UNIVERSITY OF HOUSTON
COLLEGE OF OPTOMETRY
UNIVERSITY EYE INSTITUTE
CLINIC BUSINESS OFFICE • POLICY 10.0
May 21, 2008
The Medical Record Department's primary purpose is to provide "service" in support of
good patient care. To provide the best service, it is essential that accurate record keeping
be maintained and that the clinic records are readily available.
A medical record is a legal document that should be sufficiently detailed and contain all
significant clinical information pertaining to the patient. Clinic records of patients treated
at the College of Optometry are the property of the University Eye Institute and are not to
be removed or reproduced without proper authorization or in accordance with a subpoena,
court order, or statute.
Unauthorized removal of patient records from the Clinic/College is grounds for
The clinic record serves several purposes. It is used to:
1. Document the course of the patient's treatment
2. Communicate between the doctors and other professionals contributing to patient
3. Provide continuity of care on subsequent visits by the patient
4. Review, study, and evaluate patient care by clinic or faculty/staff committees
5. Provide data for: third parties concerned with the patients; other doctors and
health care facilities; insurance companies; compensation carriers; attorneys;
6. Provide data to assist in protecting the legal interest of the patient, the University
Eye Institute, faculty/staff
7. Provide data for research, study, and education
The Medical Record Department offers its services Monday through Friday from 8:00
a.m. to 5:00 p.m. to those who utilize medical records for any of the above purposes.
Any employee in the Clinic Business Office will be able to assist in the retrieval of
medical records. One or more of these individuals are available to assist in the provision
of the following:
Master Patient Index
For every patient there exists a clinic record number. A "folder number" is established,
which means all data for a patient is filed in one folder under one number. To locate a
patient's clinic record it is essential to have the correct spelling of the person's name and
personal identification (such as date of birth) to differentiate between persons with the
same names. Issuing new clinic record numbers and cataloguing them is a daily function
in the Medical Record Department.
Records are pulled on a routine basis for scheduled clinic appointments. Additional
records for this or other purposes may be requested by telephone or in person in the
Medical Record Department. The following information must be provided, in order for a
record to be pulled promptly and accurately:
1. The patient's full name.
2. The clinic record number, if known.
3. Date of birth.
4. Approximate date of last visit.
6. Name of person and/or Clinic responsible for the record.
Note: Items 3, 4, and 5 are not required, if the folder number is known.
The procedure that must be followed whenever a record is transferred from the original
requester to another professional is to take the record to the Service Coordinator who will
transfer the record to the correct Service. Records may remain outside the Medical
Record Department for a maximum of seven days for purposes other than immediate
patient care. The requester will be held responsible for the record until its return to the
Medical Record Department. If the record is needed at any time by the Record
Department, the requester must return the record immediately.
Guidelines for Medical Record Documentation
The following are important guidelines for health professionals because they preserve the
integrity of a clinical record. Without the cooperation of all personnel, the accuracy of
the records may suffer.
1. The patient's name and clinic folder number must be clearly visible on every form
generated for the record. Without this proper identification, the data is
2. All entries on the medical record must be dated on the day the entry is made and
signed by the responsible individual. These entries must be written in black or
dark blue ink to photocopy or microfilm satisfactorily.
3. Erasures and other alterations of the record must be avoided. To correct an error,
rule lightly through the error so that it can be easily read. All corrections must be
initialed and dated by the person making the correction.
Processing a Clinical Record
Following a patient visit, the clinical record must be reviewed for appropriate
documentation and signatures by the Service Coordinators or their designee. Incomplete
records are filed in the appropriate doctor's file within a particular Service. Deficiencies
must be eliminated within 48 hours of the appointment and the record returned to the
Medical Record Department. The Medical Record Department requires that all
outstanding records, not completed in the individual clinics within seven days, be
returned to the Medical Record Department on the eighth day. After 8 days, doctors must
request and complete their charts from the Medical Record Department. If, after seven
more days the incomplete records in the Medical Record Department have not been
completed, the coordinator of the Clinic Business Office will inform the Executive
Director of the UEI.
Failure to comply within this period will constitute a breach of policy as set forth by the
Clinic Council and will be addressed by the Executive Director of the UEI.
Quality Review of Record Documentation
In order to maintain consistent, comprehensive record documentation, a system of Peer
Review is utilized. Following procedures and criteria established by the Clinic Faculty,
records are reviewed routinely for content and completeness. Deficiencies are monitored
and corrective measures are implemented at the discretion of the Executive Director of
Release of Information
The patient is entitled to the protection of his/her personal and medical information. All
patient care information is regarded as confidential and is available only to authorized
Due to the varied nature of the requests and the desire to provide the best continuation of
care for the patient, all requests received by the Medical Record Department for patient
information will be referred to the appropriate doctor or Service Coordinator for
processing. The clinic record will be pulled and delivered to the Service along with the
written request and authorization if one is provided.
Requests made by telephone will also be referred to the appropriate Service with
available information to aid in making the return call.
Authorization for Release of Information.
A valid authorization for release of information should contain:
1. Name of the institution that is to release the information.
2. Name of the individual/institution to receive the information.
3. Patient identification to include full name, address, and date of birth.
4. Purpose or need for the information.
5. Extent or nature of the information to be released (inclusive date of treatment).
6. Date that consent is signed.
7. Signature of patient or the patient's legal representative.
A legible photocopy of an authorization is considered valid.
Record Retention Policy
Clinical records are retained in hard copy (original form) on all patients for five (5) years
past the date of the last exam or visit, at which time they are considered inactive.
Annually, all inactive records are purged from the active files and scanned to electronic
image storage. The hard copy files will then be destroyed. This is in full compliance
with the Statute of Limitations of the State of Texas.
TO: Clinical Faculty
FROM: Nick Holdeman, O.D., M.D.
Director of Clinics
SUBJECT: Patient Medical Records: A Guide for Physicians
DATE: March 11, 1992
(Update: July, 1996)
(Update: February, 2007)
(Update: January, 2008)
The Harris County Medical Society has prepared for physicians the following guidelines
on patient medical records. The information has been taken from several publications in
an attempt to provide physicians with a simple and condensed reference on the subject.
Specific questions or legal advice should be obtained from the physician's attorney, the
Office of the General Counsel of the Texas Medical Association 1-800-880-1300, x 1340,
or x 1341, or the attorney for the carrier of your professional liability insurance.
1. Is a physician obligated to forward to another physician the medical records
of a former patient? A physician who formerly treated a patient should not
refuse, for any reason, to make his records of that patient promptly available on
request to another physician presently treating the patient. Proper authorization
for the use of records must be granted by the patient.
2. Should a physician obtain a written release from a patient before releasing
medical records? Proper authorization for the use of records must be granted by
the patient. Before releasing medical records, the physician must receive from the
patient a signed, written authorization which states (1) the records which are to be
covered by the release, (2) the reasons or purposes for the release, and (3) the
person to whom records are to be released.
The record is a confidential document involving the physician-patient relationship
and should not be communicated to a third party without the patient's prior
written consent, unless required by law or to protect the welfare of the individual
or the community.
3. What is included by the term "medical records"? Medical records means any
records pertaining to the identity, diagnosis, evaluation, or treatment of a patient
by a physician that are created or maintained by a physician.
4. Who owns a patient's medical records? Notes made in treating a patient are
primarily for the physician's own use and constitute his/her personal property.
However, a physician shall furnish (1) copies of medical records, (2) a summary
or (3) a narrative report of the medical records, pursuant to a written consent for
release of the information.
5. May the physician charge a fee for the time and expense involved in
forwarding this information? The physician shall furnish the information
within a reasonable period of time and may charge reasonable fees for furnishing
the information to be paid by the patient or someone on his behalf.
6. Is a physician obligated to forward medical records to an attorney -- or
anyone other than the patient -- without a subpoena? On proper written
authorization from the patient, a physician should provide a copy or a summary of
the record to the patient or to another physician, an attorney, or other person
designated by the patient.
7. Are there situations when it would be appropriate for a physician to legally
refuse release of records? Texas law provides that a physician may refuse to
release medical records if the physician determines that access to the information
would be harmful to the physical, mental, or emotional health of the patient.
Please note that a physician may delete confidential information about another
person who has not consented to the release.
8. What should a physician do with patients' records upon retirement or
relocation? If the physician is leaving his practice for any reason (retirement,
relocation, etc.) patients should be notified that copies of their records will be
made available to them or to another physician if they provide the signed, written
authorization described above.
9. Is it legal for a physician to sell his practice? It is both legal and ethical to sell
a medical practice. However, the purchaser must agree to make records of any
patient treated by the selling physician available to subsequent physicians, or to
other persons the patients' designate. If a physician is selling his medical practice,
he may wish to duplicate all files to be maintained in his possession to provide
information in the future and to aid in his defense should he be sued. If such
duplication is prohibitive in terms of expense, then he may wish to enter into an
agreement with the physician purchasing his practice to maintain the records.
Patients may designate the recipient of their records -- even if it is the patient
himself. In any event, the physician should send a copy of the records to the
physician or patient and maintain the original records in his possession.
10. How long should a physician keep patient records? The statute of limitations
of liability suits is two years for adults; however, the courts have created various
exceptions. Therefore, it is suggested that the physician maintain the records for a
greater length of time -- perhaps 10 years. This provides additional time for those
injuries which may not be discoverable (injuries as a result of foreign objects left
in the body, vasectomies, fraudulent concealment, radiation treatment, etc.) within
the two year limitations period. The medical records for care provided to minors
should be retained at least until the minor's 20th birthday, i.e., age 18 plus two
years. A physician may wish to check with his/her professional liability insurance
carrier to determine if the carrier has recommendations regarding a retention
period for medical records.
11. May a physician refuse to forward medical records if a patient has an
outstanding bill? It is unethical for a physician to refuse or to delay improperly
in responding to a valid request for transfer of a former patient's medical records
because of an unpaid bill.
12. Is a physician obligated to forward the information if an attorney calls and
requests medical records on a patient who is suing that physician or that
physician's colleague(s)? A patient is entitled to obtain complete and unaltered
copies of his medical records from the physician he/she is suing. Therefore, if a
patient's attorney who is suing a physician requests records, that physician should
comply with the request with proper written authorization from the patient and
after notifying his professional liability insurance company. If a patient's attorney
who is suing a colleague requests medical records, the physician should comply
with the request after being provided with a written authorization from the patient.
13. Do the same general rules apply to retention of records on a deceased
patient? It is suggested that all adult records be kept 10 years whether the patient
is deceased or not.
14. What should a physician do if his office is served with a subpoena for
medical records? The physician should call the patient or patient's attorney and
state that he has been served with a subpoena for that patient's records. The
physician should then ask for the attorney or the patient to supply him with a
written authorization releasing those records. Following this procedure assures
that the patient will not later claim that the subpoena was defective and that the
physician released confidential information. If a patient's attorney does not want
the records released, he/she should move the court to quash the subpoena so that
the physician will not have to reveal the medical records.
A brochure on this subject is available through the Texas Medical Association.
Titled "Code for Physician and Attorneys of Texas," the brochure was developed
by the TMA Committee on Liaison with the State Bar of Texas and the State Bar
Committee on Coordination with other professional groups and is designed to
achieve a better understanding between the medical and legal professions.
This condensed information contains quotations from the Medical Practice Act of Texas,
the Current Opinions of the Texas Medical Association Board of Councilors (November
1986), and Current Opinions of the Council on Ethical and Judicial Affairs of the
American Medical Association (1986).
Also referenced in the preparation of this publication were "Medicine and the Law"
articles in Texas Medicine, "Medical Records--Retention and Release" (October 1983)
and "Is there a statute of limitations in a medical professional liability lawsuit?" (April
(Update: July, 1996)
The Texas State Board of Medical Examiners (TSBME) has approved fees that
physicians may charge for providing patients with copies of their medical records. The
fees are $25 for the first 20 pages and 15 cents per page thereafter, plus the cost of
mailing, shipping, or delivery.
Amendments to the Medical Practice Act of Texas adopted by the Texas Legislature last
year define medical records as “any records pertaining to the history, diagnosis, treatment
or prognosis of the patient, including copies of medical records of other health-care
practitioners contained in the records of the physician to whom a request for release of
records has been made.” The amendments provide that:
1. Physicians shall furnish copies or a summary of the records within 30 days after
receiving a written request unless he or she determines that access to the
information would be harmful to the patient's physical, mental, or emotional
health. The physician may delete confidential information about another person
who has not consented to the release.
2. If the request is denied, either in whole or in part, the physician must give the
patient a signed and dated written statement giving the reason for the denial and
place a copy of it in the patient's medical records.
3. Physicians may not charge for copies of records if the request comes from a
licensed Texas health-care provider or physician licensed by any US state or
territory or Canada for the purpose of emergency or acute medical care.
4. If a proper request is received for purposes other than emergency or acute care, the
physician may withhold the records until payment is received. If payment is not
made at the time of the request, the physician has 10 calendar days to notify the
requesting party in writing of the need for payment, and a copy of the letter must
be part of the patient's file. Records cannot be withheld because of past-due
accounts for medical care.
5. Physicians are not required to provide copies of billing records pertaining to a
patient's care unless specifically requested as part of the request for the release of
For more information, physicians may call TSBME at (512) 305-7065.
(Update: February, 2007)
Business of Medicine
Refusing a patient because of past due account?
Can a physician refuse to see established patients because they have past due accounts?
What about refusing to release medical records in this case? The Office of the General
Counsel of the Texas Medical Association (TMA) states 'No' in both situations.
First, a physician should not deny an established patient an appointment or cancel an
appointment because of an unpaid balance. This results in a person being considered a
patient one day and not the next, depending on how the office staff feels about the size of
the unpaid balance. As long as the patient-physician relationship is established and not
definitively terminated, a physician owes the patient the duty of care; otherwise, there is a
danger of abandonment (or at least a successful liability claim based on delay in
Medical malpractice law holds physicians to a higher standard of care than an ordinary
business person because physicians historically have held themselves to a higher level of
conduct. Thus, a person is a patient for all purposes, regardless of his or her pay status,
until the relationship is terminated. Of course, it is appropriate to warn a patient with an
unpaid balance that termination is possible if the matter is not rectified. In some cases, the
termination of the patient-physician relationship may be justifiable as long as the proper
steps in the termination process are followed. Contact the TMA Knowledge Center at
firstname.lastname@example.org, or 800-880-7955 for a copy of TMA's Office of the General
Counsel position paper on proper patient-physician relationship termination.
Second, medical records may not be withheld from a patient, the patient's authorized
representative or the patient's designated recipient based on a past due account for
medical care or treatment previously rendered. Texas Medical Board (TMB) rule is in line
with an opinion of the American Medical Association Council on Ethical and Judicial
Affairs, which states “medical reports should not be withheld because of an unpaid
balance for medical services." The Texas Medical Association's position is that it is
unethical for a physician to refuse or to delay improperly in responding to a valid request
for transfer of a former patient's medical records because of an unpaid bill. The
physician's first responsibility is the care and welfare of the patient. Other alternatives are
available for collecting fees.
For more information about the patient-physician relationship, go to
Presented by the HCMS Board on Socioeconomics
(Update: January, 2008)
Health Insurance Portability and Accountability Act (HIPAA)
Article Reviewed: Ann E. Rice, MS, RHIA.
Confronting HIPAA. Special Presentation.
Take-Home Pearl: The government has the authority to
impose penalties to anyone who violates HIPAA.
The privacy of the patient’s specific information
When discussing patient privacy, particularly in the office setting, you have to confront
HIPAA, the Health Insurance Portability and Accountability Act. HIPAA is a multi-part
regulation that includes both privacy and security of patient information in medical
records, as well as governing billing information.
The Office for Civil Rights (OCR), a branch of the Department of Health and Human
Services, is the governmental agency that oversees HIPAA. There is no private cause of
action for a breach of HIPAA, meaning if you violate HIPAA and disclose personal
information about a patient, the patient can't sue you and say that you violated HIPAA.
However, you can be sued under various state laws, either statute or case law, for
violating patient confidentiality and privacy. So what does the OCR have to do with
The government has the authority to impose penalties to anyone who violates HIPAA.
Penalties include those of the financial nature, as well as potential jail time. A person can
be fined up to $25,000 in 1 year, and an offense requiring them to go to prison could
cause a person to serve up to 10 years. To this point, no one has been punished under that
statute or those regulations. These regulations have been in effect since March 2003, and
some changes are being made. Just recently, the OCR was given the right to have
subpoena authority and can require documentation, as well as conduct different
inspections and investigations.
One of the things under HIPAA is something called protected health information (PHI).
PHI is simply anything and everything we know about the patient. The information they
give us, the information we get from other sources, such as lab results or diagnostic
studies, or information we receive from other consulting physicians. It's anything and
everything... their demographic information, their medical information, even the fact that
a physician has a relationship with the patient is considered PHI. A general rule of thumb
is that you don't disclose PHI unless the patient authorizes it, although there are certain
exceptions. You can release the information for purposes of payment, treatment, and
operations when you've notified the patient in the Notice of Privacy Practices, when you
have the patient's consent, or when you are required to do so by law, such as reporting
different health diseases to health care agencies such as the Department of Health.
Take-Home Pearl: The patient has a right to file a
complaint whenever they think their privacy has been
compromised or violated.
Patients Can File Complaints When Necessary
The Office for Civil Rights' (OCR) web site has an enormous amount of information,
including the regulations themselves. One interesting component is information about
patient complaints. The patient has a right to file a complaint whenever they think their
privacy has been compromised or violated. Between April 14, 2003, and April 30, 2007,
there were 45,408 complaints filed with the OCR. Of these, 32% were found to be
unsubstantiated, which means the majority were substantiated. The top 5 complaints were as
follows: (1) impermissible uses and disclosures, meaning that someone either released
information or used it improperly; (2) a lack of safeguards for protected health
information (PHI); (3) not permitting the patient to have access to their own PHI; (4)
using or disclosing more than the minimum necessary; and (5) using invalid
authorizations to use or disclose PHI. However, there is room for human error.
You have to very carefully document, investigate, and show that an error was made. A
person who transposes a number when faxing PHI is looked at differently than a person
who steals PHI and sells it to someone, to steal their identity for example.
Use or disclosure of more than the minimum necessary PHI: This part of the statute says
that you can release or use only the minimum amount of information that is needed to
satisfy the purpose for the release of information. An example of that would be if a
physician needs to ask his medical assistant (MA) to come in and set up an exam, such as
to do some culturing, perhaps during a gynecological exam. All the physician needs to
tell the MA is to come in and set them up to do the exam, or to put the equipment out.
The physician doesn't need to explain to the MA why he is doing that exam. If a patient
shared something personal with the physician that's leading him to do this test, it is not
necessary to share that information with the MA for her to come in and do her job.
Lack of safeguards of PHI: When it comes to PHI, it is important to think about the many
forms it is in. We have paper forms that contain PHI and we have electronic data.
Safeguards for electronic data are things such as passwords, firewalls, and protection
around that data. For paper records and information, safeguards include keeping PHI in a
locked office and not throwing pieces of paper into a regular trash can but having them
properly destroyed or shredded.
Take-Home Pearl: The physician's office is
obligated to protect the integrity of a patient's
medical chart when that patient wants to sit down
with their medical record for review.
Patients Have a Right to Access Their Records
Lack of patient access to their PHI: The patient has a right under HIPAA to have access
to their medical records. Giving a patient access involves not only the process but the
terms and times the physician can deny access. Let's start with the process. The patient
has to notify you formally in writing, so typically you would want to have a form or
formal document that the patient can fill out. Once that's done, it should be reviewed by
the physician alongside of the chart because there are reasons the patient could be denied
the right to access their medical records, and then the physician would want to set up an
appointment with the patient. Someone should be with the patient at all times. When a
patient wants to sit down with their medical record for review, you are still obligated to
protect the integrity of that chart, so a patient cannot be allowed to sit in a room by
themselves and review a chart. They could deface it or take something out of it, so you
want to protect that chart. You want to set up an appointment and have the patient come
in. You can allow patients to come in during non-visiting hours so that the physician's
time is not lost.
Lay people might have trouble reading or interpreting the records, so the physician would
be able to answer questions the patients may have. This is why the physician should
carefully look at the request from the patient as well as the chart and ask himself these
questions: Is this a patient who has a lot of questions or has a complicated history?
Should I be the one to sit down with this patient? Is it possible for me to delegate this
authority to a nurse or an assistant? If it's acceptable to the physician to delegate that
authority to a clinical person (an MA or even a clerical staff person), they can sit in the
room with the patient and can ensure the integrity of the chart. However, a clinical
person is not qualified to answer any questions. So this clinical person would write down
any questions the patient might have and give them to the physician, who would answer
at a later time. You may charge the patient for the physician's time, but not for a clerical
person's time. This way, the patient can come in and view their chart without charge,
their questions can be recorded, and the physician can answer the questions at their
Take-Home Pearl: Some states have a strict
regulation that limits the amount of time that an
authorization for release of protected health
information is valid.
Take Note of Your State’s Regulations for Releasing PHI
There are no requirements when it comes to forms for access to medical records.
However, there are a lot of requirements when it comes to releasing information to
another person or health care organization. The authorization to release protected health
information (PHI) must contain several components: (1) the patient's name and the name
they used at the time service was rendered, (2) a specific and meaningful description of
the PHI that is to be released, such as discharge summary, lab results, or office notes, (3)
the name and specific identification of the person who is receiving the records, (4) a
description of the purpose of the disclosure (e.g., patients will often ask that records be
sent to an attorney for legal purposes, but it should be more specific), and (5) an
expiration date on the patient's signature must be included. People should take note of
their state's regulations. Some states have a strict regulation that limits the amount of
time that an authorization is valid.
It's an anomaly of the HIPAA regulation that if state regulations are more stringent, then
you are supposed to follow them, but if state regulations are more lenient than HIPAA,
then you have to adhere to the HIPAA regulation. In some states, there are laws that
protect the patient's medical records, and the authorization form is something that is
clearly specified, so it is important to know the regulations in your state. As with most
everything nowadays, you should consult with lawyers about federal and state regulations
to make sure you are complying with whichever is the stricter of them. In fact, the
Georgia Supreme Court just decided on a case on May 14, 2007 (Allen vs. Wright),
where the Georgia High Court found that a state statute was preempted by HIPAA
because the statute was less stringent than HIPAA and, unlike HIPAA, the state statute
did not expressly require the patient's authorization to contain a notice of the right to
revoke the authorization.
Take-Home Pearl: Patients should be informed that
once protected health information is copied and released,
it is possible for that information to be re-disclosed by
the organization that receives it, and the organization that
released it originally cannot be held liable.
Keep Track of PHI Releases
The patient needs to sign and date the patient privacy authorization form, but new things
have come about because of HIPAA. There has to be a statement included covering the
individual's right to revoke the authorization. The patient should be told how to revoke
it, if they decide to. A statement should be included about the ability or inability of the
covered entity to condition treatment, payment, or eligibility for benefits on the
authorization. For instance, if you are a health care organization, you cannot say to the
patient “I will treat you only if you release your records from another organization to me.”
Lastly, the authorization form should include a statement informing the patient that once
the information is copied and released, it is possible for that information to be re-
disclosed by the organization that receives it, and the organization that released it
originally cannot be held liable.
When you release information without the patient’s consent and for purposes other than
payment, treatment, or health care operations, you must keep track. Examples include
releasing information to the Department of Health, or notifying the Department of
Transportation when a patient is diagnosed with a new seizure disorder, which state law
requires the physician to do. You do not need the patient’s permission to do this, but
you are required under HIPAA to log that information. If the patient asks where you have
released their information, you must be able to tell them, which is why it is a good idea to
keep a database of such disclosures.
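The disclosure tracking described above lends itself to a small log that records each release and can answer a patient's "where did my information go?" request. The following Python is an added example and not part of the original article or any particular organization's system; the purpose names, patient ids, and the six-year look-back window are assumptions, and the sample entries are constructed. It applies the rule the text states: releases for treatment, payment, or health care operations, and releases the patient authorized, are not part of the accounting; everything else (such as required reports to a state agency) is logged and reported back to the patient on request.

```python
"""Accounting-of-disclosures log (constructed example, not real patient data)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List

# Purposes that the text says need no tracking (assumption: these labels are ours).
EXEMPT_PURPOSES = {"treatment", "payment", "operations"}


@dataclass(frozen=True)
class Disclosure:
    patient_id: str
    disclosed_on: date
    recipient: str          # who received the PHI
    purpose: str            # e.g. "public_health", "treatment", "legal"
    description: str        # what was released
    patient_authorized: bool = False   # True when a signed authorization was on file


@dataclass
class DisclosureLog:
    entries: List[Disclosure] = field(default_factory=list)

    def record(self, d: Disclosure) -> bool:
        """Store the disclosure if the accounting must cover it.

        Treatment/payment/operations releases and releases the patient
        authorized are not logged. Returns True when the entry was logged.
        """
        if d.purpose in EXEMPT_PURPOSES or d.patient_authorized:
            return False
        self.entries.append(d)
        return True

    def accounting(self, patient_id: str, as_of: date, years: int = 6) -> List[Disclosure]:
        """Disclosures of one patient's PHI inside the look-back window, oldest first.

        The six-year default is an assumption for this example; the window is a
        parameter so it can follow whatever period applies.
        """
        cutoff = as_of - timedelta(days=365 * years)
        return sorted(
            (e for e in self.entries
             if e.patient_id == patient_id and e.disclosed_on >= cutoff),
            key=lambda e: e.disclosed_on,
        )


def build_sample_log() -> DisclosureLog:
    """Constructed sample disclosures for two hypothetical patients."""
    log = DisclosureLog()
    sample = [
        # Referral for treatment: exempt, not logged.
        Disclosure("P-0001", date(2007, 3, 2), "Consulting cardiologist",
                   "treatment", "consult note"),
        # State-mandated report after a new seizure diagnosis: logged.
        Disclosure("P-0001", date(2007, 4, 10), "State Department of Transportation",
                   "public_health", "seizure disorder report"),
        # Reportable condition sent to the health department: logged.
        Disclosure("P-0001", date(2006, 11, 20), "State Department of Health",
                   "public_health", "reportable condition"),
        # Same kind of report, but older than the look-back window.
        Disclosure("P-0001", date(2000, 1, 15), "State Department of Health",
                   "public_health", "reportable condition"),
        # Released to the patient's attorney under a signed authorization: not logged.
        Disclosure("P-0001", date(2007, 5, 1), "Patient's attorney",
                   "legal", "full chart copy", patient_authorized=True),
        # A different patient's report, which must not appear in P-0001's accounting.
        Disclosure("P-0002", date(2007, 5, 3), "State Department of Health",
                   "public_health", "reportable condition"),
    ]
    for d in sample:
        log.record(d)
    return log


def sample_accounting() -> List[str]:
    """Recipients patient P-0001 must be told about when asking on 2007-05-14."""
    log = build_sample_log()
    return [d.recipient for d in log.accounting("P-0001", date(2007, 5, 14))]


if __name__ == "__main__":
    for recipient in sample_accounting():
        print(recipient)
```

The point of separating `record` from `accounting` is that the decision about whether a release belongs in the accounting is made once, at the moment of disclosure, by whoever releases the information, while the patient-facing report is just a filter over what was kept.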
Regarding substantiated complaints, several kinds of entities have been found to violate HIPAA, and
corrective action has been or will be taken. These entities include private practices or
physician practices, general hospitals, outpatient facilities, health plans, and pharmacies.
Most health care organizations will fit into one of these categories, but private practices
top the list. If an entity has been found to not be in compliance, or if a complaint has
been substantiated, the Office of Civil Rights (OCR) requires corrective action. If a
process is found to be broken or if a policy is not being enforced, the OCR will require an
organization to either create policies or enforce the ones they have. You may have to
revamp a process and rework it so that it’s in compliance. The OCR wants to see
education offered, because things may happen simply because an employee didn’t know
or wasn’t aware. Additionally, if there is a turnover in staff, there should be a process in
place to orient or educate new employees as well as reinforce the message for all
Take-Home Pearl: HIPAA requires that a Notice of
Privacy Practices be handed out to all patients.
Notice of Privacy Practices Is Required Handout
When a patient goes to a doctor or a hospital, they may be given a multi-page handout
about a privacy notice. This is called the Notice of Privacy Practices and is a required
component. HIPAA requires an organization to create this document, and its purpose is
to explain to the patient how, when, and why their information would be used. There is
some language that is absolutely required. This information is easily accessed on the
OCR’s web site (www.hhs.gov/ocr). It’s a simple statement that reads, “This notice
describes how health information about you, as a parent of this practice or a patient of the
practice, may be used and disclosed, and how you can get access to your individually
identifiable health information. Please review this information carefully.” The
Department of Health and Human Services requires this statement to be on every Notice
of Privacy Practices, but they also suggest that you have a commitment statement in
place, a statement telling the patient that you are committed to protecting their privacy.
This must be in written form and must be offered to every patient only once. It behooves
you to document when you give it to them and to have some sort of proof that you gave it
to them, for instance, having the patient initial that they were offered and provided the
Notice of Privacy Practices.
It is not necessary to keep the signed Notice of Privacy Practices in the medical record
because it doesn’t change. However, as you become aware of things or as new
technology comes along, you certainly can make an addendum to this document, because
you clearly want to tell the patient how you use their information. For example, if your
organization participates in research projects or education, or if you have residents and
things of that nature, you want to include this information in the Notice of Privacy
Practices because it tells the patient that you are sharing their information with students.
Suppose that last year you were not working with students, but this year you start working
with them. You would want to amend your Notice of Privacy Practices and let the patient
know that you share information with students. If you do create a new one, then you do
have to start all over again and offer the new one to every patient.
Take-Home Pearl: Patients have the right to
authorize disclosure of their protected health
information, and they can ask you to restrict
certain uses or disclosures.
HIPAA Offers Several Rights to Patients
There are several rights the patient has under HIPAA that the patient should be notified of
officially. The patient has a right to receive a copy of your notice and a right to ask for a
copy of the notice anytime they want, even if you have already given them one. They
have the right to authorize disclosure of their health information, and they can ask you to
restrict certain uses or disclosures of protected health information (PHI). The patient also
has the right to request confidential communications with you, so for example, perhaps a
patient would say “I don’t want you to phone me at home, I want you to phone me only at
work.” You’re not obligated to meet that requirement, but the patient has the right to
make this request, and then you would need to tell them whether or not you could meet
that request. You also want to let them know, in the Notice of Privacy Practices, that they
have a right to inspect a copy of their PHI, that they have a right to request an amendment
to their information, that they have a right to request an accounting of disclosure, and they
have a right to complain about alleged privacy violations.
Often when a patient asks for access to their medical records, they may also
ask for an amendment because the information contained is incorrect. There was a
situation where a patient became very upset after looking at her medical record. She had
been seeing this physician for 20+ years, and she looked at her record and she saw that
this physician called her an “SOB”. This very proper woman became very angry that her
physician would call her an SOB, so she made a request to have her medical record
amended. Now, of course, the physician is listening and probably chuckling because he
was not calling her a nasty name but was referring to the fact that she had shortness of
breath. In this case, the physician wanted to make his patient happy, so he amended the
note and put in the margin that the patient was suffering from shortness of breath. He
made his customer happy and educated the patient, so it was a win-win situation.
Take-Home Pearl: Only the author of a note
in a patient’s medical record can make a
change to that note.
Don’t Amend a Medical Record on a Whim
You do not have to amend a patient’s medical record anytime and every time a patient
asks you to do so. If a patient wants you to amend or change his/her record, and if you don’t
think the change is appropriate, then you must notify the patient that you can’t or won’t
make the amendment. You would tell the patient that, in your professional judgment, the
information is correct as is, or that you were not the person who created the document.
Sometimes the medical record contains information from other providers, and only the
author of a note can amend it. So if a patient came in and reviewed their chart and was
actually looking at a document that was created by, perhaps, a consulting physician and
the patient asks you to change that document, you could not do it. Only the consulting
physician, or the author of that note, could make the change. You would then explain
formally, in writing, the reason you cannot amend it. If the information is felt to be
correct, if you are not the author, or if the information was created for a reason outside of
clinical care, you would not have to change it. If, perhaps, you were giving expert
testimony and created a document, you would not make a change to that document. The
physician would notify the patient in writing and the patient then has the right to write a
statement disagreeing with a denial. The physician can write a rebuttal to the patient’s
statement of disagreement. Both documents would be found in the medical record, along
with the paper or the document that the patient was requesting be amended.
All this paperwork should be placed in the patient’s chart. The physician should include
a copy of the original document that was sent to the patient stating that they are denying
the request, the patient’s statement of disagreement, and, if the physician so chooses to
write a rebuttal stating that they still disagree, that rebuttal as well, filed in the medical
record. If in fact the original document that the patient disagreed with is released
in the future, the office would also have to release the patient’s statement of disagreement
and the physician’s rebuttal statement.
Take-Home Pearl: Each covered entity (each
organization that is responsible to abide by HIPAA)
has to name a privacy officer and provide this
information to the patient, telling them that they can
complain to the privacy officer.
Give the Patient Info on How/Where to Make a Complaint
One of the rights a physician should inform the patient of is the right to complain about
an alleged privacy violation. The patient must be told how to make that complaint and to
whom and where to make that complaint. Each covered entity (each organization that is
responsible to abide by HIPAA) has to name a privacy officer and provide this
information to the patient, telling them that they can complain to the privacy officer.
They must also provide the patient with information on how to file a complaint with the
Office of Civil Rights (OCR), and they can do that simply by providing the OCR’s
telephone number as well as the telephone number of their privacy officer.
In addition to complaining to the OCR (the federal agency), the patient can also complain
to state authorities, such as the state Department of Health or the state Medical Board if
they think there has been a violation of privacy. Obviously, a person can complain to
anyone about anything. Hopefully if they complain to an organization such as the ones
mentioned, those organizations are familiar enough to send the patient to the OCR.
However, most physicians would prefer the patient come back to them to make a
complaint so they can investigate and deal with it, without having the authorities
intervene. A physician should want to do what he can to correct the situation or to
explain it to the patient. Perhaps the patient doesn’t understand something, so it’s as
simple as taking the time to explain to them what occurred and how or why it
occurred, and they will remain happy. Of course, we all want our patients to
If the Federal Government does come in and investigate a complaint and finds there has
been a violation, and if corrective action is undertaken, they have the right to come back
and revisit on a regular basis or require you to update them on whatever you have been
doing to make sure things are safeguarded against. They also have the right to subpoena
you and obtain this information.
Take-Home Pearl: Most medical associations have
an excellent web presence, and they have a lot of
questions and answers posted on their web sites, as
well as a whole section of forms, templates for
different forms, the privacy notice, and different
consent forms that you may need.
Just Be Discreet
Physicians should be discreet regarding what they say about a patient or what information
they release about a patient, and where and how they say or release it. There are a lot of
publications out there about this. The Health Information Management Association has
published a significant number of books that are all extremely valuable, and you can
access information about those particular publications by going to the American Health
Information Management Association’s web site (www.ahima.org). Most medical
associations have an excellent web presence, and they have a lot of questions and answers
posted on their web sites, as well as a whole section of forms, templates for different
forms, the privacy notice, and different consent forms that you may need. Your state or local
medical associations would have a significant amount of information. There is also the
OCR web site (www.hhs.gov/ocr) to assist you.
One more statistic that may be of interest: there is a web site that lists security breaches.
These are reported voluntarily. People go out and inform the Privacy Rights Organization
(www.privacyrights.org) of instances of breaches. Between January 2005 and May 2007, there
were 154.1 million instances of security breaches. These weren’t all in health care, but I
think if we follow some simple guidelines, as mentioned above, we could help to keep
that number from growing.
Take-Home Pearl: It is better to have a
patient’s protected health information on a
network or a shared drive rather than on an
individual C drive.
Physician Offices Can Be Victims of PHI Disclosure Crimes
It may be easier for a smaller practice to make sure their web site is clean and doesn’t
have any protected health information (PHI) on it. However, recently, a faculty member
at an institution placed one of his speeches, a PowerPoint presentation, on the department
web site. Unfortunately, it did contain some PHI. A reporter from a paper found it and
brought it to the institution’s attention, only after writing a big story about it. Of course,
the web site was taken down, and each patient was contacted about what had
happened. Since their social security numbers were on this web site, they were offered
credit protection. If they went out and bought credit protection, they were reimbursed for
that cost for 1 year and, of course, they were told how they could monitor their credit
reports and get in touch with the different credit agencies to be sure they were not victims
of identity theft because of this inadvertent disclosure.
Physician offices can be the victims of a crime. An office was broken into: it was
burglarized and 16 computers were taken. Unfortunately, an employee had saved a file
on the hard drive of one of those computers, and it included patient names, addresses, and
telephone numbers. There were approximately 600 patients on that list. All these
patients had to be notified and shown that the office was a good corporate citizen and that
they were concerned about their patients’ information and protecting that information.
They offered credit watch protection and advised them on how to protect their identity
and how to follow up with major companies such as Equifax to keep an eye on their
credit. There have also been occasions where dictation devices have been stolen, right
during office hours, containing verbal dictations. So, sometimes it happens not because
the practice has done anything wrong, but because they, too, can be victims of crime.
It’s easy to think of PHI in terms of the paper chart, and criminals usually aren’t going to break
into an office and steal file cabinets or take files out of offices, but you have to be
very careful about the data stored on computers...not only your safeguards with
passwords and firewalls, but the physical and/or hardware components as well. Make
sure these computers are either clean or that you know what’s on there so you can protect
your patients. A good suggestion is to have a network or shared drive and to not have
information on an individual C drive. This way, if the computer gets stolen, no one can
gain access to information because it wouldn’t be stored on that machine.
Take-Home Pearl: When you have a web
site, you cannot put patient-specific
information on there unless you have the
Remember...Web Sites Are for the General Public
In addition to the medical record or paper chart, a lot of medical practices or entities have
web sites. Web sites certainly are very valuable, but a web site is there for the general
public, and protected health information (PHI) is not something we can just disclose at
whim. When you have a web site, you should not put patient-specific information on
there unless, of course, you have the patient’s consent. If a physician has a well-known
patient, he may approach that patient and ask for their consent or their permission to use
their information or picture, or to use their satisfaction with their service, on their web
site, which would be acceptable. Otherwise, you cannot use or disclose information, and
that’s exactly what it would be if you put information about a patient on a web site...a
disclosure. You also cannot blame your web master for putting patient information on
there, because you would have given the web master the information; you would have to
disclose it in order for the web master to get it.
If you do need to disclose information to someone, such as a person setting up a web site,
you can enter into an agreement with that person to allow access to information, but that
person would have to keep it protected and safeguarded. There are lots of companies or
businesses that a physician’s office or a health care organization would do business with.
One example is a transcription company. You hire the transcription company to type up
your reports, which are in essence PHI. So there is an agreement that you can put in
place, the Business Associate Agreement. This is an agreement that the vendor and the
covered entity enter into, and the vendor says “I will abide by your requirements. I will
follow your requirements, and I will protect this information as you would. I will notify
you if there are any breaches or if anything were to occur or happen to the data.” Another
example would be housekeeping. If you are in an office building and you purchase
cleaning services, you would have to enter into a Business Associate Agreement with that
company because it’s possible they would be exposed to the PHI of your patients when
they are in the office. You would include in your Notice of Privacy Practices that you
have a Business Associate Agreement in place with the companies with which you do
Take-Home Pearl: With a secured web site,
patients can safely and securely communicate
with their physician, request appointments,
obtain lab results, and become a more active
participant in their care in a safe environment.
Email...Effective, Efficient, but Not Secure
It’s acceptable to most patients when you explain that you’re obligated to protect their
information and that you take this obligation very seriously. In today’s world of identity
theft, most people are pleased to hear that you are taking very strict steps to make sure
their information stays confidential.
Email is popular and an effective, efficient means of communication, but, as discussed
with the cell phone, the information is not necessarily secure. An organization can’t
ensure the integrity and security of the information once they email it, so it’s advisable to
talk about this with the patient. Before using the Internet for this type of communication,
advise the patient of this concern and have them acknowledge that they assume all
responsibility. At some organizations, patients are asked to sign a contract that explains
that the information may be intercepted and may not remain confidential. There is also a
special disclosure you can use as part of the signature line on an email that explains to the
patient that once the information leaves your Internet, you cannot ensure the security of
that information. However, there is another way that you can use electronic formats to
communicate with a patient, which is by having a secured web site...a type of patient
portal where the patient actually logs into your secure web site, and communication is
done within that web site. A lot of electronic health records today are accessed by using
these patient portals. Patients can safely and securely communicate with their physician,
request appointments, obtain their lab results, and become a more active participant in
their care in a safe environment, as opposed to sending an email through the Internet,
which certainly could be intercepted or delivered to the wrong email address.
Just remember, email does not ensure patient privacy, so you should not send anything
that’s urgent or emergent over email to the patient, and the patient shouldn’t do it to you,
because there is no way to know when emails are going to be checked or what someone
will do in reaction to whatever is in there. So, anything urgent or emergent should not be
sent by email.
Take-Home Pearl: Extreme care must be
used if physicians are carrying patient
information on thumb sticks because they
could easily lose them.
Thumb Sticks Offer Benefits...and Risks
The other part of HIPAA, the security component, addresses sending information
electronically, i.e., submitting claims electronically to insurance companies. They have
very strict requirements. There is a specific format the bill must be in so that it’s felt to
be secure. It’s referred to as HL-7.
A physician has the same obligations to both electronic and paper records. Obviously, on
the user’s side, things need to be done a little bit differently for the paper and
the electronic routes. One thing we have seen is that the electronic world has made
protected health information portable. People can store it on what’s referred to as thumb
sticks or external drives that are no bigger than a finger. These devices can hold 10 times
as much electronic data as a computer’s hard drive, and people can walk around with it.
Extreme care must be used if they are taking what used to be in boxes and boxes of
medical records on a little thumb stick and carrying it around because they could easily
Take-Home Pearl: A patient must be notified if
their records have been subpoenaed.
Civil Subpoena Doesn’t Require Patient Authorization
Subpoenas can be issued for civil reasons or for criminal reasons. We should separate the
two of them because there are some different components on the side of civil cases. Civil
cases are where private parties are suing each other, usually for money damages.
Criminal cases, on the other hand, are usually the state against a criminal defendant who
is accused of committing some kind of crime.
In a civil case, a subpoena is valid only for “medical information.” A subpoena is not
valid for “sensitive information,” i.e., mental health, drug and alcohol use, HIV, or any of
those sensitive kinds of information. So when we talk about the subpoena and releasing
information, we are talking about only medical information.
When you receive a civil subpoena, it does not require authorization from the patient.
This is one thing that separates it from a typical request. However, the patient has to be
notified that their records have been subpoenaed. Typically, the patient is given 20 days;
when the subpoena is issued, the person who receives the subpoena is entitled to receive a
“Notice of Service.” The Notice of Service is simply a document that proves that the
person issuing the subpoena notified the patient whose records are being requested under
that subpoena. After 20 days have passed, the patient has had time to decide if they
would like to object to that subpoena.
If the patient does not object within these 20 days, then it’s okay to comply and release
the information. However, if the patient objects, then their attorneys will go through legal
processes and they will go before a judge. A motion to quash the subpoena will be
Take-Home Pearl: If you are presented with a
motion to quash a subpoena (a motion for a protective
order), this means to not release the records.
Subpoenas Can Be Quashed
If you are presented with a motion to quash the subpoena, that means to stop and do not
release the records. It may also be termed a motion for a protective order, but whatever
it’s called, the lawyers for the patient should serve a copy on the physician, on the
practice, or on the hospital, whoever it may be, as well as on the lawyer who is
representing the party who is looking for that information. If you get that kind of a
motion, then just sit on the sidelines until the court decides on it and then you get an order
saying to release or not release the information.
In criminal cases, there won’t be a Notice of Service. When a person has been charged
with a crime and they are looking for that person’s records, the state is entitled to it as
part of their investigation, so you won’t have that Notice of Service. In a criminal case, if
you get a subpoena, you can comply with that without waiting the 20 days to see if the
patient is going to object. Still, the subpoena is going to cover only medical information
and is not valid for sensitive information.
There are more stringent requirements for drug and alcohol records. There has to be a
court order, and there is a whole federal regulation regarding this. Mental health records
also have a higher degree of protection. In a criminal case, you will often get a subpoena
for records of the victim, meaning the state is looking for medical records of the victim of
the crime. Another thing you may see is the patient’s lawyer writing to ask for a copy of
those records. Obviously, you can’t just turn over records because the lawyer requests
them, but if the lawyer attaches a valid authorization signed by the patient, you can then
give those records to the lawyer.