Patient Records Legal Primer

Here's a primer to help your medical practice maintain its patient records and avoid legal trouble.

Managing patient records these days is tricky business indeed. From OSHA and HIPAA to malpractice carriers and third-party payers, it seems everyone has a position on how healthcare providers must retain medical charts and to whom they can safely disclose them. If that’s not enough, most states have their own regulations for record retention - not to mention limits on how much practices can charge patients for copies of their chart. And now, with EHRs changing the rules of the game, it’s more important than ever that practices establish consistent record-keeping policies that minimize the risk of privacy violations, court sanctions, and even litigation.

“There are so many organizations out there with so many rules and regulations that it gets confusing,” says Cindy Dunn, a consultant with MGMA Health Care Consulting Group, adding that all practices should make record management a priority. “It’s best to put it down on paper. Make yourself a spreadsheet and list how long you’ll keep medical records, employment records, correspondence from vendors, and other important documents, and communicate your policy clearly to the staff.”

It helps, too, to put someone on staff (usually a CEO or administrator) in charge of compliance. After all, regulatory reform is a moving target. (For example, is your practice aware that under the Health Information Technology for Economic and Clinical Health Act of 2009 healthcare providers are now required to notify patients if their medical information was accessed by or disclosed to an unauthorized person?)

Here’s a look at some of the key points to remember when crafting a medical records policy that protects both your practice and your patients.

Record retention

For many providers, record retention is an endless source of confusion, in part because it falls under the purview of both federal and state regulators, but also because of the vast number of laws that address it - more than 10,000 federal, state, and local regulations specific to healthcare organizations, according to Mark Willard, a partner with Pittsburgh-based law firm Eckert Seamans Cherin & Mellott.

Typically, however, state health officials dictate a defined period for how long providers must maintain patient records, in what format they must be stored (secured databases for EHRs, locked and weather-proofed facilities for paper charts), and how they must be destroyed. Some states, including Michigan, also require providers to notify patients before their records are destroyed.

Absent state mandates, a good rule of thumb is to keep patient records for seven to 10 years after the last date of service, says Lydia Washington, director of practice leadership for the Chicago-based American Health Information Management Association.

There are a few exceptions. Records for minors, for example, should be held for two years past the patient’s age of majority, which is 20 in most states. Records related to workplace injuries in which the Occupational Safety and Health Administration was involved must be held for 30 years, and charts for veterans must be held for 75 years. If you have information that legal action is pending from one of your patients, you are also obligated to hold relevant records, or preserve them from destruction, “even if they’ve passed the retention deadline,” says Washington.

All practices should also be aware of their state’s statute of limitations for medical malpractice lawsuits, which may differ from the required record retention period, says Robert Iwrey, a healthcare attorney with The Health Law Partners in Southfield, Mich. “It’s very important that providers are cognizant of what those statutes are, because if you can be sued for malpractice over, say, a six-year period, you want to make sure that you keep those records at least that long regardless of any other state or federal requirement,” he says. Indeed, records are your best defense against future legal claims. “You might need to defend yourself based on your records and if you don’t have them it’s going to be a foregone conclusion.”

Lastly, providers should check the requirements of third-party payers (including Medicare) to ensure they keep their records for at least the length of time they can be requested. Under most contracts, insurance companies are entitled to audit your records for a fixed number of years. “If you don’t have those records, guess what? They get their money back,” says Iwrey. What’s worse, he notes, is if the insurance company detects a pattern of incomplete record keeping, it could result in civil monetary penalties, or even criminal charges. “If they start to question whether services were performed at all, they could go after you criminally for intent to defraud,” says Iwrey.

Some states also require that every interaction with a patient be entered into their medical record. “That makes sense when someone comes to your office, but where physicians get into trouble is a scenario where a relative, friend, or patient runs into them outside the office and says, ‘Hey Doc, I’ve got a sore throat,’ and the doctor says, ‘No problem,’ and writes them off a quick prescription. Or, there’s a short e-mail communication where the doctor gives some type of advice or prescribes something,” he says. “In some states, those interactions must be entered into a medical record.”

Failure to do so in Michigan, for example, can lead to licensing action. “If something happens to that patient and there was no record of the prescription or interaction, not only did you violate statute, but you also cast further suspicion upon your prescribing practices which can lead to licensing issues,” says Iwrey. “In healthcare today, unfortunately, documentation is everything.”

Though much of the focus on record retention concerns keeping documents long enough to protect your practice, bear in mind there is also a potential risk in holding onto them too long - particularly electronic data, says Willard. Federal rules have been recently amended (and adopted by many states) regarding the storage of electronic information, including health records, e-mail, and instant messaging, and their use in court proceedings.

If your electronic data is not properly maintained and produced as part of litigation, you can be charged with spoliation, which is the tampering with or destruction of data, says Willard. “A good policy is to destroy those records after the retention period has passed to protect yourself,” he says. It’s equally important, though, to destroy records consistently. “If the court finds out you destroyed relevant documents because they were old or past their retention deadline, but you kept others that were just as old, it appears you destroyed them knowingly,” says Willard. “That’s the risk of keeping them around.”

There’s also the expense to consider. By law, you’re required to provide to the courts any records they request at your own expense. “Most of these services used to retrieve electronic data charge by the gigabyte so it can cost hundreds of thousands of dollars just to produce the documents,” says Willard. “The plaintiff’s attorney is quite aware of that and they may use it to induce a settlement.”

Be especially diligent about e-mail, which is often where the trouble lies, says Willard. “People use it like a conversation so the comments made can be misconstrued, taken out of context, and very damaging,” he says. “E-mail generally should have a shorter retention period, but still comply with state mandates and statute of limitations.”

Record requests

By far, however, the biggest threat to practices involves the transfer or disclosure of patient records. Practices receive requests for medical charts all the time from specialists, patients, attorneys, and even insurance companies which review records for audit and pay-for-performance purposes. Not all requests should be treated equally. “This is a very litigious area,” warns Iwrey.

Let’s start with the big one. HIPAA allows the disclosure of patient records without specific patient permission only for the purposes of treatment, payment, and operations, also known as the “TPO exclusion.” That said, you’re generally covered when you share records with payers and other providers for the purposes of patient care, particularly if you have your patients sign a HIPAA privacy notice when they join your practice, says Lance LoRusso, an Atlanta litigation attorney who specializes in medical malpractice.

Keep in mind that under most insurance contracts, you are obligated to provide medical charts to third-party payers upon request, but you can only provide records from patients who are members of their plan. Providing records for nonmembers constitutes a HIPAA violation. Remember, too, that insurance carriers often ask to see the patient’s entire chart, but legally they’re only entitled to view the services provided during the months and years that patient has been covered by their plan. Those processing such requests in your office should check the effective dates of that patient’s coverage and provide only those records that fall within that time frame. It may be an added burden on your staff, but it’s a HIPAA violation if you don’t.

As far as disclosure to a third party is concerned, you are also generally covered if you obtain the patient’s signed consent form. “You can release anything to anyone with the patient’s permission,” says LoRusso, noting that physicians should put a copy of the signed release into the patient’s chart and make sure the staff is aware of the parameters such as the date and the person to whom information may be released. “If anyone ever has a question about releasing information to a third party, the safest way to go is to always get the patient’s permission and make sure the document used to obtain the information meets federal and state guidelines.”

If you are contacted by a malpractice attorney who is requesting documents as part of pretrial discovery or before a lawsuit is filed, and the patient has signed a consent form, you must legally provide those records within 30 days in most states. If they don’t have a consent form, do not comply. “Just tell them you’re not providing anything unless they have the signed authorization from the patient and let them know that whatever is being requested better fall squarely within the scope of that authorization,” says Iwrey. “You might get an aggressive attorney making all types of arguments that they’re entitled to the documents, but it’s important to stand your ground. Tell them that you need either a court order requiring you to produce it, or a signed authorization from the patient.”

And don’t forget to contact your insurance company immediately if you even think a lawsuit may be filed. Failure to notify them in a timely fashion could result in a denial of coverage if you get sued.

Copy charges

As patients become more proactive about their own healthcare, individual requests for medical records are on the rise, creating an added cost burden for cash-strapped practices. There are the labor hours involved in pulling and processing the chart, the time it takes to prepare an explanation or summary, and the expense of materials (postage, paper, computer disk, etc.).

While some practices chalk it up to business costs, others are now charging patients to reproduce their record. That decision is up to you, but how much you’re able to charge is anything but. According to HIPAA, practices may impose a “reasonable” cost-based fee for copying, including the labor costs of copying. The fee can also include the cost of any material used, including paper, computer disk, or postage, but practices may not charge for retrieving or handling the information or for processing the request.

HIPAA stopped short of setting per-page copy fees, leaving that up to the states. It varies, of course, but most states allow practices to charge anywhere from 25 cents to $1 per page. Check with your state medical society for copy fee limits in your state. Lastly, bear in mind that it’s neither legal nor ethical, according to the AMA, to withhold a patient’s medical record because of an unpaid bill.

Rules regulating patient records are in a constant state of flux, making it tough for smaller practices to comply. Yet, failure to do so can result in serious repercussions for providers. The best way to protect your office is to review your policies for record retention, document disclosure, and copy fees annually, with guidance from your state medical society or malpractice carrier. “Some practices are very good at this and others are sloppy,” says Dunn. “It’s up to the manager or CEO to set the guidelines for your employees. State laws are very clear and you need to define what they are for your practice.”

Shelly K. Schwartz, a freelance writer in Maplewood, N.J., has covered personal finance, technology, and healthcare for more than 12 years. Her work has appeared on,, and Healthy Family magazine. She can be reached via This article originally appeared in the May 2010 issue of Physicians Practice.
