by Wayne Wenske, Senior Marketing Strategist,
Tanya Babitch, Assistant Vice President of Risk Management,
Robin Desrocher, Director, Risk Management, and
Kassie Toerner, Manager, Risk Management
Federal and state guidelines for safeguarding patient records and ensuring patient privacy can be difficult to navigate. Here are answers to your questions regarding the management, retention, and release of medical records.
What is considered a medical record?
A medical record includes any records pertaining to the history, diagnosis, treatment, or prognosis of a patient. The Texas Medical Board (TMB) rules (Chapter 165) outline elements that should be included in the medical record, and also state that salient records received from another physician or health care professional involved in the care or treatment of the patient shall be maintained as part of the medical record.
How long do I need to keep medical records in Texas?
For adults — all records must be kept for at least seven years from the date of the last treatment. Keep in mind, “treatment” might include a phone call, a prescription refill, or other contact with the patient. (Hospitals are required to keep records for 10 years, and some physicians may also choose to keep office records for 10 years.)
For minors — records for minor patients must be kept for at least seven years from the date of last treatment or until the child turns 21, whichever is longer.
Medical records that relate to any civil, criminal, or administrative proceeding may be destroyed only if the physician knows the proceeding has been finally resolved.
For more information, please see Chapter 165 of the Texas Medical Board rules.
Who “owns” the medical record?
The physical documents are the tangible, personal property of the person or entity that created them. However, by law patients have the right to obtain copies of their medical records. The only clear exception in Texas law is in the Medical Practice Act, which states: “If the physician determines that access to the information would be harmful to the physical, mental or emotional health of the patient.” This guideline is outlined in the TMB rules (Chapter 165.2). The physician might be asked to explain why the records or information may be harmful to the patient. See the next question below for details on what is required when denying records to a patient.
Never release the original record, except under subpoena, and then retain a copy. See more below.
Is there a deadline for providing requested medical records?
Texas law gives a deadline of 15 business days to provide medical records upon receipt of a request and any agreed upon fees.
This same deadline also applies if the physician feels it would be harmful to release copies of medical records to a patient. The physician or health care entity has a deadline of 15 business days to provide a written, signed, and dated statement that details the reason for the denial and provides instructions to the requestor on how to file a complaint with the Department of Health and Human Services (HHS) and the TMB. A copy of the denial statement should be placed in the patient’s medical and/or billing records.
How should I respond to a subpoena for a medical record?
If you are a TMLT policyholder, please contact TMLT's Claim Department to inquire about how to respond to a subpoena. In addition, if you are a Texas physician, the Texas Medical Association offers a resource, Subpoenas for Medical Records (TMA log-in required).
Can a patient electronically access their electronic health information (EHI) at no cost?
On April 5, 2021, the ONC Cures Act Final Rule for health care providers went into effect. The rule includes a provision requiring that patients be able to electronically access all their electronic health information (EHI), structured and/or unstructured, at no cost. Health care providers may review the ONC Cures Act to ensure compliance with the rules for release of EHI. More information can be found here.
The ONC Cures Act further gives patients the right to immediate electronic access to their health records. This includes test results, medication lists, referral information, and physicians’ notes. If you are not sure about how this access is granted in your EMR, consult with your software vendor.
What is the proper procedure for the release of medical records to a patient?
An individual has the right to review or obtain copies of their health records, and there are steps for physicians or health care entities to follow to provide copies while maintaining HIPAA guidelines and state law. The following information outlines different scenarios.
As required by the Medical Practice Act/Texas Occupations Code 159.006, a physician or health care entity shall provide copies of medical and/or billing records requested or, if the individual prefers, a summary or narrative of the records pursuant to a written release of the information as provided by the Medical Practice Act 159.005.
Additionally, a physician or health care entity may require individuals to use the entity’s own supplied authorization form, provided use of the form does not create a barrier to or unreasonably delay the individual from obtaining access to their PHI.
The Privacy Rule requires a physician or health care entity to take reasonable steps to verify the identity of an individual making a request for access. The Rule does not mandate any specific method of verification (such as obtaining a copy of a driver’s license), but rather generally leaves the type and manner of the verification to the discretion and professional judgment of the physician or health care entity, provided the verification processes and measures do not create barriers to or unreasonably delay the individual from obtaining access to their PHI. Additional guidance is available on the HHS site.
Form and format
The Privacy Rule requires physicians or health care entities to provide the individual with access to the PHI in the form and format requested, if readily producible in that form and format.
Requests for paper copies
If an individual requests a paper copy of PHI maintained by a physician or health care entity, it is expected that the physician or health care entity will be able to provide the individual with the paper copy requested. This applies to medical records that are paper or maintained electronically.
Requests for electronic copies
If an individual requests an electronic copy of PHI that a physician or health care entity maintains only on paper, the physician or health care entity is required to provide the individual with an electronic copy if it is readily producible electronically.
If an individual requests an electronic copy of PHI that a physician or health care entity maintains electronically, the physician or health care entity must provide the individual with access to the information in the requested electronic form and format, if it is readily producible. The physician or health care entity is not required to purchase new software or equipment to accommodate every possible individual request; however, the physician or health care entity must have the capability to provide some form of electronic copy of PHI.
Practices should comply with federal and state laws regarding required timelines for release. Texas law gives a deadline of 15 business days to provide medical records upon receipt of a request.
Is a written authorization required to release medical records directly to a patient?
In Texas, if a patient or other authorized requester is requesting copies of records (versus electronic access), they must submit this request in writing. A form to disclose protected health information (PHI) is also available for physicians and health care entities to provide to patients for this purpose.
The written request must contain the following elements:
- identify who is authorized to make the disclosure (such as the physician);
- identify who may receive the PHI (such as self, relative, another treating physician, etc.);
- identify who may make the authorization;
- identify the specific information to be disclosed, particularly for sensitive information, such as HIV/AIDS testing and treatment, mental health treatment, and substance abuse treatment;
- describe the purpose of the disclosure;
- note when the authorization expires; and
- contain a signature and date (of the patient or personal representative).
A valid authorization must also have these statements:
- the patient has the right to revoke the authorization, with instructions on how to revoke;
- clarification that under most circumstances medical care may not be conditional on the signing of the authorization; and
- a warning that the PHI may be re-disclosed by the receiving entity.
The patient must receive a copy of the authorization and the physician or health care entity must also maintain a copy.
When can protected health information (PHI) be released without an authorization?
The HIPAA Privacy Rule permits, but does not require, a physician or health care entity to use and disclose protected health information, without an individual’s authorization, for the following purposes or situations:
Treatment, Payment, Health Care Operations. A physician or health care entity may use and disclose protected health information for its own treatment, payment, and health care operations activities.
Treatment is the provision, coordination, or management of health care and related services for an individual by one or more health care providers, including consultation between providers regarding a patient and referral of a patient by one provider to another.
Payment encompasses activities of a health plan to obtain premiums, determine or fulfill responsibilities for coverage and provision of benefits, and furnish or obtain reimbursement for health care delivered to an individual and activities of a health care provider to obtain payment or be reimbursed for the provision of health care to an individual.
Health care operations are any of the following activities: (a) quality assessment and improvement activities, including case management and care coordination; (b) competency assurance activities, including provider or health plan performance evaluation, credentialing, and accreditation; (c) conducting or arranging for medical reviews, audits, or legal services, including fraud and abuse detection and compliance programs; (d) specified insurance functions, such as underwriting, risk rating, and reinsuring risk; (e) business planning, development, management, and administration; and (f) business management and general administrative activities of the entity, including but not limited to: de-identifying protected health information, creating a limited data set, and certain fundraising for the benefit of the physician or health care entity.
- Public Interest and Benefit Activities — The HIPAA Privacy Rule permits use and disclosure of PHI, without an individual’s authorization or permission, for these 12 national priority purposes as follows:
  - Required by Law — Information may be provided by a physician or health care entity to law enforcement officials to fulfill a court order, statute, or legal regulation.
  - Public Health Activities — Physicians or health care entities can reveal protected health information to:
    - Public health officials who are responsible for monitoring and stopping the spread of disease or injury.
    - FDA-regulated companies if there is data that would support the monitoring of effectiveness or adverse events related to their products.
    - Individuals who may have been exposed to transmittable diseases that are tracked by the government and require reporting.
    - Information may be released to employers regarding employees to evaluate work-related illnesses or claims, manage workers' compensation claims, and OSHA violations.
    - Positive HIV tests (without the patient's name) and AIDS diagnoses (with the patient's name) to the Texas Department of State Health Services and local health department.
  - Victims of Abuse, Neglect, or Domestic Violence — In cases of suspected abuse, it is permissible to report suspected child and elder abuse to the Texas Department of Protective and Regulatory Services and law enforcement.
  - Health Oversight Activities — Personally identifiable health information may be released to government agencies that are responsible for providing oversight for the health care system, including government health programs, such as Medicare and Medicaid, Texas Department of State Health Services, the Texas Attorney General's Medicaid Fraud Control Unit, Texas Medicaid Health Partnership, and the Department of Protective and Regulatory Services. Medicare and Medicaid records must be made available promptly to representatives of the Department of Health and Human Services.
  - Judicial and Administrative Proceedings — PHI may be disclosed to the court system in response to a subpoena, court order, or administrative tribunal. Notice should be sent to the subject of the order that their information has been shared.
  - Law Enforcement Purposes — Protected health information may be shared with law enforcement officials under the following circumstances:
    - As required by law to adjudicate warrants or subpoenas.
    - To locate a suspect, witness, or fugitive.
    - To provide law enforcement officials with information on the victim, or suspected victim, of a crime.
    - To notify law enforcement in the case of a suspicious death, which may have resulted from criminal activity.
    - As evidence of a crime that occurred in the facility of a physician or health care entity.
    - A physician or health care entity may provide PHI in the case of an emergency involving one of its patients, even if the incident occurred offsite. PHI may also be provided to inform law enforcement about a possible crime, its victims, perpetrators, or location.
  - Decedents — In the case of death, PHI can be disclosed to the coroner's office for identification purposes, and to determine the cause of death. PHI may also be released to the funeral home as needed.
  - Organ Donation — PHI can be released by physicians or health care entities to facilitate the donation of cadaver organs and tissue.
  - Research — PHI can be released in the case of medical research, provided the researchers warrant that the information is necessary for the preparation or execution of the research study and will not be used in any other way.
  - Serious Threat to Health and Safety — PHI can be released without consent to law enforcement officials to aid in the capture of an escaped prisoner or a violent criminal. Protected health information can also be released if there is credible reason to believe that there is an imminent threat to an individual or the public at large.
  - Essential Government Functions — Physicians and health care entities can release protected health information for the completion of government duties and functions, including military missions, national security initiatives, protection of the President, evaluating State Department employees, and providing health services to inmates.
  - Worker's Compensation — Physicians or health care entities may release PHI without authorization while evaluating and certifying employee injury claims.
Physicians and health care entities should share their Notice of Privacy Practice with patients to educate them about how their protected health information (PHI) will be used.
Additionally, while the disclosures outlined above are permitted without a patient authorization, the physician or health care entity is encouraged to ensure that the request is valid prior to release. For example, if a subpoena looks suspicious, confirm the validity. If requests for records are being made by a government official, such as CPS, Medicare, or Medicaid, verify the identity of the requestor.
Who can authorize the release of medical records?
Per the Texas Occupations Code, the authorization to release medical records may be signed by:
- an adult patient;
- a parent or legal guardian if the patient is a minor;
- a legal guardian of the patient if the patient has been adjudicated incapacitated to manage his/her own personal affairs;
- an attorney ad litem appointed for the patient; and
- a personal representative if the patient is deceased.
Where can I find the Authorization to Disclose Protected Health Information form developed by the Attorney General of Texas?
May I charge the patient for copying medical records?
As mentioned in a previous question, the ONC Cures Act Final Rule for health care providers includes a provision requiring that patients can electronically access all their electronic health information (EHI), structured and/or unstructured, at no cost.
There are differences in allowable charges depending upon whether records are requested for release directly to the patient or to a third party. The Office for Civil Rights (OCR) has updated guidelines on patients'/individuals' rights to obtain their medical records and how much a physician or health care entity can charge for copies. Given the intricacies of the rules, it is recommended that physicians or health care entities review these FAQs and Chapter 45 of the Code of Federal Regulations Section 164.524 before deciding whether to charge and choosing one of the fee methods outlined in the next section. Additionally, the fee method should be outlined in the physician or health care entity’s HIPAA Privacy and Security policy and procedure manual.
Fees to release directly to the patient/individual
According to federal law, a physician or health care entity may use one of the following methods to charge a patient a reasonable fee for copies of their medical records:
- Actual cost: the physician or health care entity may calculate and charge the actual allowable cost to fulfill each patient request. Allowable refers to costs related to the labor, supplies, postage, and any preparation of an explanation or summary of the patient’s PHI; or
- Average cost: the physician or health care entity may develop a schedule of costs based on average, allowable labor costs to fulfill standard requests; or
- Flat rate of $6.50: the physician or health care entity may charge a flat fee of no more than $6.50 (this covers all labor, supplies, and postage) for requests of electronic copies of the patient’s protected health information (PHI). Charging a flat fee not to exceed $6.50 per request is an option for physicians or health care entities that do not want to go through the process of calculating actual or average allowable costs for requests for electronic copies of PHI.
A patient requests a paper copy of the records from their last office visit and lab work results. The office staff prints 10 pages of a medical record.
Labor for copying only: 15 min at $15 per hour = $3.75
Supplies: 10 cents per page × 10 pages = $1
Postage: Priority mail = $6.65
Labor for copying: 20 min at $15 per hour = $5
Supplies: 10 cents per page × 10 pages = $1
Postage: Priority mail = $6.65
According to the U.S. Department of Health and Human Services (HHS), the physician or health care entity must also inform those patients or individuals requesting copies in advance of the approximate fee for this service and should post on their websites or otherwise make available an appropriate fee schedule for copy requests.
Physicians and health care entities are urged to err on the side of caution when determining fees for release of records directly to the patient. While the HHS has published the guidelines above, these rules are intended to increase patients’ access to their own records. This is demonstrated by language found in the HHS FAQs:
“ . . . while the Privacy Rule permits the limited fee described above, physicians or health care entities should provide individuals who request access to their information with copies of their PHI free of charge. While physicians or health care entities should forgo fees for all individuals, not charging fees for access is particularly vital in cases where the financial situation of an individual requesting access would make it difficult or impossible for the individual to afford the fee. Providing individuals with access to their health information is a necessary component of delivering and paying for health care.”
For more information, please see these FAQs along with Chapter 45 of the Code of Federal Regulations Section 164.524.
What about fees to release to a third party (attorney, insurance company, etc.)?
For direct requests from a third-party, the physician or health care entity should follow TMB rules for release of PHI.
The TMB rules include guidelines for allowable charges, but any fees charged should reflect the actual cost to produce the copies. Physicians and health care entities should understand that the TMB charges should be considered maximum allowable charges. Please review the TMB rules in Chapter 165.2 Medical Records Release and Charges.
Below is an excerpt from the TMB rules:
(e) Allowable Charges.
(1) Paper Format.
B. A reasonable fee for providing the requested records in paper format shall be a charge of no more than $25 for the first twenty pages and $.50 per page for every copy thereafter.
(2) Electronic Format.
B. A reasonable fee for providing the requested records in electronic format shall be a charge of no more than: $25 for 500 pages or less; $50 for more than 500 pages.
(3) Hybrid Records Format.
B. A reasonable fee for providing the requested records in a hybrid format (partially in electronic format and partially in paper format) may be a combination of the fees as set forth in paragraphs (1) and (2) of this subsection.
(4) Other Charges.
If an affidavit is requested, certifying that the information is a true and correct copy of the records, whether in paper, electronic or hybrid format, a reasonable fee of up to $15 may be charged for executing the affidavit.
A physician may charge separate fees for medical and billing records requested.
Allowable charges for copies of diagnostic imaging studies are set forth in §165.3 of this title (relating to Patient Access to Diagnostic Imaging Studies in Physician's Office) and are separate from the charges set forth in this section.
(5) A reasonable fee for records provided in a paper, electronic or hybrid format may not include costs associated with searching for and retrieving the requested information, and shall include only the cost of:
copying and labor, including, compiling, extracting, scanning, burning onto media, and distributing media;
cost of supplies for creating the paper copy or electronic media (if the individual requests portable media) that are not prohibited by federal law;
postage, when the individual has requested the copy or summary be mailed; and
preparing a summary of the records when appropriate.
Are there any other circumstances under which we should NOT charge a fee for supplying records?
While the Privacy Rule permits fees as described above, there are other limited circumstances under which a physician or health care entity should not charge copying fees. For example:
- when the records are requested by a licensed Texas health care provider or any American or Canadian licensed physician for acute or emergency medical care; and
- to support an application for disability or other benefits or assistance under: Aid to Families with Dependent Children, Medicaid, Medicare, Supplemental Social Security Income, Federal Old-Age and Survivors Insurance, and Veteran's Benefits.
For more information, please review the most recent version of the TMB rules Chapter 165.2 Medical Records Release and Charges.
May I withhold copies of medical records due to inability to pay for copies or unpaid bill for health care services?
A physician or health care entity may not withhold or deny an individual access to their PHI because the individual has not paid the bill for health care services provided or is unable to pay fees for copies.
What about mental health records?
Pursuant to HIPAA regulations, if the medical record contains any notes sent from a mental health professional, those records cannot be re-disclosed without specific patient authorization, even under subpoena. HIPAA defines mental health professionals as psychiatrists, psychologists, and licensed professional counselors.