Managing Medical Records Compliance

Checkpoint A — Records Management Assessment

Intake Questions

1. What EHR system(s) does the organization use, and has the organization undergone system migrations that created legacy data repositories?
2. What state(s) does the organization operate in, and what are the applicable record retention requirements?
3. Does the organization have a formal records retention and destruction policy?
4. How does the organization process HIPAA access requests—patient portal, paper copies, electronic media, third-party designee?
5. What is the average turnaround time for patient access requests, and does it meet the 30-day HIPAA requirement?
6. Does the organization have a process for amendment requests under HIPAA § 164.526?
7. How does the organization manage accounting of disclosures per § 164.528?
8. Does the organization charge fees for record copies, and are fees consistent with HIPAA and state fee limitations?
9. Has the organization been subject to OCR Right of Access Initiative enforcement?
10. How does the organization manage records for deceased patients, minors, and patients with legal representatives?

Required Documents

• Medical records retention and destruction policy
• HIPAA access request procedures and tracking logs
• Amendment request procedures and log
• Accounting of disclosures log and procedures
• Fee schedule for record copies
• EHR system documentation (data architecture, backup/recovery, audit trail configuration)
• Legacy system inventory (prior EHR systems, paper records, microfilm/microfiche)
• State-specific retention requirement matrix
• Release of information (ROI) policies and authorization forms
• Patient portal configuration and access documentation
• Medical records committee minutes (if applicable)

Step 1 — HIPAA Individual Rights Compliance

Evaluate the organization's compliance with HIPAA individual rights provisions:

Right of Access (§ 164.524):

• Verify the organization provides access to the designated record set within 30 days of request (one 30-day extension permitted with written notice to the individual).
• Confirm individuals can request records in the form and format of their choice if readily producible (e.g., electronic copy from EHR).
• Verify the organization processes requests to send records to third parties designated by the individual (per the 2013 Omnibus Rule and OCR guidance).
• Assess fee practices: HIPAA permits only reasonable, cost-based fees for copying, including labor, supplies, and postage. Many state laws impose stricter fee limits. Do not charge search or retrieval fees.
• Confirm the limited grounds for denial are properly applied: psychotherapy notes, information compiled for legal proceedings, certain research records, and information from non-healthcare provider sources obtained under promise of confidentiality.
• OCR Right of Access Initiative: Since 2019, OCR has aggressively enforced the right of access, settling over 45 cases for amounts ranging from $3,500 to $240,000. The most common violations are excessive delays and excessive fees.

Right to Amendment (§ 164.526):

• Verify the organization processes amendment requests within 60 days (one 30-day extension permitted with written notice).
• If the amendment is accepted, the organization must make the amendment, inform the individual, and make reasonable efforts to inform entities identified by the individual and entities known to have the inaccurate information.
• If denied, the organization must provide a written denial with the basis for denial, the individual's right to submit a statement of disagreement, and the right to file a complaint with OCR. The organization must append the denial, the individual's statement (if provided), and a rebuttal (if desired) to the record.

Right to Accounting of Disclosures (§ 164.528):

• Verify the organization tracks disclosures for the prior six years, excluding disclosures for TPO, to the individual, pursuant to authorization, as part of a facility directory, for national security purposes, and to correctional institutions.
• Confirm the organization can produce an accounting within 60 days of request.
• The accounting must include: date of disclosure, recipient name and address (if known), description of PHI disclosed, and purpose of disclosure or copy of the request.

Right to Request Restrictions (§ 164.522(a)):

• The organization is not required to agree to most restriction requests, but must agree to restrict disclosure to a health plan for services paid out-of-pocket in full (mandatory restriction under HITECH § 13405(a)).
• Verify the organization has a mechanism to implement and enforce agreed-upon restrictions within the EHR.

Step 2 — Record Retention Requirements

Map and apply retention requirements from all applicable sources:

• State Retention Laws: State laws vary significantly. Common adult medical record retention periods range from 5 to 10 years from last encounter. Some states (e.g., Nevada) require 25 years for hospital records. Identify the most restrictive requirement for each state.
• Minors: Most states require retention of minor records for the adult retention period plus the period until the minor reaches the age of majority (typically 18). This can extend retention to 28+ years from date of last encounter.
• Medicare CoP Requirements: CMS requires hospitals to retain medical records for 5 years per 42 CFR § 482.24(b)(1). For home health, 5 years after month of last billing (42 CFR § 484.110).
• Malpractice Considerations: Retention periods should account for malpractice statutes of limitation, including discovery rules, minority tolling, and fraud tolling that can extend limitation periods well beyond the standard period.
• ERISA and Tax Records: Records supporting Medicare cost reports must be retained per applicable tax record retention requirements.
• Practical Recommendation: Where multiple requirements apply, retain records for the longest applicable period. Document the rationale for the retention period chosen.

Step 3 — Record Integrity and EHR Compliance

• Authentication: Verify that all medical record entries are authenticated by the responsible provider within the timeframe required by medical staff bylaws and CMS/accreditation standards (typically 30 days for hospital inpatient records).
• Amendment vs. Addendum: Verify the EHR maintains the integrity of the original record when corrections are made. Late entries should be clearly identified as addenda. Corrections should follow the legal medical record correction standard—line through (or electronic equivalent), date, time, reason for correction, and identity of person making the correction. Original content must remain accessible.
• Audit Trail: Confirm the EHR maintains a complete audit trail showing all access, creation, modification, and deletion of records with timestamps and user identification.
• Copy/Paste Monitoring: Assess the organization's approach to copy/paste (also called "copy-forward" or "cloning") in the EHR. Excessive copy/paste creates documentation integrity issues, inflated billing risk, and patient safety concerns from perpetuated inaccurate information.
• System Migration: If the organization has migrated between EHR systems, verify that legacy data is accessible, searchable, and included in responses to access requests and legal discovery.
• Downtime Procedures: Verify procedures exist for documenting care during EHR downtime and reconciling paper documentation into the electronic record.

Step 4 — Release of Information (ROI) Management

• Authorization Requirements: Verify ROI processes require a valid HIPAA authorization per § 164.508 for disclosures not otherwise permitted. Valid authorizations must include: description of PHI, authorized persons/classes, purpose, expiration, and right to revoke.
• State Requirements: Many states impose additional ROI requirements—specific consent forms, witness requirements, notarization for certain disclosures, or separate authorizations for HIV, mental health, substance abuse, or genetic information.
• Turnaround Time: Monitor ROI turnaround times and ensure compliance with HIPAA's 30-day requirement and any shorter state-specific deadlines.
• Third-Party ROI Vendors: If the organization uses a third-party ROI vendor, verify the vendor has a BAA and processes requests in compliance with HIPAA and state law, including fee limitations.
• Legal Process Requests: Verify that records produced in response to subpoenas, court orders, or discovery requests are handled through proper channels—verifying the legal process is valid, applying any applicable privilege protections (peer review, attorney-client), and limiting production to the scope of the request.

Step 5 — Record Destruction

• Destruction Policy: Verify a formal destruction policy exists that specifies: retention periods by record type and applicable law, destruction method, documentation of destruction, and approval process.
• Destruction Methods: Confirm records are destroyed using methods that render PHI unrecoverable—shredding for paper, degaussing or physical destruction for magnetic media, secure erasure for electronic media per NIST SP 800-88.
• Destruction Documentation: Maintain certificates of destruction documenting: date, records destroyed (by date range, not individual patient), destruction method, and responsible party.
• Litigation Hold: Verify a process exists to suspend destruction when the organization receives notice of potential litigation, government investigation, or audit requiring record preservation.
• BAA Obligations: Upon termination of a BAA, verify the business associate returns or destroys PHI per the BAA terms and § 164.504(e)(2)(II)(J).

Checkpoint B — Compliance Validation

1. Confirm HIPAA access requests are processed within 30 days with fees limited to cost-based amounts.
2. Verify amendment request process includes all required elements (60-day timeline, written denial, disagreement rights).
3. Confirm accounting of disclosures is tracked for the prior six years with all required data elements.
4. Verify record retention periods meet the most restrictive applicable requirement (state law, CMS, malpractice SOL).
5. Confirm EHR audit trails are enabled and maintain complete access/modification history.
6. Verify ROI processes comply with both HIPAA and state-specific authorization requirements.
7. Confirm record destruction methods render PHI unrecoverable and destruction is documented.
8. Verify litigation hold process is defined and operational.

Quality Audit

• HIPAA access request turnaround time within 30 days (tracked and monitored)
• Fees for record copies limited to reasonable cost-based amounts per HIPAA
• Amendment request process meets 60-day timeline with written denial procedures
• Accounting of disclosures tracked with all required data elements
• Mandatory restriction for self-pay patients operationalized in EHR
• Record retention periods mapped by state with malpractice SOL considered
• Minor patient records retained through age of majority plus standard retention
• EHR authentication timelines monitored (30-day standard for inpatient)
• EHR audit trails enabled and complete for all records
• Copy/paste practices monitored and managed
• Record destruction follows NIST SP 800-88 or equivalent with documentation
• Litigation hold process defined and tested

Guidelines

• OCR's Right of Access Initiative has made patient access enforcement a priority. The most common violations—excessive delays and excessive fees—are easily preventable with proper processes. Do not underestimate OCR's willingness to pursue enforcement for access failures.
• "Readily producible" means the organization must provide records in the electronic format requested by the individual if the EHR can produce it. Requiring patients to accept paper copies when electronic copies are available is a HIPAA violation.
• Record retention is governed by the most restrictive applicable requirement. When in doubt, retain longer. The cost of storing records is far less than the cost of adverse inference in litigation or regulatory investigation due to missing records.
• Medical record corrections must preserve the original content. Under no circumstances should original entries be deleted, overwritten, or rendered inaccessible. EHR systems must be configured to maintain the original and display the correction with appropriate metadata.
• Copy/paste in EHRs is a significant compliance and patient safety concern. Perpetuated inaccurate information can lead to clinical errors, and inflated documentation can trigger FCA liability for overbilling.
• State laws often impose stricter requirements than HIPAA for specific record types—HIV records, mental health records, genetic information, and substance abuse records may require additional consent, separate forms, or longer retention periods.
• This skill produces medical records compliance assessment output, not legal advice. Records management decisions should involve qualified healthcare privacy counsel, particularly for legal process responses and destruction policies.