Penalties for mismanaging medical records are steep. Punitive damages (not covered by insurance policies) and court-imposed sanctions are two of the penalties often assessed for the failure to produce a medical record at trial. Mismanagement of records or improper disclosure of protected health information (PHI) can lead to regulatory sanctions and network exclusions, and could affect licensure, accreditation, and Medicare and Medicaid reimbursement and participation. To complicate things, medical record management is governed by a myriad of laws on both the state and federal levels. Legal requirements for medical record management are not universal for all physician group practices — the rules vary depending on the type of medical practice that you operate and your practice's home state.
What is a "medical record"?
It is important to define what is included in a patient's medical record. This definition will not only determine the overall scope of the policy, but will also raise awareness among your staff of its responsibility to protect and appropriately manage all components of the patient's medical record — not just those components with which they are most familiar.
In defining "medical record" for your practice's policy, keep in mind that a "record" is any recorded information, regardless of medium or characteristics. A "medical record" includes both clinical and non-clinical information, from the patient's medical history and demographics to relevant clinical research and financial data. There is no one-size-fits-all definition, and your practice should clearly define a "medical record" as it relates to the systems in place at your individual practice.
Is the medical record stored in a secure, yet easy-to-access manner?
To protect against unauthorized access and release, your practice's medical record management policies should address the physical security of paper-based documents, electronic record system security measures, and personnel access to both electronic and paper records. Consult with your practice's legal counsel to determine whether your policies comply with state and federal laws regarding the storage and release of PHI. In doing so, make sure you and your lawyer talk about the following issues:
• Creating policies and procedures pertaining to both the on-site and off-site storage of medical records.
• Accurately labeling and storing records to aid in record retrieval and prevent improper access and/or destruction.
• Establishing functional redundancy to allow for medical record storage system back-up should the primary storage system fail.
• Entering into Business Associate Agreements with any outside vendors with whom the practice may contract to store, retrieve, and/or destroy medical records on behalf of the practice.
• Tailoring policies and procedures to address special considerations pertaining to electronic medical records (e.g., password protection and encryption, storage and protection of metadata).
How long should the medical record be retained?
Retention requirements vary by state, but a general rule is to hold records for 10 years from the date of the last visit for adult patients, and 10 years from the date the patient turns 18 for minor patients. Keep in mind that your state may place additional requirements on retention of certain records (e.g., register of deaths, advance directives, immunization records). Work with your practice's legal counsel to develop an easy-to-follow retention schedule. When possible, request a written copy of retention guidelines from medical malpractice carriers to ensure compliance.