Medical Records Laws

Medical Records Policy

Medical records laws and the rights of patients: HIPAA medical record policy on the privacy, security, ownership, and access of patient health records.

What Is A Medical Record?
A medical record is documentation of a patient's medical history and care. These records can be in paper or electronic form. A medical record may also be referred to as a medical chart or health record.

The medical record differs from the personal health record in that the medical record is created and stored by health care providers, whereas the personal health record is a more portable record maintained by the patient.

The privacy and security of medical records have become important because of the very personal nature of the information they contain. This has raised issues regarding access, accuracy, storage, and disposal of medical records.

The information contained in the medical record allows different health care providers to know the medical history and treatment of a patient. This helps prevent duplication of tests and treatment and ensures continuity of care.

A secondary use of medical records is research, education, or quality assurance by health care facilities such as hospitals. In these cases the records should be de-identified, so that the information that identifies the patient is removed or generalized before the data is used.

Medical records have traditionally been kept on paper. However, with the popularity of electronic medical records software, many are now maintained electronically. Medical records laws do not necessarily govern the form or media on which medical records are stored, although, as discussed below, the HIPAA security standard applies specifically to records kept in electronic form.

HIPAA (Health Insurance Portability and Accountability Act) does not itself define who owns a medical record; ownership is left to state law. The generally accepted position, reflected in most state medical records laws, is that the information contained in the medical record belongs to the patient, while the media containing the information or data (the paper chart or the electronic file) belongs to the organization maintaining the record. This could be a hospital, physician practice, clinic, etc.

HIPAA and most state medical records laws establish patients' rights to access their data. Patients also have the right to check that the information contained in their medical records is correct and to ask the provider to amend it.

Medical records are considered legal documents and are governed by the laws of the country and state where they are created. Because of this, there are differences between states in the medical records laws regarding creation, ownership, access, and destruction of medical records, details not covered by HIPAA or other federal medical records laws.

In the United States, the federal medical records law that addresses most issues for medical records is HIPAA, the Health Insurance Portability and Accountability Act. However, most states also have medical records laws that grant the patient certain rights regarding their medical records.

HIPAA medical records laws establish the rules regarding access in the United States. The basic guidance is that only the patient and the health care providers and staff involved in the patient's treatment, payment, and health care operations may view the records, and then only the minimum necessary for their role. The patient may authorize any other person or entity to see the record. The complete rules on access and security for medical records are defined in more detail by HIPAA as discussed below.

In general, most medical records laws allow someone else to access a patient's medical records when the patient is unable to. If a patient is not legally able to make decisions about their medical care, a legal guardian, determined by relation or appointed by the court, may access the patient's records. This is intended so the guardian or relative can make decisions on behalf of the patient when the patient is incapacitated.

In a medical emergency where the patient is not able to communicate, consent to access medical records is assumed unless otherwise documented.

As discussed by the U.S. Supreme Court in Jaffee v. Redmond, a patient's medical information may be shared with authorities when serious harm or death to the patient or others could otherwise result. This information cannot be used to charge a person with a crime; for example, drug testing results disclosed in this way cannot be used to bring charges against someone for possession of illegal substances.

Those conducting research or audits may also access medical records. However, the data that identifies the patient is not made available to them; the records are de-identified first unless the patient has authorized the use of the identified record.
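The two passages above say research and audit copies of a record should be de-identified but do not show what that means in practice. The following is an added example, not code from the original page, implementing the HIPAA Privacy Rule's Safe Harbor method (45 CFR 164.514(b)(2)): direct identifiers are dropped, dates are reduced to the year, ZIP codes are reduced to their first three digits (or "000" for sparsely populated areas), any age over 89 is reported as "90+", and free-text notes get a best-effort pattern scrub. The field names, the sample record, and the set of sparse ZIP prefixes are assumptions constructed for the example; the real prefix list must come from current Census data.

```python
"""Safe Harbor de-identification of a medical record (added example)."""
import re
from datetime import date

# Field names assumed for this example. Each carries one of the Safe Harbor
# direct identifiers and is removed outright.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "city", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric", "photo",
}
# Dates directly related to the individual: keep the year only.
DATE_FIELDS = {"date_of_birth", "admission_date", "discharge_date", "date_of_death"}

# Safe Harbor keeps the first three ZIP digits unless the three-digit area has
# 20,000 or fewer people; those become "000". Placeholder set for illustration.
SPARSE_ZIP3 = {"036", "059", "102", "203", "830"}

# Best-effort scrub of identifiers that leak into free text. This is a safety
# net, not a substitute for reviewing notes before release.
FREE_TEXT_PATTERNS = [
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),                # SSN
    re.compile(r"\b\(?\d{3}\)?[-.\s]\d{3}[-.]\d{4}\b"),  # US phone
    re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),          # email
    re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),          # IPv4 address
]


def age_on(dob: date, today: date) -> int:
    """Whole years between dob and today."""
    return today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))


def generalize_zip(zip_code: str) -> str:
    zip3 = str(zip_code)[:3]
    return "000" if zip3 in SPARSE_ZIP3 else zip3


def scrub_text(text: str) -> str:
    for pattern in FREE_TEXT_PATTERNS:
        text = pattern.sub("[REDACTED]", text)
    return text


def deidentify(record: dict, today: date) -> dict:
    """Return a Safe Harbor de-identified copy of `record`."""
    dob = record.get("date_of_birth")
    over_89 = dob is not None and age_on(dob, today) > 89
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue                                   # identifier: drop it
        if field == "zip":
            out[field] = generalize_zip(value)
        elif field in DATE_FIELDS:
            # Year only. A birth year that reveals an age over 89 is suppressed
            # into the single "90+" category, as Safe Harbor requires.
            if field == "date_of_birth" and over_89:
                out[field] = "90+"
            else:
                out[field] = str(value.year)
        elif field == "age":
            out[field] = "90+" if value > 89 else value
        elif isinstance(value, str):
            out[field] = scrub_text(value)             # notes, diagnosis text, etc.
        else:
            out[field] = value
    return out


# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "mrn": "MRN-0001",
    "name": "Jane Q. Sample",
    "date_of_birth": date(1920, 4, 12),
    "zip": "10302",
    "state": "NY",
    "phone": "212-555-0199",
    "admission_date": date(2011, 6, 3),
    "diagnosis": "E11.9",
    "notes": "Pt reached at 212-555-0199; SSN 123-45-6789 on file. Sister jane.sis@example.org.",
}
AS_OF = date(2011, 6, 3)   # fixed "today" so the example is deterministic


def deidentify_sample() -> dict:
    return deidentify(SAMPLE_RECORD, AS_OF)


if __name__ == "__main__":
    for k, v in deidentify_sample().items():
        print(f"{k}: {v}")
```

Safe Harbor is one of the two HIPAA de-identification routes; the other, Expert Determination, keeps more detail but requires a documented statistical analysis of re-identification risk. Either way, a field-level scrub like this only works if the export schema is known: identifiers hidden in unexpected columns or scanned documents are not caught.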

State Medical Records Laws
Most states have medical records laws that address issues such as record retention, access to records, what providers may charge for providing copies to a patient, etc. These may also cover patient rights to amend their records, to file complaints, and what happens if access is denied. State medical records laws typically complement the HIPAA requirements and address details not otherwise covered by the federal guidance. The easiest way to determine what your state's medical records laws require is a web search for medical records laws in your state.

In most states and jurisdictions of the United States, medical records laws treat falsification of medical records as a felony.

HIPAA Privacy Medical Records Laws
The HIPAA privacy standard establishes requirements for disclosing what the HIPAA privacy law calls Protected Health Information (PHI). PHI is individually identifiable information about a patient's health status, treatment, or payment for care. It can include name, social security number, address, birth date, insurance ID, telephone number, etc., together with the health information they are attached to; in practice, nearly anything related to a patient's medical history.

Most protected information is needed by providers and insurance payers to process claims. The HIPAA privacy standard does not require health care providers to obtain the patient's authorization to use or disclose PHI for treatment, payment, or health care operations, including submitting claims to insurance. Any use or disclosure outside those purposes (for example, marketing, or release to an employer) requires the patient's written authorization first. Most providers do have patients sign an acknowledgment of the notice of privacy practices, which explains how their information is used for insurance claims and informs them of their rights regarding release of their health information.

HIPAA privacy medical records laws give patients the right to request restrictions on how their information is disclosed to others. When their information is disclosed, it must be treated confidentially by all who view or use it. Patients have a right to request that their information be corrected if they believe it is not accurate.

For individuals who do restrict access to their PHI, many providers obtain their signed consent accepting the financial consequences of that decision. If insurance claims are not paid because the payer cannot access the patient's information, the patient bears the financial responsibility.

Penalties for Violating HIPAA Medical Records Laws
Violating the HIPAA privacy standard can result in costly penalties. The penalties as originally enacted in HIPAA are:

  • Civil: $100 per violation, not to exceed $25,000 per calendar year for violations of the same provision.
  • Criminal: up to $50,000 and/or up to one year in prison for anyone who knowingly obtains or discloses protected information.
  • Criminal: up to $100,000 and/or up to 5 years in prison if the information is obtained or disclosed under false pretenses.
  • Criminal: up to $250,000 and/or up to 10 years in prison if the offense is committed with intent to sell or use the information for commercial advantage, personal gain, or malicious harm.

The HITECH Act of 2009 replaced the civil tier with tiered penalties that scale with the level of negligence, from $100 to $50,000 per violation and up to $1.5 million per year for violations of the same provision, so the civil exposure today is far larger than the original figures suggest.

The Department of Health and Human Services requires the health care provider to use appropriate administrative, physical, and technical safeguards to protect the patient's information.

Examples of privacy violations are leaving patient charts in open areas where anyone passing by can view them, or office staff openly discussing patient information where everyone can hear, such as in a reception area. Providing information to your employer without your authorization is also a violation.

Patient information can be shared, without a separate authorization, for payment of providers or facilities for their services, with family members you have authorized, to protect the public from outbreaks of contagious diseases, or in support of law enforcement investigations where the law permits.

In summary, the HIPAA privacy medical records laws give patients more access to their medical records and more control over how this information is used and disclosed. The HIPAA privacy standard also defines the responsibilities of providers and insurers when using patient information for treatment and payment of health care.

HIPAA Security Medical Records Laws
The HIPAA security medical records laws, or security standards, complement the HIPAA privacy requirements. Where the privacy requirements apply to all patient Protected Health Information (PHI) in any form, the security standards apply specifically to PHI that is stored or transmitted electronically.

The security standards provide guidance for establishing and implementing policies to guard electronic information and to deal with compromises of its security. Use of Electronic Protected Health Information (EPHI) is critical to a provider's business and important to patient care.

The HIPAA security standard defines three categories of safeguards: administrative, physical, and technical.

Administrative Safeguards
Administrative safeguards require implementation of policies and procedures to prevent, detect, contain, and correct security violations. The starting point is a risk analysis: identify the electronic patient information the provider creates, receives, maintains, or transmits, and where it lives. This may be on computer workstations, laptops, servers, or mobile devices.

The provider should ensure that security measures are in place to reduce the risks found. These may be administrative, physical, or technical: locking doors to rooms containing EPHI, password-protecting computers or files, or locating monitors away from public areas.

The provider should also develop and implement policies that define specific actions when security is violated.

Healthcare providers should conduct security awareness training for all members of their workforce, including management.

A Contingency Plan should also be established with policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.

This would apply to electronic information from sources that should be backed up, such as practice management software, accounting systems, electronic medical records, digital diagnostic images, electronic test results, or other electronic documents containing patient information. This information should be backed up to a physically separate location, and the backups themselves contain EPHI: they should be encrypted, and restoring from them should be tested periodically, since an untested backup is not a contingency plan.

A covered entity (the healthcare provider) may permit a business associate to create, receive, maintain, or transmit electronic protected health information on their behalf only if the covered entity obtains satisfactory assurances that the business associate will appropriately safeguard the information.

This means having written contracts (business associate agreements) with the provider's vendors that document their obligation to comply with the HIPAA security standard. Typically this applies to software vendors, billing services, cloud hosting providers, and similar.

Physical Safeguards
Facility Access Control – Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.

The provider office should have means to prevent unauthorized physical access, tampering, or theft of electronic patient health records. This would include locking doors, warning signs, surveillance cameras, alarms, staff identification, and security cables on computers. It is also suggested that the practice document specifically how modifications to the facility or building protect patient records.

Workstation Use – Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information.

This would involve security measures to protect workstations that hold electronic patient information, such as privacy screens, password-protected screen savers, and logging off the workstation when not present.

Device and Media Controls – Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility.

The HIPAA security standard requires destruction of electronic patient information on equipment or media that is no longer used, and before media is reused. An example would be software to erase hard drives when upgrading computers. Note that a file-system delete or a quick format does not remove the data, and on solid-state drives even overwriting is unreliable; follow a recognized sanitization standard such as NIST SP 800-88 (cryptographic erase or physical destruction where appropriate) and keep a record of what was sanitized. Other provisions of this standard require creation of a retrievable, exact copy of patient files before the equipment they are stored on is moved.

Technical Safeguards
Access Control – Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights.

Each user of the practice management system should have a unique identifier (no shared logins) so that their activity can be tracked and logged by the system, which is what the standard's audit controls requirement calls for. Access should be limited to what each role needs, and the system should automatically log off users after a period of inactivity so that an unattended workstation does not give unauthorized users access.

Transmission Security – Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network. In practice this means encrypting EPHI in transit (for example, TLS for web and API traffic, and encrypted transfer or an encrypted attachment rather than plain email) and checking that it arrives unaltered.

In summary, compliance with the HIPAA security standard can be demanding even for a small practice. A good approach is to become familiar with these standards and conduct an assessment of the practice's systems (or the business's systems, if it is a business associate) to identify where changes need to be made to meet the intent of the HIPAA security standard.

Revisions to Privacy Rules
The federal government has proposed changes to the HIPAA privacy rules. These proposed rules from HHS would give the patient the right to an access report that shows who accessed their electronic health information. This includes medical records, billing records, or any other information used to make payment or treatment decisions that is maintained electronically.

Currently, healthcare providers must keep track of who accesses electronic medical records, but they do not have to provide this information to patients. Under the proposed rules, patients could request an access report that shows the identities of everyone who electronically viewed their medical information.

These changes add requirements to the current HIPAA regulations and are authorized by the HITECH Act, which was part of the 2009 stimulus package (the American Recovery and Reinvestment Act).
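The technical safeguards section above (unique user identifiers, activity logging, automatic logoff, role-limited access) and the access report described in this section are two sides of the same mechanism: if every read of a record is attributed to one user and logged, the access report is just a query over that log. The following is an added example, not code from the original page, showing a toy record store that enforces those controls and produces the per-patient report. The role names, field lists, 15-minute timeout, and sample users and records are assumptions constructed for the example.

```python
"""EPHI access control, audit trail and per-patient access report (added example)."""
from datetime import datetime, timedelta

SESSION_TIMEOUT = timedelta(minutes=15)   # assumed automatic-logoff policy

# Minimum-necessary view per role (assumed). None means the full clinical record;
# billing staff see only what claims processing needs.
ROLE_FIELDS = {
    "physician": None,
    "nurse": None,
    "billing": {"patient_id", "insurance_id", "charges"},
}


class AccessDenied(Exception):
    pass


class Session:
    def __init__(self, user_id, role, started_at):
        self.user_id = user_id            # unique per workforce member, never shared
        self.role = role
        self.last_activity = started_at


class RecordStore:
    def __init__(self, records, users):
        self._records = records           # patient_id -> record dict
        self._users = users               # user_id -> role
        self.audit_log = []               # append-only; ship to write-once storage in production

    def _log(self, at, user_id, patient_id, action, outcome):
        self.audit_log.append({"at": at, "user_id": user_id, "patient_id": patient_id,
                               "action": action, "outcome": outcome})

    def login(self, user_id, at):
        role = self._users.get(user_id)
        self._log(at, user_id, None, "login", "ok" if role else "denied:unknown-user")
        if role is None:
            raise AccessDenied(f"unknown or deprovisioned user {user_id}")
        return Session(user_id, role, at)

    def read(self, session, patient_id, at):
        # Automatic logoff: an idle session is rejected, and the attempt is logged.
        if at - session.last_activity > SESSION_TIMEOUT:
            self._log(at, session.user_id, patient_id, "read", "denied:session-expired")
            raise AccessDenied("session expired, log in again")
        session.last_activity = at
        if session.role not in ROLE_FIELDS:
            self._log(at, session.user_id, patient_id, "read", "denied:role")
            raise AccessDenied(f"role {session.role} may not read records")
        record = self._records.get(patient_id)
        if record is None:
            self._log(at, session.user_id, patient_id, "read", "denied:no-such-patient")
            raise AccessDenied("no such patient")
        self._log(at, session.user_id, patient_id, "read", "ok")
        allowed = ROLE_FIELDS[session.role]
        return dict(record) if allowed is None else {k: v for k, v in record.items() if k in allowed}

    def access_report(self, patient_id):
        """(time, user) for every successful read of this patient's record."""
        return [(e["at"], e["user_id"]) for e in self.audit_log
                if e["patient_id"] == patient_id and e["action"] == "read" and e["outcome"] == "ok"]

    def denied_events(self):
        """Failed attempts, the first thing to review when investigating misuse."""
        return [e for e in self.audit_log if e["outcome"].startswith("denied")]


# Constructed sample data; not real users or patients.
T0 = datetime(2011, 6, 3, 9, 0)
SAMPLE_USERS = {"dr.lee": "physician", "billing.ana": "billing"}
SAMPLE_RECORDS = {"P001": {"patient_id": "P001", "name": "Jane Q. Sample", "diagnosis": "E11.9",
                           "insurance_id": "INS-4471", "charges": 180.00}}


def minutes_after(n):
    return T0 + timedelta(minutes=n)


def run_scenario():
    """A morning's activity: two valid reads, one idle-timeout denial, one bad login."""
    store = RecordStore(SAMPLE_RECORDS, SAMPLE_USERS)
    doc = store.login("dr.lee", T0)
    store.read(doc, "P001", minutes_after(5))          # full record
    clerk = store.login("billing.ana", minutes_after(8))
    store.read(clerk, "P001", minutes_after(10))       # billing fields only
    for attempt in (lambda: store.read(doc, "P001", minutes_after(30)),   # 25 min idle
                    lambda: store.login("ex.employee", minutes_after(31))):  # removed account
        try:
            attempt()
        except AccessDenied:
            pass
    return store


if __name__ == "__main__":
    s = run_scenario()
    for at, user in s.access_report("P001"):
        print(f"{at:%Y-%m-%d %H:%M}  {user}")
```

The point of logging the denials alongside the successes is that the same log serves both purposes: the access report the patient may request lists only successful views, while the security team looks at the denied entries (expired sessions, unknown accounts, role mismatches) for signs of snooping or a stale account that was never deprovisioned.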


In summary, medical records laws are established to protect the privacy and security of patient information. They also set out the rights of a patient to determine who has access to their records, how the information is used, and to challenge the accuracy of their medical records.
