The responsibility of managing medical records can provoke anxiety in any physician’s office. Medical records are confidential and personal documents, and the rules that govern them are complex and confusing.
Physician practices encounter many unique situations involving medical records. This article will help dispel the common myths about the retention, release, and management of patient health information.
MYTH 1 — Physicians must supply patients with copies of their medical records free of charge.
Truth — When determining allowable fees for copies of medical records, both federal and state regulations should be followed. Guidelines differ for release of records directly to the patient versus release of records to a third party. (1, 2)
The Office of Civil Rights (OCR) has updated guidelines on patients’ rights to obtain their medical records and how much providers can charge for copies. Chapter 45 of the Code of Federal Regulations Section 164.524 outlines patients’ rights to access their protected health information (PHI). Given the intricacies of the new rules, we recommend reviewing these FAQs and Chapter 45. Below are highlights from the rules. (1)
Fees to release directly to the patient
Flat-Rate of $6.50
The OCR has determined that a flat fee of $6.50 is a reasonable cost for the release of medical records directly to a patient. If the provider does not calculate a reasonable fee as outlined below, then the provider should charge the flat rate of $6.50 to the individual for copies of their PHI.
Charging more than $6.50
For any request from a patient, a covered entity (or business associate operating on its behalf) may calculate the allowable fees for providing patients with copies of their PHI:
- By calculating actual allowable costs to fulfill each request; or
- By using a schedule of costs based on average allowable labor costs to fulfill standard requests.
- Alternatively, in the case of requests for an electronic copy of e-PHI, covered entities may charge a flat fee not to exceed $6.50 (inclusive of all labor, supplies, and postage).
Charging a flat fee not to exceed $6.50 per request is an option for entities that do not want to go through the process of calculating actual or average allowable costs for requests for electronic copies of e-PHI.
When an entity chooses to use the average cost method or flat fee for electronic copies of PHI, the entity may receive an uncommon request that it had not considered when setting up its fee structure. In these cases, the entity may wish to calculate actual costs, and it may do so as long as the costs are reasonable and only of the type permitted by the Privacy Rule.
An entity that chooses to calculate actual costs must inform the individual in advance of the approximate fee that may be charged for providing the copy requested.
Health care professionals are urged to err on the side of caution when determining fees for release of records directly to the patient. While the HHS has published the guidelines above, these rules are intended to increase patients' access to their own records. (1, 3)
MYTH 2 — Physicians can deny access to a patient’s medical record because of a past due account.
Truth — A covered entity may not withhold or deny an individual access to their PHI because the individual has not paid the bill for health care services provided. While the Privacy Rule permits the limited fee as described, covered entities should provide individuals who request access to their information with copies of their PHI free of charge to avoid creating a barrier to access. (3)
MYTH 3 — Physicians can withhold copies of medical records until the requested copies are paid for.
Truth — Physicians are entitled to receive the fee for records preparation before releasing the records, except in these situations:
- When the records are requested by a licensed Texas health care provider or any American or Canadian licensed physician for acute or emergency medical care; and
- When the records are requested to support an application for disability or other benefits or assistance under: Aid to Families with Dependent Children, Medicaid, Medicare, Supplemental Social Security Income, and Federal Old-Age and Survivors Insurance, and Veteran's Benefits. (2)
MYTH 4 — When a patient requests copies of his or her medical records, the physician has 30 days from the date of request to supply the copies.
Truth — The physician has 15 business days (from the date the request is received) to respond to the request. (2)
If a physician denies the request, the physician “shall furnish the patient a written statement, signed and dated, within 15 business days of receipt of the request stating the reason for the denial and how the patient can file a complaint with the federal Department of Health and Human Services (if the physician is subject to HIPAA) and the Texas Medical Board. A copy of the statement denying the request shall be placed in the patient's medical and/or billing records as appropriate.” (2)
MYTH 5 — By law, physicians must give copies of medical records to family members of deceased patients.
Truth — Relatives do not always have access to a deceased patient's medical records. Access to these medical records is restricted by law to someone who is designated as a “personal representative” of the deceased. A “personal representative” is someone specifically named by the Texas Probate Code as having the authority, when appointed as such by the probate court, to transact business on the part of the estate. (4)
Before complying with a request, determine if you have the written authorization of the right person. Ask for evidence of the person's legal capacity to obtain the deceased's records. Often the duly authorized representative will have court-issued papers, called Letters Testamentary or Letters of Administration, reflecting his or her appointment as legal representative on behalf of the deceased. (4)
MYTH 6 — A physician is not required to release a minor’s medical record to the minor’s parent if the minor was treated for a condition that does not require parental consent, such as pregnancy.
Truth — Provisions in the Texas Family Code allow for a minor to consent to his or her own treatment under certain circumstances. However, a minor’s ability to consent to treatment may not preclude a parent’s access to any related medical records.
Under the Texas Family Code Section 153.073, the parent of a minor has access at all times to the medical, dental, psychological, or educational records of his or her child. HIPAA does not preclude this access under state law. (5)
Minor patients being treated for conditions that do not require parental consent should be warned that if their parent or guardian demands release of their medical record, the law requires the physician to do so. However, physicians may deny access to the minor’s medical record if they believe that release of the information would be harmful to the physical, mental, or emotional health of the patient. (5)
MYTH 7 — Privacy laws do not allow physicians to re-disclose copies of medical records that they have received from other health care providers.
Truth — According to the Texas Medical Practice Act, if the physician receives a valid medical records request, that physician must furnish copies or a summary of his or her own medical records, and copies of records received from other physicians or health care professionals involved in the care or treatment of the patient. The re-disclosure of information must be “consistent with the authorized purpose for which the information was first obtained.” (2)
If your office has acquired records from another physician or health care provider to supplement your medical care of the patient, then you may re-disclose the information to another physician or health care provider for the same reason. (1, 2, 6)
Mental health care records cannot be released unless the physician receives a specific HIPAA-compliant authorization. This mental health exception includes any information that the physician may have received from a mental health professional — psychiatrist, psychologist, or licensed professional counselor — related to treatment for a “mental or emotional condition or disorder, including alcoholism and drug addiction.” (6)
“If you are not a mental health care provider, but receive records, correspondence, etc. from the mental health providers of your patient, separate these records from the remainder of your patient care records so they will not inadvertently be forwarded with the other records when complying with a record request.” (6)
MYTH 8 — Physicians must keep medical records for all patients for 10 years.
Truth — For adults, all records must be kept for at least seven years from the date of the last treatment. (Hospitals are required to keep records for 10 years, so some physicians may choose to keep office records for 10 years also.)
For minors, records must be kept for at least seven years from the date of last treatment or until the child turns 21, whichever is longer. (2)
MYTH 9 — HIPAA rules do not allow physicians to fax copies of medical records.
Truth — Copies of medical records can be faxed. However, the law “requires adoption and implementation of reasonable safeguards for security of all health information. This includes safeguards for the transmission of health information via computer, facsimile and other modes of communication. Procedures for utilizing the fax machine should make every effort to prevent the release of confidential medical records and reports to unauthorized persons. Medical information should only be faxed for urgent or emergent care.” (1, 7)
Risk management tips for faxing medical records include:
- develop policies and procedures regarding faxed PHI;
- save the confirmation that the fax was received;
- tell the individual who will be receiving the fax when the records will be faxed so the person can secure the information;
- do not fax sensitive information such as HIV, mental health, or alcohol/drug abuse records unless necessary for emergency care;
- use a fax cover sheet that indicates the need to maintain confidentiality; and
- place your fax machine in an area away from patient traffic.
MYTH 10 — Physicians who use EMRs are less likely to be sued if a patient has a bad outcome.
Truth — EMRs come with their own set of caveats, and it’s important to address their risk management issues. (8, 9)
- Implement a strict policy regarding passwords and security. It is imperative that passwords only be used by the individuals to whom they were assigned.
- Ensure patient encounter records are locked. The information entered into the EMR is likely to be more accurate if done immediately after the visit. Include the date of dictation or date of transcription.
- Templates can import old or inaccurate information. Some EMRs re-populate the same data in their patient care templates for each subsequent visit. Some programs may also be set up so that specific complaints default to “resolved” if the physician or the patient does not renew that complaint on the next visit. Notes should be individualized for each patient encounter.
- Enable tracking mechanisms. Tracking systems can minimize exposure to allegations of failure to diagnose and can lead to better patient care.
- Establish a system to appropriately capture paper and other external clinical documents. These documents could include paper records used before implementing an EMR, diagnostic test results, consultant reports, hospital reports, or records from other physician offices.
- Prescriptions are not always captured in the EMR. If physicians who use EMRs are not e-prescribing, prescriptions should be captured by scanning the paper prescription into the EMR or fully documenting the name, dose, quantity, instructions, and refill amount.
- Ensure records are backed up reliably. The HIPAA security rule requires that patient data be backed up to ensure it can be retrieved if a hardware failure or other event occurs.
- Make sure the records are complete when providing printed copies. Be aware that clicking the print button on an EMR does not always provide a complete record.
1. Code of Federal Regulations. Chapter 45 Section 164.524. Available at https://www.govinfo.gov/content/pkg/CFR-2011-title45-vol1/pdf/CFR-2011-title45-vol1-sec164-524.pdf . Accessed April 15, 2021.
2. Texas Medical Board. TMB Rules Section 165.2 Medical Record Release and Charges. Available at https://www.tmb.state.tx.us/page/board-rules. Accessed April 15, 2021.
3. Texas Medical Liability Trust. Frequently Asked Questions, Risk Management, Medical Records. Available at https://www.tmlt.org/resources/frequently-asked-questions?risk-management,8. Accessed April 15, 2021.
4. Texas Medical Association. Access to medical records of a deceased patient. March 2015. Available at https://tma.custhelp.com/ci/fattach/get/74454/0/filename/Medical+Rec+Deceased+2015.pdf . Accessed April 15, 2021.
5. Texas Medical Liability Trust. Managing medical records releases for children and young adults. Webinar. July 30, 2020. Available at https://hub.tmlt.org/medical-records/managing-medical-record-releases-for-children-and-young-adults . Accessed April 15, 2021.
6. U.S. Department of Health and Human Services. Individuals’ right under HIPAA to access their health information 45 CFR Section 164.524. January 21, 2020. Available at https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html . Accessed April 15, 2021.
7. Centers for Medicare and Medicaid Services Medicare Learning Network. Medical privacy of protected health information. October 2019. Available at https://www.cms.gov/Outreach-and-Education/Medicare-Learning-Network-MLN/MLNProducts/downloads/se0726factsheet.pdf . Accessed April 15, 2021.
8. Brockway L. Potential pitfalls: Risk management for the EMR. April 2021. Available at https://hub.tmlt.org/medical-records/potential-pitfalls-risk-management-for-the-emr . Accessed April 15, 2021.
9. Texas Medical Liability Trust. What every physician should know: EHR best practices. June 4, 2015. Available at https://hub.tmlt.org/medical-records/ehr-best-practices . Accessed April 15, 2021.