How do you manage medical records?
The expectations for practices and health professionals when dealing with medical records can be confusing and often overwhelming. While these expectations are understandable given the nature of the information, it can leave practices often asking more questions. In light of recent developments and changes in the way some practices operate, it is important to review how you manage your medical records.
How do I collect patient information?
From a patient's first contact with the practice, it should be clear how the practice is collecting, storing, using and otherwise dealing with the patient's information. Practitioners should ensure that there is a privacy policy on the practice website explaining how the personal information will be collected, used and stored, and the patient's registration/consent form completed on arriving to the practice authorising such collection and use of their personal information.
How do I store medical records and how long do I need to store them for?
Medical records must be stored as either a physical or electronic file (or both) that can be easily accessed and in a manner which:
- Protects the records from damage, loss or theft/unauthorised access (including if stored electronically having measures in place to protect against cyber theft and data breaches).
- Preserves the patient's confidentiality and privacy.
All records for adults should be stored for at least seven years from the date you last saw/dealt with the patient. Where a patient is under the age of 18, the record should be kept until they would have reached 25 years old. When storing electronic copies of medical records, we recommend engaging with an IT Provider medical practice specialist who will be able to support you with active data protection measures (including encryption, multi-factor authentication and regular backups (within Australia).
What do I do if someone requests a copy of the medical record?
Before you can disclose a patient's records, you must ensure that you have the patient's consent to do so, or are otherwise authorised by law to do so to take into account the situations where you can disclose patient information without consent.
The patient's consent should be signed and specify:
- Who they are authorising a copy of the file be provided to (e.g. their doctor, their lawyer or themselves); and
- What records they are authorising to be released (i.e. specific
records or their entire file).
Once you have the patient's consent, you can provide the
copies as directed in the authorising consent.
You are entitled to charge your reasonable costs of making the records available. This can include fees that your practice management software provider charges to extract the records from your system. Subject to where your practice is located, there may be specific regulations addressing the recovery of fees.
Who owns the medical records?
The issue of ownership of medical records is complex. It depends
on many factors, including the terms of the contract between the
practice and practitioner, and has several practical implications,
particularly when a practitioner leaves a practice. If a
practitioner is part of a partnership or incorporated practice,
multiple practitioners may be entitled to a copy of the
records.
Ownership of records and access to records are two separate issues. Regardless of who actually owns the record, patients have a right to request access to their records, subject to any exceptions under the privacy legislation, and records can only be disclosed with the patient's consent or as otherwise authorised by law.
What if I work in a hospital or for a government entity?
As a general principle, if you work in a public hospital/facility, the medical records will be managed by that hospital and its policies. If you also see a patient privately then you would need to ensure that you are complying with the legislation and rules which apply to your private practice as well.
What do I do if I sell the practice?
In selling your practice, you may need to obtain the consent of
a patient to the release/transfer of their records to the new
practice owner subject to where your practice is located.
As part of any settlement period, practitioners will need to be careful to protect the records and maintain patient confidentiality. In some circumstances a consent may not be required and there are several exceptions that may apply. For e.g, where a practitioner sells their interest in the company that owns the practice as the entity running the practice will remain the same.
It is important to note that in some states/territories, there is
specific legislation that details how records are to be dealt with
when selling a practice. In Victoria and the ACT, practices must
advertise in a local newspaper the sale of the practice and how
records will be dealt with in the process.
The practice and practitioners will also need to be mindful of retaining medical records for the required periods outlined above and for their own off-risk purposes.
What do I do if I close the practice or am no longer able to operate the practice?
Similar to the sale of a practice, in some states/territories
there is specific legislation that details how records are to be
dealt with when closing or shutting down a practice. In Victoria
and the ACT, practices must advertise in a local newspaper the
closure of the practice and how patients will be able to access
their records once closed.
The practice and practitioners will also need to be mindful of retaining their patient's records for the required periods outlined above and for their own off-risk purposes.
Want more information?
Medical records - the essentials
Storing, retaining and disposing of medical records
Planning for retirement: wat you need to know
Providing medical records to a third party
Medical records: Chapter two - legal requirements (member only eLearning course)
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.