cal. Civ. Code §§ 56.10, 56.11, 56.30.

Federal law also permits providers to refuse to produce medical records to a parent or person otherwise entitled to receive them if the provider believes that (a) the patient has been or may be subject to violence, abuse or neglect by that person; (b) the patient may be endangered if that person is treated as a personal representative; or (c) it is not in the best interests of the patient to treat the person as a personal representative. 45 C.F.R. § 164.502(g). California state laws similarly permit a provider to refuse to disclose records if the provider believes disclosure would negatively impact (a) the provider’s professional relationship with the minor or (b) the minor’s physical safety or psychological well-being. Cal. Health & Saf. Code § 123115(a)(2).

Records Subject to Heightened Protections

Another critical inquiry is whether the specific type of records requested may be disclosed under any circumstances. Certain classes of medical records are subject to heightened protections; two examples are psychotherapy notes and medical records regarding substance use disorder (SUD) diagnoses and treatment.

1. Psychotherapy Notes

The HIPAA Privacy Rule distinguishes between mental health information that is contained within an individual’s medical record and psychotherapy notes. Psychotherapy notes are subject to heightened protections and, with limited exceptions, may be disclosed only if the patient signs an authorization permitting disclosure. See 45 C.F.R. § 164.508(a)(2). Similarly, a personal representative is precluded from obtaining psychotherapy notes regarding his or her minor child. Disclosure of psychotherapy notes is permitted only where certain federal exceptions apply, including where disclosure is required by law, such as mandatory reporting of abuse and duty to warn in cases of serious and imminent threats.

Even where disclosure is permitted under federal law, state laws should also be consulted. Where state laws conflict with federal laws, a pre-emption analysis will need to be undertaken to determine which law governs.

2. Substance Use Disorders

Another class of records afforded heightened protection relates to SUDs. The Confidentiality of Alcohol and Drug Abuse Patient Records regulation, 42 C.F.R. Part 2, applies to any individual or program that is federally assisted and holds itself out as providing, and provides, alcohol or drug abuse diagnosis, treatment or referral for treatment. This federal law restricts the disclosure and use of patient records that include information on substance use diagnoses or treatment information. 42 C.F.R.§ 2.11. Except in very limited circumstances, this law requires a patient’s written consent—with nine specified elements, including the precise recipient of the disclosed information and the purpose of the disclosure. 42 C.F.R. §§ 2.31(a), 2.51-2.53.

Where medical records contain SUD diagnoses or treatment information, disclosure should not be made absent specific written authorization from the patient—or the patient’s personal representative—unless an exception applies. See 42 C.F.R. §§ 2.51-2.53 (establishing exceptions for medical emergencies, research and audits).

Conclusion

Lawyers are well-advised to proceed with caution in the complex arena of mental health privacy laws, especially with regard to minors. While this article highlights some of the federal and state laws at play, a comprehensive review of all potentially applicable federal and state laws is strongly advised before disclosure in any case.