Setting the Record Straight: Dispelling 15 Common Medical Record Myths

The responsibility of managing medical records can provoke anxiety in any physician's office. Medical records are confidential and personal documents, and the rules that govern them are often complex and confusing. Physician practices encounter many unique situations involving medical records. This article will help dispel the common and pervasive myths that surround the retention, release, and management of patient health information.

MYTH 1: PHYSICIANS MUST ALWAYS SUPPLY PATIENTS WITH COPIES OF THEIR MEDICAL RECORDS FREE OF CHARGE.

TRUTH: How much a physician can charge for copies of medical records is a commonly asked question. According to the Texas Medical Board (TMB) Rules, "The physician responding to a request for such information shall be entitled to receive a reasonable, cost-based fee for providing the requested information. A reasonable fee shall be a charge of no more than $25 for the first twenty pages and $.50 per page for every copy thereafter." (1)

The physician is entitled to this fee before releasing the information, unless requested by a licensed Texas health care provider or a physician for purposes of emergency or acute medical care. If a request for information is received other than for emergency or acute medical care, the physician can retain the copies until payment is received.

However, if the physician does not receive payment with a proper request—within 10 calendar days after receiving the request (if not for an emergency or acute medical care)—the physician must notify the requesting party in writing of the need for payment, and keep a copy of the letter in the patient's medical record.

In an emergency situation, physicians should not withhold copies of the medical records until payment is made. (2) If the request involves a claim for disability benefits, the records must be provided free of charge. (2)

MYTH 2: PHYSICIANS CAN DENY ACCESS TO A PATIENT'S MEDICAL RECORD BECAUSE OF A PAST DUE ACCOUNT.

TRUTH: Copies of a patient's medical records cannot be withheld because of outstanding medical bills. According to the TMB, "Medical and/or billing records requested pursuant to a proper request for release may not be withheld from the patient, the patient's authorized agent, or the patient's designated recipient for such records based on a past due account for medical care or treatment previously rendered to the patient." (1)

MYTH 3: PHYSICIANS MUST GIVE COPIES OF MEDICAL RECORDS TO FAMILY MEMBERS OF DECEASED PATIENTS, NO QUESTIONS ASKED.

TRUTH: Relatives do not always have access to a deceased patient's medical records. Access to these medical records is restricted by law to someone who is designated as a "personal representative" of the deceased. A "personal representative" is someone specifically named by the Texas Probate Code as having the authority, when appointed as such by the probate court, to transact business on the part of the estate. (3)

"Rather than comply unquestioningly with a request of this sort, ascertain that you have the written authorization of the right person. Ask for evidence of the person's legal capacity to obtain the deceased's records. Often the duly authorized representative will have court-issued papers, called Letters Testamentary or Letters of Administration, reflecting his or her appointment as legal representative on behalf of the deceased." (2)

MYTH 4: MEDICAL RECORDS MUST BE KEPT UNDER "LOCK AND KEY."

TRUTH: While medical records do not need to be locked away, they should be stored in an area that is inaccessible to patients. Medical records should not be stored in hallways, waiting rooms, exam rooms, or in any area where unauthorized individuals could access the records.

MYTH 5: A PHYSICIAN IS NOT REQUIRED TO RELEASE A MINOR'S MEDICAL RECORD TO THE MINOR'S PARENT IF THE MINOR WAS TREATED FOR A CONDITION THAT DOES NOT REQUIRE PARENTAL CONSENT, SUCH AS PREGNANCY.

TRUTH: Provisions in the Texas Family Code Section 32.003 allow for a minor to consent to his or her own treatment if the minor:

• is on active duty with armed forces of the United States;
• is 16 years of age or older; resides separately and apart from his or her parents, managing conservator or guardian; and manages his or her own financial affairs, regardless of the source of income;
• consents to the diagnosis and treatment of any infectious, contagious, or communicable disease that is required to be reported;
• is unmarried and pregnant, and consents to hospital, medical or surgical care, other than abortion, related to her pregnancy;
• consents to examination and treatment for chemical addiction, chemical dependency, or any other condition directly related to chemical use; and/or
• consents to counseling or counseling in conjunction with treatment by a physician, psychologist, counselor, or social worker if the treatment and/or counseling is for sexual abuse, physical abuse, suicide prevention, chemical addiction, dependency or abuse. (2)

However, a minor's ability to consent to treatment may not preclude a parent's access to any related medical records. Under the Texas Family Code (Section 153.073) the parent of a minor has access at all times to the medical, dental, psychological, or educational records of his or her child. HIPAA does not preclude this access under state law. (2)

Minor patients being treated for conditions that do not require parental consent should be warned that if their parent/guardian demands release of their medical record, the law requires the physician to do so. However, physicians may deny access to the minor's medical record if they believe that release of the information would be harmful to the physical, mental, or emotional health of the patient. (2)

MYTH 6: WHEN A PHYSICIAN RECEIVES A REQUEST FROM ANOTHER PHYSICIAN FOR A PATIENT'S MEDICAL RECORD, STAFF SHOULD JUST COPY AND SEND THE ENTIRE RECORD.

TRUTH: Provided that the physician received valid written authorization for disclosure of the health information from the patient or an authorized representative, he or she must send everything contained in the record except any records that relate to mental health care. Mental health care records cannot be released unless the physician receives a specific HIPAA-compliant authorization.

The mental health exception includes any information that the physician may have received from a mental health professional—psychiatrist, psychologist, or licensed professional counselor—related to treatment for a "mental or emotional condition or disorder, including alcoholism and drug addiction." (2)

"If you are not a mental health care provider, but receive records, correspondence, etc. from the mental health providers of your patient, divide these records from the remainder of your patient care records (e.g. with a divider) so they will not inadvertently be copied and forwarded with the other records when complying with a record request." (2)

MYTH 7: PRIVACY LAWS DO NOT ALLOW PHYSICIANS TO RE-DISCLOSE COPIES OF MEDICAL RECORDS THAT THEY HAVE RECEIVED FROM OTHER HEALTH CARE PROVIDERS.

TRUTH: According to the Texas Medical Practice Act, if the physician receives a valid medical records request, that physician must furnish copies or a summary of his or her own medical records, and copies of records received from other physicians or health care professionals involved in the care or treatment of the patient. The re-disclosure of information must be "consistent with the authorized purpose for which the information was first obtained." (2)

"If your office has acquired records from another physician or health care provider to supplement your medical care of the patient, then you may re-disclose the information to another physician or health care provider for the same reason." (2)

Precautions already outlined in Myth 6 about mental health information still pertain. Mental health records cannot be released unless the physician receives a specific HIPAA-compliant authorization. (2)

MYTH 8: PHYSICIANS MUST KEEP MEDICAL RECORDS FOR ALL PATIENTS FOR 10 YEARS.

TRUTH: According to TMB rules, all medical records for adult patients must be kept for at least seven years from the date of the last encounter. Records for minor patients must be kept for at least seven years from the date of the last encounter or until the child turns 21, whichever is longer. (4) These same guidelines apply to the retention of medical records for deceased patients. (2)

MYTH 9: PHYSICIANS CAN DISCARD THE MEDICAL RECORDS THAT THEY ARE NO LONGER REQUIRED TO KEEP BY THROWING THEM IN THE TRASH.

TRUTH: According to the American Health Information Management Association (AHIMA), medical records should be destroyed so there is no possibility of reconstruction of information. Appropriate methods include burning or shredding. The AHIMA also recommends that physicians:

• "Develop methods to destroy computerized data permanently and irreversibly. (Pulverization is an appropriate means.)
• Reassess destruction methods annually.
• Document the destruction as follows:
• Date of destruction,
• Method of destruction,
• Description of disposed series, and
• Inclusive dates covered." (5)

MYTH 10: A PHYSICIAN WHO IS CLOSING A PRACTICE AND WILL NO LONGER BE TREATING PATIENTS CAN GIVE HIS OR HER PATIENTS THE ORIGINAL COPIES OF THEIR MEDICAL RECORDS.

TRUTH: Patients should never be given original copies of medical records. If a lawsuit occurs at any time in the future, the physician will not have a copy of the medical record available to defend the case.

The TMB has specific rules that physicians must follow when closing their practices, including notices to patients providing an opportunity to obtain copies of medical records. These rules also include information on the transfer of ownership of medical records. Please refer to TMB rules sections 165.1 to 165.5. (4,6)

MYTH 11: HIPAA RULES DO NOT ALLOW PHYSICIANS TO FAX COPIES OF MEDICAL RECORDS.

TRUTH: Copies of medical records can be faxed. However, the law "requires adoption and implementation of reasonable safeguards for security of all health information. This includes safeguards for the transmission of health information via computer, facsimile and other modes of communication. Procedures for utilizing the fax machine should make every effort to prevent the release of confidential medical records and reports to unauthorized persons. Medical information should only be faxed for urgent or emergent care." (2)

Risk management tips for faxing medical records include the following:

• develop policies and procedures for sending and receiving faxed information;
• print a confirmation that the fax was received;
• tell the individual who will be receiving the fax when the records will be faxed so the person can secure the information;
• do not fax sensitive information such as HIV, mental health, or alcohol/drug abuse records unless necessary for emergency care;
• use a fax cover sheet that indicates the need to maintain confidentiality; and
• install your fax machine in an area away from patient traffic. (2)

MYTH 12: WHEN A PATIENT REQUESTS COPIES OF HIS OR HER MEDICAL RECORDS, THE PHYSICIAN HAS 30 DAYS FROM THE DATE OF REQUEST TO SUPPLY THE COPIES.

TRUTH: According to TMB rules, "The requested copies of medical and/or billing records or a summary or narrative of the records shall be furnished by the physician within 15 business days after the date of receipt of the request and reasonable fees for furnishing the information. (1) Please see Myth 2 for information on how much a physician can charge for copies of medical records.

MYTH 13: PHYSICIANS ARE ALLOWED TO "CLARIFY" PAST ENTRIES IN MEDICAL RECORDS AFTER AN UNEXPECTED OUTCOME OR NOTICE OF CLAIM.

TRUTH: The TMB documentation rules do not allow physicians to alter medical records unless they clearly indicate that this is what they are doing. "Any amendment, supplementation, change, or correction in a medical record not made contemporaneously with the act or observation shall be noted by indicating the time and date of the amendment, supplementation, change, or correction, and clearly indicating that there has been an amendment, supplementation, change, or correction." (4)

Additionally, altering a medical record after an unexpected outcome can be detrimental. The changes may look suspicious or it may appear that the physician is "beautifying" the medical record to cover up damaging information. "Addendums to the medical record may be allowed if done in a timely manner and clearly identified. Include the date and time, a reference to the date and time of the actual encounter, reason for the addendum, the added information, and author's signature." (7)

MYTH 14: PHYSICIANS DO NOT NEED TO INITIAL OR SIGN ENTRIES IN MEDICAL RECORDS.

TRUTH: TMB rules require that, "each licensed physician of the board shall maintain an adequate medical record for each patient that is complete, contemporaneous, and legible." This includes the "date and legible identity" of the physician or other observer who made the entry. (4)

Signing an entry in the medical record is necessary to reflect the identity of each person and to clearly reveal what is done by those who are allowed to document information in the record.

MYTH 15: USING AN ELECTRONIC MEDICAL RECORD (EMR) SYSTEM MEANS THAT MEDICAL RECORDS CANNOT BE STOLEN OR LOST.

TRUTH: EMRs are not impervious to theft, tampering, or loss. The U.S Department of Health and Human Services (HHS) offers the following suggestions for EMR security:

1. "Use a log-in password that is not easily guessed. Make it at least 8 characters long and composed of upper- and lower-case letters, numbers, and symbols such as '#' and '&.'
2. Immediately change the default password on new laptops.
3. Never set the log-in dialog box to remember your password.
4. Use a password-protected screen saver that comes on after several minutes of inactivity.
5. Keep antivirus and spyware programs up-to-date, and use them.
6. Keep operating-system and application software patched with the latest security fixes.
7. Back up your data to a location other than the laptop hard drive. Keep CDs and floppy disks separate from your laptop.
8. Disable the infrared port. Laptops can read other laptops' data from across a conference table. Cover the infrared port with black electrical tape." (8)

Additionally, it is recommended that users should never share passwords and patient encounter notes should be locked after the entry is complete. (9)

Special care should be taken with laptops. In February 2008, a laptop was stolen from a researcher at the National Institutes of Health. The laptop contained medical information on more than 3,000 people who were participating in a study. American Medical News called the incident "an example of why physicians and other health care professionals must remain vigilant about the security of patient data." (10)

HHS offers the following suggestions on how to prevent the loss or theft of a laptop that contains medical information.

1. " Do not leave your laptop unattended in an unsecured environment — even for a few seconds. When considering precautions, remember that thieves look for easy targets.
2. In the office, store the laptop in a locked drawer and lock your door.
3. Consider attaching a security cable, and wrap the cable around an unmovable, unbreakable object.
4. Most laptops come with a socket that can be attached to a security cable. If yours doesn't, your cable may come with an adhesive-backed attachment that will fasten the cable to the laptop. On the cable itself, a cylinder lock is stronger than a combination lock. While cable cutters could easily slice through the wire cables, from a thief's perspective, they are conspicuous.
5. Instead of using a laptop carrying case — especially one with the manufacturer's name on the outside — consider putting the laptop in a padded case, then in a backpack, briefcase, or other ordinary-looking holder.
6. Never leave a laptop visible in a vehicle. Cover it with something, such as a blanket, or put it in the trunk. Do not leave laptops in vehicles for extended periods. Winter lows can freeze and split LCD screens. Summer temperatures can melt components.
7. Think about additional security devices, such as laptop alarms and hard-drive locks. Remember that while they work, they add bulk and cost, and delay your use of the computer. Some machines come with fingerprint readers." (8)

To protect against the loss of data in an EMR system, ensure that data is being backed up reliably. Back-ups can and do fail, and this could result in the loss of all patient records.

"Creating a back-up data set is only the first step. The back-up record must be tested regularly to ensure that all appropriate data are being copied, and that data restoration is possible. Testing should occur for all back-up types, including in-house creation on a removable hard drive or for processes that send the information over the Internet for offsite storage. Even if an EMR vendor is providing offsite back up, physicians are advised to confirm that the data is created appropriately." (9)

SOURCES

1. Texas Medical Board. TMB rules Section165.2. Medical Record Release and Charges. Available at http://www.tmb.state.tx.us/rules/rules/bdrules_toc.php. Accessed June 23, 2008.
2. Texas Medical Liability Trust. Heath information release for ambulatory health care facilities. Available at http://www.tmlt.org/publications/riskpubs/Health_Information_Release.pdf. Accessed April 24, 2008.
3. Texas Medical Association. TMA FAQs. Access to medical records of a deceased patient. Available at http://rightnow.texmed.org/Scripts/rightnow.cfg/php.exe/enduser/std_alp.php?p_prod_lvl1=3. Accessed June 23, 2008.
4. Texas Medical Board. TMB rules Section165.1. Medical Records. Available at http://www.tmb.state.tx.us/rules/rules/bdrules_toc.php. Accessed June 23, 2008.
5. Texas Medical Association. TMA FAQs. Destruction of eligible medical records. Available at http://rightnow.texmed.org/Scripts/rightnow.cfg/php.exe/enduser/std_alp.php?p_prod_lvl1=3. Accessed June 25, 2008.
6. Texas Medical Board. TMB rules Section165.5. Transfer and disposal of medical records. Available at http://www.tmb.state.tx.us/rules/rules/bdrules_toc.php. Accessed June 23, 2008.
7. Brockway L. 10 things that get physicians sued. the Reporter. September-October 2006. Available at http://www.tmlt.org/publications/resources/. Accessed June 23, 2008.
8. Department of Health and Human Services. Laptop computer security. May 2, 2007. Available at http://www.hhs.gov/ocio/securityprivacy/laptop_computer_security.pdf. Accessed June 23, 2008.
9. Brockway L. Potential pitfalls risk management for the EMR. the Reporter. March-April 2007. Available at http://www.tmlt.org/publications/resources/. Accessed June 23, 2008.
10. Hansen D. Stolen laptop compromises privacy of NIH study subjects. Am Med News. April 21, 2008. Available at http://www.ama-assn.org/amednews/2008/04/21/gvsd0421.htm. Accessed June 23, 2008.