Record Access and Retention Requirements

When using EHRs, keep patient record access in mind.

Risk Management

Record Access and Retention Requirements Create New Risks for D.C.

Many healthcare practitioners are transitioning to electronic health records. One temporary consequence is that many D.C.s are finding it difficult to meet requirements for record retention and patient access to their records.


Under the HIPAA Privacy Rule, a covered entity must provide patients a copy of their clinical records within 30 days and no later than 60 days of the patient’s request. As defined by HIPAA, a covered entity is a healthcare provider that transmits any health information in connection with transactions of billing and payment for services or insurance coverage. The request for records also becomes part of the patient’s record.

Patients Have a Right to Access Their Records

It is generally accepted that the D.C. or practice is the legal owner of clinical records generated during the care and treatment of patients. However, most states recognize patients have the right to access their own records.

A D.C.’s office must comply with patient requests to view their own clinical records (or to authorize someone other than the patient to have access to the record on behalf of the patient). At the same time, the practice has a duty to protect confidential information contained in the patient’s clinical record and should have protective policies and procedures in place to prevent inadvertent or unauthorized disclosure of the information.

These policies and procedures should also address the disposal of such information no longer needed. Documentation of these procedures and workforce training must be retained. Covered entities must notify any HIPAA business associate of any protected health information that no longer needs to be retained.

When patients request their records, they or their representatives should complete and sign the appropriate clinical record release form. (A representative may include a parent or legal guardian for a minor patient, someone holding power of attorney for the patient, or the executor of a deceased patient’s estate.)

Once the appropriate release has been signed, the D.C. should give the patient a copy—never the original—of the record in a timely fashion. If patients request a copy of their own records to transfer to another healthcare provider or for personal purposes, most states permit healthcare entities to charge a “reasonable” copying fee. One caveat—a patient’s record should never be held hostage to recoup outstanding charges. (For example: “We won’t release your records until your account is settled.”) Despite an outstanding balance or lack of payment for the copied records, a practice must comply with HIPAA and provide a copy of a patient’s records.

Most record statutes specifically address situations in which patient information may be released without the patient’s express permission. The records may be released, for example, in workers’ compensation cases, for court-ordered treatment and as required by statute.

Training Can Help

HIPAA, patient confidentiality and release of patient information and their documentation must be routine topics in new staff orientation, as well as staff in-service training.

Practices are required to implement policies and protocols to address requests for patient information and record releases without breaching patient confidentiality. Training should include how to handle requests from patients, other healthcare providers or facilities, third-party payers, or patients’ attorneys (in response to a subpoena or court order). D.C.s and their staff must tailor their record release policies and authorizations according to state requirements and maintain documentation of the handling of patient complaints.

State Regulations on Record Retention

Clinical record retention regulations often reflect the state’s statute of limitations, which are laws that set the maximum time after an event within which a legal action may be initiated. This helps ensure that necessary documentation will be available in the event of a lawsuit. If a lawsuit is filed against a D.C. and there are no clinical records for the patient on the incident in question, the defense of the D.C. will be next to impossible.

It is common for the statute of limitations to be extended to allow a minor patient to bring a clinical malpractice action for a designated period of time after reaching the age of majority. For that reason, D.C.s should have special retention procedures and schedules for the records of minor patients.

There are also states where the statute of limitations is extended when a patient did not learn of the causal relationship between an injury and the care rendered until later. In these cases, the statute begins to “run” upon discovery, not on the date on which the care or procedure occurred.

Moreover, some state regulations allow microfilming or other photographic reproduction of records, while others do not. Some states also may specifically address the retention of records for deceased patients or practices that have closed.

HIPAA Requirements

Although the HIPAA Privacy Rule does not specifically include clinical record retention requirements, its administrative simplification rules do. A covered entity must retain required documentation for six years from the date it was created or was last in effect, whichever is later.

HIPAA also requires that covered entities apply “appropriate administrative, technical, and physical safeguards to protect the privacy of clinical records and other protected health information (PHI) for whatever period such information is maintained by a covered entity, including through disposal.” HIPAA requirements preempt state laws only if states require shorter retention periods.

In addition, the Centers for Medicare & Medicaid Services require records of providers submitting cost reports to be retained in their original or legally reproduced form for a period of at least five years after the closure of the cost report. Because the stakes are high for noncompliance, it is prudent to have the practice’s legal counsel review policies for retention of compliance documentation.

Regardless of Storage Space, Confidentiality is Key

In addition to statutory requirements, a practice should consider its available resources and the cost to maintain documents for an extended period of time. Some practices may have all patient charts stored on-site; others may have to store some charts off-site due to physical storage space limitations.

With the transition to electronic records, physical storage space for patient records will become much less of an issue. However, electronic storage brings with it security and patient privacy risks. Backing up electronic clinical records is imperative, as is keeping the back-up documents off-site for safeguarding.

D.C. practices must protect patient information from breach or destruction—regardless of format. Security procedures should ensure that on-site or off-site physical storage environments for clinical records, whether in hard copy or electronic format, are kept secure. They also must be protected from physical damage, destruction or unauthorized disclosure so that patient confidentiality is not jeopardized. The importance of record encryption cannot be stressed enough with electronic health records.
 


Most states permit healthcare entities to charge
a reasonable copying fee for patient records.



The information in the NCMIC Learning Center is offered solely for general information and educational purposes. It is not offered as, nor does it represent, legal or professional advice. Neither does this information constitute a guideline, practice parameter or standard of care. You should not act or rely upon this information without seeking the advice of an attorney familiar with the specific legal requirements of the state(s) in which you practice. If there is a discrepancy between the site and an insurance policy you have with NCMIC, the policy will prevail.