By Claire Turcotte, Esq.
Most physician practices have policies and procedures, whether formal or informal, for maintaining, producing and retaining medical records. Often things are done “the way we have always done them.” While this approach is probably adequate most of the time, many physician practices remain unclear about certain legal requirements affecting medical record-keeping. As a result, they are not confident that their current practices meet legal requirements. To help address this problem, this article clarifies many commonly ill-understood aspects of medical record-keeping.
What is Included in a Medical Record? Surprisingly, just what constitutes the “medical” record is often a point of confusion for physician practices. Under Pennsylvania law a medical record is all “clinical information pertaining to the patient which has been accumulated by the physician, either by himself, or through his agents.” According to the Pennsylvania Medical Society, the patient’s medical record includes results of diagnostic tests, x-rays, physician notes, and any records from prior treating or consulting physicians. This means that when a patient brings records from one physician to another physician, those records should become part of the latter physician’s medical record. In addition, Pennsylvania law does not expressly include a patient’s billing or business records in the medical record. As a result, some practices elect to maintain business records separately from medical records.
How Should My Practice Respond to Subpoenas or Other Requests for Records?
Patient Requests. As most physician practices are aware, the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) gives patients the right to access their own medical records. Post-HIPAA, the best practice is to require the patient to sign a HIPAA Authorization requesting a copy of the medical record.
Original Records or Not? Under Pennsylvania law, the physician owns the medical record, but the patient has a right to access or obtain a copy of the original medical record. HIPAA also gives patients the right to access their original medical record or to receive a copy. However, neither federal nor Pennsylvania law gives a patient the right to remove the original medical record.
In the case of requests by attorneys, neither HIPAA nor applicable State or federal rules of civil procedure require a physician practice to give the requesting attorney the original record, unless a subpoena or court order so indicates. Generally, a photocopy of the medical record is sufficient.
HIPAA and Subpoenas. HIPAA requires a health care provider to obtain “satisfactory assurances” that the patient whose records are being requested has received notice of the subpoena or request and has not objected to it. Therefore, physician practices must ensure that they obtain HIPAA “satisfactory assurances” before they produce the records. In many instances, “satisfactory assurances” will have been obtained before the subpoena is received by the physician practice.
For example, Pennsylvania (county court) rules require a party to a lawsuit to receive prior notice that a subpoena will be issued and to have an opportunity to object. The requestor can issue the subpoena only after the allotted time to object has expired. Thus, the physician practice can infer from its receipt of the subpoena that a party (patient) received prior notice and did not object. By contrast, in federal court cases, a physician practice should request proof that the patient or his attorney was served with a copy of the subpoena at least 20 days prior, and did not object, before producing the records. Occasionally, the patient may not be a party to the lawsuit. In those cases, the best approach is to first obtain a HIPAA Authorization signed by the patient or the patient’s “personal representative” (discussed further below).
Requests For Deceased or Incapacitated Patients’ Records. Physician practices should not assume that they are free to give copies of a deceased patient’s medical records to an attorney or family member. As discussed above, HIPAA gives the right of access to the individual whose records are involved. If the individual is legally unable to act, such as after death, then a physician practice may disclose the individual’s records only to the individual’s “personal representative,” as defined in HIPAA. For a deceased individual, a “personal representative” is “an executor, administrator, or other person [who] has authority to act on behalf of a deceased individual or of the individual’s estate.” Therefore, before a physician practice can disclose a decedent’s records, the practice must obtain proof, such as a “short certificate” from the county register of wills appointing the executor. With that paper in hand, it may release the records to the decedent’s “personal representative.” This same approach applies if an adult patient lacks the legal capacity to give consent to medical treatment. The physician practice may release the incapacitated adult’s medical records only to a “personal representative,” who must be someone with authority under Pennsylvania law to make health care decisions for the incapacitated adult.
Requests For Minor Patients’ Records. A patient may exercise the right to access records under HIPAA only if the individual is old enough to consent to treatment under state law. In Pennsylvania, for most purposes, this is age 18. Otherwise, the minor’s parent, or another person who has the legal right under Pennsylvania law to consent to the minor’s medical treatment (the “personal representative” as discussed further above), such as the minor’s court appointed legal guardian or another person acting in loco parentis, may receive the records.
What Should My Practice Charge for Record Requests?
Charging Patients. Each year Act 26 sets fees that physicians may charge for retrieving and copying medical records. However, HIPAA prohibits a physician practice from charging the patient for the costs of locating and retrieving the medical record. As a result, when a patient requests a medical record, a physician practice cannot charge the patient the “retrieval fee” established under Act 26. Of course, neither HIPAA nor Pennsylvania law requires charging patients for medical records. Accordingly, physician practices may elect to charge or not to charge patients for records at their discretion.
Charging Attorneys and Insurers. HIPAA does not prohibit charging attorneys or insurers a search and retrieval fee.
Charges may also be assessed for the actual cost of postage, shipping, and delivery. The charge list does not apply to an X-ray or any other portion of a medical record that is not susceptible to photo static reproduction. Moreover, different rules apply to records requests by the government, such as a district attorney’s office.
How Should My Practice Handle “Superconfidential Records?“
So-called “superconfidential” medical records containing drug and alcohol, mental health and HIV information are subject to more stringent federal and State laws governing confidentiality and release. As a result, physician practices must take steps to determine if the medical records requested contain “superconfidential” information and to comply with applicable requirements. Below is a brief overview of the most common requirements for release of “superconfidential” records.
Drug and Alcohol and Mental Health Records. Drug and alcohol records and mental health records include any records of a drug or alcohol or mental health treatment, facility or program. Arguably, even references to such treatments, facilities or programs contained in a physician practice’s medical records are “superconfidential.” Generally, a physician practice can release these “superconfidential” records only upon a court order or upon receipt of a HIPAA Authorization signed by the patient indicating that the records to be released contain drug and alcohol or mental health record information. Note that special HIPAA requirements apply to psychotherapy notes.
HIV or AIDS Information. A physician practice can release HIV or AIDS records only upon a court order or upon receipt of a HIPAA Authorization signed by the patient indicating that the records to be released contain HIV or AIDS information. In addition, requests with patient consent must be accompanied by a specific statement as follows:
“This information has been disclosed to you from records protected by Pennsylvania law. Pennsylvania law prohibits you from making any further disclosure of this information unless further disclosure is expressly permitted by the written consent of the person to whom it pertains or is authorized by the Confidentiality of HIV-Related Information Act. A general authorization for the release of medical or other information is not sufficient for this purpose.”
If the records contain “superconfidential” information, the physician practice may elect to produce the records with the “superconfidential” portions of the record redacted, accompanied by a letter stating that the physician practice is in possession of additional records containing information that it believes cannot be released without a court order or the patient’s written consent. Alternatively, it may retain the whole record and send a similar explanatory letter.
In Pennsylvania, physician offices must retain patient records for seven years after the last treatment or visit. Physicians generally must retain records of minors for the longer of two years after the patient reaches age 18 or seven years. In addition, because a physician practice is also a business, physician practices should adopt records retention policies that address retention requirements for both medical and business records.
Claire Turcotte, Esq. is Senior Attorney/Of Counsel at Bricker & Eckler LLP, Cincinnati-Dayton, Ohio where she represents hospitals and hospital systems, physician practices, and other health care providers. She formerly practiced in Northeastern Pennsylvania.