The medical records must be kept secure and accessible only to authorized personnel in order to prevent loss, tampering, disclosure of information, alteration, or destruction of the record. Authorized personnel are those employees within the physician’s office, health plan, and medical group or persons authorized through a legal instrument, such as a subpoena.
This includes the following steps:
1. Store active medical records in one central area that is accessible only to authorized personnel.
2. Ensure only assigned personnel, responsible for the maintenance of medical records, have access to medical records.
3. Explicitly state expectations about the confidentiality of patient’s information and records in all physician contracts.
4. Ensure all staff with access to medical records have a signed confidentiality agreement on file in the physician’s office.
5. Store and/or dispose of all inactive medical records and patient information in a manner that continues to protect confidentiality. A medical record is considered inactive when a patient has not attended the clinic for more than three years.
•Physicians must confirm that a patient’s medical record is inactive.
•The physician produces a summary of the medical record and advises administration staff of the need for archiving.
•Office staff arrange for archiving of inactive material that is to be retained by contacting storage company.
•Review archived records annually, and destroy as required.
•Dispose of or destroy all medical records and patient information in a way such that information is not identifiable (e.g., shredded) when it is no longer in use, unless it is retained for regulatory purposes (SB 19).
6. Unauthorized sharing of medical information is prohibited (SB 19). Physicians are expressly prohibited from the following:
•Negligent disposal of medical information.
•Intentional sharing, sale, or use of medical information for any purpose other than to provide health care services to the patient, except as otherwise authorized.
7. Physicians are prohibited from requiring a patient, as a condition to receive services, to sign an authorization, release, consent, or waiver permitting the disclosure of any medical information in accordance with requirements to maintain confidentiality (SB 19).
8. A health care service plan or provider of health care may disclose medical information for the purpose of disease management if they are:
•An entity contracting with a health care service plan or the health care service plan’s contractors to monitor or administer care of enrollees for a covered benefit, provided the disease management services and care are authorized by a treating physician.
•A disease management organization that complies with the physician authorization requirements of Health and Safety Code Section 1399.902, provided that the health care service plan, or its contractor, provides or has provided a description of the disease management services to a treating physician or to the health care service plan’s or contractor’s network of physicians (AB 2414 - Confidentiality of Medical Information Act (Civil Code Section 56.10(c)(17) ).
•A provider of health care, health care service plan, or contractor is prohibited from disclosing medical information unless the patient has signed an authorization. In certain specific circumstances, disclosure of medical information by providers of health care, health care service plans, or contractors is mandated under Civil Code Section 56.10(a) and Civil Code Section 56.10(b).
•Except to the extent expressly authorized by the patient or as provided
in Civil Code Section 56.10(b) and (c), no corporation nor its subsidiaries and
affiliates will intentionally share, sell, or otherwise use any medical
information for any purpose not necessary to provide health care services to the
patient (SB1903) per Civil Code Section 56.10(d).
A provider of health
care, health care service plan, or contractor is not permitted to disclose
medical information without the patient’s authorization to providers of health
care, health care service plans, or contractors except:
•For purposes of diagnosis or treatment of the patient per Civil Code Section 56.10(c)(1).
•To an insurer, employer, health care service plan, employee benefit plan, governmental authority, contractor or any other person or entity responsible for paying for health care services rendered to the patient, to the extent necessary to allow responsibility for payment to be determined and payment to be made per Civil Code Section 56.10(c)(2).
•To an independent medical review organization and their reviewers (AB2094) per Civil Code Section 56.10(c)(4).
•Further disclosure of medical information regarding a patient or the provider of health care or an enrollee of a health care service plan (SB1903) per Civil Code Section 56.10(e).
9. Only release medical records under the following conditions:
•Patients, attorneys, or representatives of the patient or attorney receive a copy of the medical records only after presenting a signed authorization from the patient or his/her legal representative.
•The patient presents identification when requesting a copy of their medical record.
•With patient authorization, outside health care providers, federal, state, county, or city agencies, employers, insurance companies, or their representatives may receive a copy of the patient's record.
•With a subpoena, an officer of the Federal, State, or municipal court may gain access to a patient’s records.
•Agencies, such as the FDA, or other authorities that comply with reporting requirements in Title 17 of the California Code of Regulations also may gain access to confidential information.
•If a requestor receives a court order, the requester may gain access to confidential information. Any release of information in response to a court order or to other authorized persons is to be reported to the patient within five (5) working days.
10. Release patient records to qualified personnel for the purpose of conducting scientific research, whether or not authorized by the enrollee. However, to prevent divulging confidential information, the reports received for research are not to identify, directly or indirectly, any individual patient or otherwise disclose a participant’s identity in any manner.
11. For the purpose of sharing enrollee information with any organization with which the enrollee may subsequently enroll, the physician/organization must provide copies of all the patient’s records to the new physician. Deliver the records in a timely fashion so that continuity of care is not impeded (QISMC 3.6.4).
12. When requesting participation in outpatient behavioral health treatment, the requesting physician must submit a written request to the provider of services and notify the patient of the specific confidential information requested (AB416).
13. Only assigned personnel responsible for the maintenance of medical records may provide written documents or copies of patient records.
14. Authorization forms permitting release of medical records specify to whom the information may be released, the type of information being requested, and the date and signature of the patient or representative. The patient’s name, medical record number, name and organization of the requester, date of request, and the date the record was released is documented and filed in the patient’s medical record.
15. Minors have the right to confidential services without parental consent. Therefore, medical records and/or information regarding medical treatment specific to defined confidential services cannot be released to parents without the minor’s consent.
16. Ensure all medical records released to authorized parties are legible documents.
17. Patients are given the opportunity to approve or refuse the release of identifiable personal information, except when such release is required by law.
18. Do not disclose confidential patient information by means other than hard copies of medical records. Do not release information over the telephone.
19. All patient medical records obtained for use by the health plan or medical group for utilization management, quality management, or claims purposes are protected from disclosure.
20. Physicians can request a reasonable reimbursement for the cost of copying a patient’s medical records.
You can see a sample Authorization for Release of Medical Information.