How do you manage patient records?
The expectations for practices and health professionals when dealing with patient records can be confusing and often overwhelming. While these expectations are understandable given the nature of the information, it can leave practices often asking more questions. In light of recent developments and changes in the way some practices operate, it is important to review how you manage your patient records.
How do I collect patient information?
From a patient's first contact with the practice, it should be clear how the practice is collecting, storing, using and otherwise dealing with the patient's information. Practitioners should ensure that there is a privacy policy on the practice website explaining how the personal information will be collected, used and stored, and the patient's registration/consent form completed on arriving to the practice authorising such collection and use of their personal information.
How do I store patient records and how long do I need to store them for?
Patient records must be stored as either a physical or electronic file (or both) that can be easily accessed and in a manner which:
- Protects the records from damage, loss or theft/unauthorised access (including (including if stored electronically having measures in place to protect against cyber theft and data breaches).
- Preserves the patient's confidentiality and privacy.
All records for adults should be stored for at least seven years from the date you last saw/dealt with the patient. Where a patient is under the age of 18, the record should be kept until they would have reached 25 years old. When storing electronic copies of patient records, we recommend engaging with an IT Provider medical practice specialist who will be able to support you with active data protection measures (including encryption, multi-factor authentication and regular backups (within Australia).
What do I do if someone requests a copy of the patient record?
Before you can disclose a patient's records, you must ensure that you have the patient's consent to do so, or are otherwise authorised by law to do so" to take into account the situations where you can disclose patient information without consent.
The patient's consent should be signed and specify:
- Who they are authorising a copy of the file be provided to (e.g. their doctor, their lawyer or themselves); and
- What records they are authorising to be released (i.e. specific records or their entire file).
Once you have the patient's consent, you can provide the copies as directed in the authorising consent.
You are entitled to charge your reasonable costs of making the records available. This can include fees that your practice management software provider charges to extract the records from your system. Subject to where your practice is located, there may be specific regulations addressing the recovery of fees.
Who owns the patient records?
The issue of ownership of patient records is complex. It depends on many factors, including the terms of the contract between the practice and practitioner, and has several practical implications, particularly when a practitioner leaves a practice. If a practitioner is part of a partnership or incorporated practice, multiple practitioners may be entitled to a copy of the records.
Ownership of records and access to records are two separate issues. Regardless of who actually owns the record, patients have a right to request access to their records, subject to any exceptions under the privacy legislation, and records can only be disclosed with the patient's consent or as otherwise authorised by law.
What if I work in a hospital or for a government entity?
As a general principle, if you work in a public hospital/facility, the patient records will be managed by that hospital and its policies. If you also see a patient privately then you would need to ensure that you are complying with the legislation and rules which apply to your private practice as well.
What do I do if I sell the practice?
In selling your practice, you may need to obtain the consent of a patient to the release/transfer of their records to the new practice owner subject to where your practice is located.
As part of any settlement period, practitioners will need to be careful to protect the records and maintain patient confidentiality. In some circumstances a consent may not be required and there are several exceptions that may apply. For example, where a practitioner sells their interest in the company that owns the practice as the entity running the practice will remain the same.
It is important to note that in some states/territories, there is specific legislation that details how records are to be dealt with when selling a practice. In Victoria and the ACT, practices must advertise in a local newspaper the sale of the practice and how records will be dealt with in the process.
The practice and practitioners will also need to be mindful of retaining patient records for the required periods outlined above and for their own off-risk purposes.
What do I do if I close the practice or am no longer able to operate the practice?
Similar to the sale of a practice, in some states/territories there is specific legislation that details how records are to be dealt with when closing or shutting down a practice. In Victoria and the ACT, practices must advertise in a local newspaper the closure of the practice and how patients will be able to access their records once closed.
The practice and practitioners will also need to be mindful of retaining their patient's records for the required periods outlined above and for their own off-risk purposes.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.