The responsibility of managing medical records can provoke anxiety in any physician's office. Medical records are confidential and personal documents, and the rules that govern them are often complex and confusing. Physician practices encounter many unique situations involving medical records. This article will help dispel the common and pervasive myths that surround the retention, release, and management of patient health information.
MYTH 1: PHYSICIANS MUST ALWAYS SUPPLY PATIENTS WITH COPIES OF THEIR MEDICAL RECORDS FREE OF CHARGE.
TRUTH: How much a physician can charge for copies of medical records is a commonly asked question. According to the Texas Medical Board (TMB) Rules, "The physician responding to a request for such information shall be entitled to receive a reasonable, cost-based fee for providing the requested information. A reasonable fee shall be a charge of no more than $25 for the first twenty pages and $.50 per page for every copy thereafter." (1)
The physician is entitled to this fee before releasing the information, unless requested by a licensed Texas health care provider or a physician for purposes of emergency or acute medical care. If a request for information is received other than for emergency or acute medical care, the physician can retain the copies until payment is received.
However, if the physician does not receive payment with a proper request—within 10 calendar days after receiving the request (if not for an emergency or acute medical care)—the physician must notify the requesting party in writing of the need for payment, and keep a copy of the letter in the patient's medical record.
In an emergency situation, physicians should not withhold copies of the medical records until payment is made. (2) If the request involves a claim for disability benefits, the records must be provided free of charge. (2)
MYTH 2: PHYSICIANS CAN DENY ACCESS TO A PATIENT'S MEDICAL RECORD BECAUSE OF A PAST DUE ACCOUNT.
TRUTH: Copies of a patient's medical records cannot be withheld because of outstanding medical bills. According to the TMB, "Medical and/or billing records requested pursuant to a proper request for release may not be withheld from the patient, the patient's authorized agent, or the patient's designated recipient for such records based on a past due account for medical care or treatment previously rendered to the patient." (1)
MYTH 3: PHYSICIANS MUST GIVE COPIES OF MEDICAL RECORDS TO FAMILY MEMBERS OF DECEASED PATIENTS, NO QUESTIONS ASKED.
TRUTH: Relatives do not always have access to a deceased patient's medical records. Access to these medical records is restricted by law to someone who is designated as a "personal representative" of the deceased. A "personal representative" is someone specifically named by the Texas Probate Code as having the authority, when appointed as such by the probate court, to transact business on the part of the estate. (3)
"Rather than comply unquestioningly with a request of this sort, ascertain that you have the written authorization of the right person. Ask for evidence of the person's legal capacity to obtain the deceased's records. Often the duly authorized representative will have court-issued papers, called Letters Testamentary or Letters of Administration, reflecting his or her appointment as legal representative on behalf of the deceased." (2)
MYTH 4: MEDICAL RECORDS MUST BE KEPT UNDER "LOCK AND KEY."
TRUTH: While medical records do not need to be locked away, they should be stored in an area that is inaccessible to patients. Medical records should not be stored in hallways, waiting rooms, exam rooms, or in any area where unauthorized individuals could access the records.
MYTH 5: A PHYSICIAN IS NOT REQUIRED TO RELEASE A MINOR'S MEDICAL RECORD TO THE MINOR'S PARENT IF THE MINOR WAS TREATED FOR A CONDITION THAT DOES NOT REQUIRE PARENTAL CONSENT, SUCH AS PREGNANCY.
TRUTH: Provisions in the Texas Family Code Section 32.003 allow for a minor to consent to his or her own treatment if the minor:
However, a minor's ability to consent to treatment may not preclude a parent's access to any related medical records. Under the Texas Family Code (Section 153.073) the parent of a minor has access at all times to the medical, dental, psychological, or educational records of his or her child. HIPAA does not preclude this access under state law. (2)
Minor patients being treated for conditions that do not require parental consent should be warned that if their parent/guardian demands release of their medical record, the law requires the physician to do so. However, physicians may deny access to the minor's medical record if they believe that release of the information would be harmful to the physical, mental, or emotional health of the patient. (2)
MYTH 6: WHEN A PHYSICIAN RECEIVES A REQUEST FROM ANOTHER PHYSICIAN FOR A PATIENT'S MEDICAL RECORD, STAFF SHOULD JUST COPY AND SEND THE ENTIRE RECORD.
TRUTH: Provided that the physician received valid written authorization for disclosure of the health information from the patient or an authorized representative, he or she must send everything contained in the record except any records that relate to mental health care. Mental health care records cannot be released unless the physician receives a specific HIPAA-compliant authorization.
The mental health exception includes any information that the physician may have received from a mental health professional—psychiatrist, psychologist, or licensed professional counselor—related to treatment for a "mental or emotional condition or disorder, including alcoholism and drug addiction." (2)
"If you are not a mental health care provider, but receive records, correspondence, etc. from the mental health providers of your patient, divide these records from the remainder of your patient care records (e.g. with a divider) so they will not inadvertently be copied and forwarded with the other records when complying with a record request." (2)
MYTH 7: PRIVACY LAWS DO NOT ALLOW PHYSICIANS TO RE-DISCLOSE COPIES OF MEDICAL RECORDS THAT THEY HAVE RECEIVED FROM OTHER HEALTH CARE PROVIDERS.
TRUTH: According to the Texas Medical Practice Act, if the physician receives a valid medical records request, that physician must furnish copies or a summary of his or her own medical records, and copies of records received from other physicians or health care professionals involved in the care or treatment of the patient. The re-disclosure of information must be "consistent with the authorized purpose for which the information was first obtained." (2)
"If your office has acquired records from another physician or health care provider to supplement your medical care of the patient, then you may re-disclose the information to another physician or health care provider for the same reason." (2)
Precautions already outlined in Myth 6 about mental health information still pertain. Mental health records cannot be released unless the physician receives a specific HIPAA-compliant authorization. (2)
MYTH 8: PHYSICIANS MUST KEEP MEDICAL RECORDS FOR ALL PATIENTS FOR 10 YEARS.
TRUTH: According to TMB rules, all medical records for adult patients must be kept for at least seven years from the date of the last encounter. Records for minor patients must be kept for at least seven years from the date of the last encounter or until the child turns 21, whichever is longer. (4) These same guidelines apply to the retention of medical records for deceased patients. (2)
MYTH 9: PHYSICIANS CAN DISCARD THE MEDICAL RECORDS THAT THEY ARE NO LONGER REQUIRED TO KEEP BY THROWING THEM IN THE TRASH.
TRUTH: According to the American Health Information Management Association (AHIMA), medical records should be destroyed so there is no possibility of reconstruction of information. Appropriate methods include burning or shredding. The AHIMA also recommends that physicians:
MYTH 10: A PHYSICIAN WHO IS CLOSING A PRACTICE AND WILL NO LONGER BE TREATING PATIENTS CAN GIVE HIS OR HER PATIENTS THE ORIGINAL COPIES OF THEIR MEDICAL RECORDS.
TRUTH: Patients should never be given original copies of medical records. If a lawsuit occurs at any time in the future, the physician will not have a copy of the medical record available to defend the case.
The TMB has specific rules that physicians must follow when closing their practices, including notices to patients providing an opportunity to obtain copies of medical records. These rules also include information on the transfer of ownership of medical records. Please refer to TMB rules sections 165.1 to 165.5. (4,6)
MYTH 11: HIPAA RULES DO NOT ALLOW PHYSICIANS TO FAX COPIES OF MEDICAL RECORDS.
TRUTH: Copies of medical records can be faxed. However, the law "requires adoption and implementation of reasonable safeguards for security of all health information. This includes safeguards for the transmission of health information via computer, facsimile and other modes of communication. Procedures for utilizing the fax machine should make every effort to prevent the release of confidential medical records and reports to unauthorized persons. Medical information should only be faxed for urgent or emergent care." (2)
Risk management tips for faxing medical records include the following:
MYTH 12: WHEN A PATIENT REQUESTS COPIES OF HIS OR HER MEDICAL RECORDS, THE PHYSICIAN HAS 30 DAYS FROM THE DATE OF REQUEST TO SUPPLY THE COPIES.
TRUTH: According to TMB rules, "The requested copies of medical and/or billing records or a summary or narrative of the records shall be furnished by the physician within 15 business days after the date of receipt of the request and reasonable fees for furnishing the information. (1) Please see Myth 2 for information on how much a physician can charge for copies of medical records.
MYTH 13: PHYSICIANS ARE ALLOWED TO "CLARIFY" PAST ENTRIES IN MEDICAL RECORDS AFTER AN UNEXPECTED OUTCOME OR NOTICE OF CLAIM.
TRUTH: The TMB documentation rules do not allow physicians to alter medical records unless they clearly indicate that this is what they are doing. "Any amendment, supplementation, change, or correction in a medical record not made contemporaneously with the act or observation shall be noted by indicating the time and date of the amendment, supplementation, change, or correction, and clearly indicating that there has been an amendment, supplementation, change, or correction." (4)
Additionally, altering a medical record after an unexpected outcome can be detrimental. The changes may look suspicious or it may appear that the physician is "beautifying" the medical record to cover up damaging information. "Addendums to the medical record may be allowed if done in a timely manner and clearly identified. Include the date and time, a reference to the date and time of the actual encounter, reason for the addendum, the added information, and author's signature." (7)
MYTH 14: PHYSICIANS DO NOT NEED TO INITIAL OR SIGN ENTRIES IN MEDICAL RECORDS.
TRUTH: TMB rules require that, "each licensed physician of the board shall maintain an adequate medical record for each patient that is complete, contemporaneous, and legible." This includes the "date and legible identity" of the physician or other observer who made the entry. (4)
Signing an entry in the medical record is necessary to reflect the identity of each person and to clearly reveal what is done by those who are allowed to document information in the record.
MYTH 15: USING AN ELECTRONIC MEDICAL RECORD (EMR) SYSTEM MEANS THAT MEDICAL RECORDS CANNOT BE STOLEN OR LOST.
TRUTH: EMRs are not impervious to theft, tampering, or loss. The U.S Department of Health and Human Services (HHS) offers the following suggestions for EMR security:
Additionally, it is recommended that users should never share passwords and patient encounter notes should be locked after the entry is complete. (9)
Special care should be taken with laptops. In February 2008, a laptop was stolen from a researcher at the National Institutes of Health. The laptop contained medical information on more than 3,000 people who were participating in a study. American Medical News called the incident "an example of why physicians and other health care professionals must remain vigilant about the security of patient data." (10)
HHS offers the following suggestions on how to prevent the loss or theft of a laptop that contains medical information.
To protect against the loss of data in an EMR system, ensure that data is being backed up reliably. Back-ups can and do fail, and this could result in the loss of all patient records.
"Creating a back-up data set is only the first step. The back-up record must be tested regularly to ensure that all appropriate data are being copied, and that data restoration is possible. Testing should occur for all back-up types, including in-house creation on a removable hard drive or for processes that send the information over the Internet for offsite storage. Even if an EMR vendor is providing offsite back up, physicians are advised to confirm that the data is created appropriately." (9)