The differences among records-and what’s legally required to be in them

March 15, 2019
Rachel V. Rose, JD, MBA
Rachel V. Rose, JD, MBA

Rachel V. Rose, JD, MBA, advises clients on compliance and transactions in healthcare, cybersecurity, corporate and securities law, while representing plaintiffs in False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website, www.rvrose.com.

Parsing out the various terms used in relation to a patient’s health record can be daunting. Here’s a primer to make the process less intimidating

“Lions and tigers and bears, oh my!” This line from The Wizard of Oz often comes to my mind when I present on the subject of the differentiating between a medical record, a designated record set, and a legal medical record. 

That’s only the first part of the equation. The second part involves the nuances of an electronic health record (EHR) versus an electronic medical record (EMR). Regardless of the term used, something that invariably arises with these presentations is a discussion about what information needs to be included in a patient’s medical record. 

Just getting started but thoroughly intimidated? Embarrassed to admit that after all these years you still don’t know what all these terms mean? Don’t be. Let’s begin with the basic definitions.

  • medical record, whether paper or electronic, can be thought of as the clinical aspects of patient care.

  • The designated record set is defined in 45 CFR § 164.501 and is more comprehensive than a medical record because it includes the billing items and releases.

  • The legal medical record is a combination of both a clinical medical record and a designated record set. It is the most comprehensive record and serves as the organization’s complete business record across the continuum of care. This includes text messages and emails to patients.

  • An electronic medical record (EMR) is a digital version of a traditional paper chart that contains a patient’s entire medical history from one practice.

  • An electronic health record (EHR) is a more comprehensive report of the patient’s overall health.

Now that you know the basics, let’s dig in to what a medical record must contain.

At a minimum, a medical record must include the patient’s identifying information, including name, date of birth, Social Security number, address, contact information, insurance information, emergency contact information, HIPAA Authorization, and advance directives.

Beyond those basics, the medical record must also include adequate clinical documentation that substantiates medical necessity, such as SOAP notes:

  • Subjective –a description of the patient’s current condition in narrative form, e.g., chief complaint or reason for seeking diagnosis or treatment

  • Objective–documents objective; repeatable and traceable facts about the patient’s status; and includes vital signs, labs, and other findings from the physical exam

  • Assessment–medical diagnosis for the medical visit and the date the note was written

  • Plan–the plan of treatment, next steps, and follow-up. 

The information included in the medical record should meet medical treatment protocols, which are based on scientific evidence and professional standards of care. (See §88.15, public health service.)

Tantamount to an accurate, complete and up-to-date medical record is an appreciation for the sensitive and personal information these records contain. It is important to always remember a patient’s right to privacy. It’s not just a HIPAA issue, it is a Constitutional issue. The Texas Court of Appeals ruling In re Columbia Valley Regional Medical Center, 41 S.W.3d 797, 802 (2001) established that, “there is a constitutional right of privacy in this case. Apart from any statutory or evidentiary privileges that apply, the medical records of an individual have been held to be within the zone of privacy protected by the United States Constitution.” 

Medical records must be comprehensive enough to substantiate medical necessity; appropriately identify the patient; accurately document insurance information; and have adequate technical, administrative, and physical safeguards in order to protect a patient’s privacy. 

Rachel V. Rose, JD, MBA, advises clients on compliance and transactions in healthcare, cybersecurity, corporate and securities law, while representing plaintiffs in False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website, www.rvrose.com.