Risk Management Considerations for Record Retention and Release in Healthcare
Disclaimer: This article is intended for informational purposes only and is not to be considered legal advice.
Professional liability lawsuits against healthcare entities are becoming increasingly less favorable for providers. A lack of policies, procedures, and risk management strategy surrounding record retention and release practices can affect whether or not a particular event rises to the level of a liability claim, as well as the outcome of that claim.
It’s easy to put record retention and release practices to the side of your strategic priorities, as you are probably not thinking about a potential lawsuit that may rear its head months, or even years, down the road.
However, if you were to see the claims that come across my desk, it would click just how critical record retention and release practices are to mitigate potential damages after an incident occurs.
Let’s explore from a risk manager’s perspective what you can do in the here and now to mitigate risk if, and when, a records request or request for information turns into a lawsuit.
Medical Record Requests – Antennas Go Up
While there are non-legal reasons for a party to request medical records, a request for medical records may be a precursor to future litigation and should serve as a red flag for your organization and be communicated internally up the chain of command. This is especially critical if the request followed a sentinel event or an incident that could give rise to a negligence claim.
What is a Sentinel Event?
An event such as the following that causes significant harm to a patient/client and significant risk to an organization:
- Fall with severe injury
- Facility-acquired pressure injury
- Medication error resulting in harm
- Unanticipated death
- Resident-to-Resident violence resulting in harm
Considerations for Medical Records Retention and Release Practices
HIPAA-Compliant Release Authorization
Require a HIPAA-compliant record release authorization form as part of your medical records release policy to be used consistently across the organization for parties to request records in writing. Utilizing a standard HIPAA-compliant form creates consistency in your process and provides insight into the purpose or reason behind the request.
Legal Access to Records
Confirm with each record request if the person requesting has the legal right to obtain that information. An example we commonly see is the designated Power of Attorney for a patient/client requesting records. If that Power of Attorney is not activated, the patient/client needs to provide written consent for that person to obtain records. In the case of a record request for a deceased patient/client, the rules of who has access to the record changes, potentially expanding the number of individuals who may have legal access to the record.
Content of a Medical Record
It is imperative to understand the required components of a medical record per state statute, such as DHS 132.45(5) for Wisconsin skilled nursing facilities and DHS 83.42 for Wisconsin CBRFs. It is recommended to formulate organizational standards of what is to be released based off of these statutes. Ensure grievance, investigation, or quality assurance information is not included with medical record content for release. For additional considerations regarding medical record content, contact your risk management partner.
Review Before Release
Prior to a record being released, a thorough review of its content is recommended, ideally by medical records and clinical personnel. Again, you want to ensure only contents to be considered a medical record are included, as well as to identify any potentially concerning events or documentation. Plaintiff attorneys are on the lookout for gaps in documentation, lack of documentation, conflicting documentation, and narrative charting with subjective information. If, upon your review, you identify such a concern, put your insurance broker and defense attorney on alert.
Quality Assurance Involvement
Identify if there have been any sentinel events with this patient/client (falls with major injury, elopements, pressure injuries, abuse/neglect allegations, etc). If such incidents had not yet been investigated, reviewed, and addressed by the Quality Assurance (QA) Committee, ensure this is completed and an action plan implemented.
You want to ensure that as soon as you are notified of each and every incident, you take the opportunity to address direct and root causes and clean up opportunities for improvement to rectify the situation as soon as possible. If a sentinel event occurred with a patient/client and a record request is received for that individual, that is an indication that there may be litigation in the works.
Make Copies, Bates Numbering, Note Release
It is highly recommended to make copies of contents of the released medical record. A strategy of plaintiff attorneys is to submit multiple different records requests prior to and during litigation, and, oftentimes due to staff turnover, it is different employees handling the release. This may lead to different record sets being pulled. If the records are different each time they are released, this can be problematic. Keeping a copy allows you to refer back to what was previously released and be consistent with what is being provided. If you find that you did not send something that you should have, notify your broker and defense attorney.
You may also consider labeling each page of the released record in numerical order, which my attorney friends call “Bates numbering”. Additionally, it is a requirement of HIPAA to note in the patient/client record to whom the record was released and when.
Allowable Time for Release
The allowable time for an entity to provide a copy of the medical record following a written request varies slightly based on the setting. For skilled nursing facilities, federal regulations require that a copy of a resident record be provided within two working days, if the resident is currently in your care. For other settings, generally the copies are to be provided as soon as practicable and not to exceed 30 days. If the request is for records of a resident/patient/client who is no longer in your care, you have 30 days to fulfill that request, and can ask for a 30 day extension if needed.
Entities may feel pressure to release the medical record quickly after a request is received, however, it is important to take the allowable time to review the record to ensure the necessary contents are there (nothing more), and to also have the clinical review of the record as previously mentioned. Based on the clinical review, you may want to get your broker, carrier, and defense attorney involved who will in turn need time to review the record.
Charging for Records
Use extreme caution if charging for copies of medical records. Although HIPAA allows for charging of records, Wisconsin state statute and court interpretation (Wisconsin Supreme Court Case of Moya vs. Aurora Health Care) of the statute is stricter than what is allowable by HIPAA. Therefore, when a signed HIPAA compliant release form is received, it is not recommended to charge residents, representatives, or third parties for copies of medical records. If you decide you do want to charge for records, consider seeking legal advice on allowable fees and be very diligent that calculations are correct.
Develop and maintain a formal record retention schedule
Develop and maintain a formal record retention schedule to outline how long different categories of records are kept (medical records, employee files, financial and business records, etc.). You do not want to be involved in a lawsuit and come to find that you maintained more records than what you were required to, or that you should have had more records that were inadvertently destroyed. Know that you may need to suspend this policy if there is litigation which is considered a “litigation hold” or “legal hold”.
Coroner and Law Enforcement Requests
There may be other parties who ask for records such as law enforcement, coroner, or medical examiner. These requests come with additional considerations. Seek out your broker or defense attorney if this occurs.
Records Destruction: The HIPAA Privacy Rule is not all that prescriptive when it comes to requirements for the disposal of medical records. It broadly states that covered entities must implement reasonable safeguards to dispose of PHI that limit incidental and avoid prohibited uses and disclosures. HIPAA covered entities must ensure that policies and procedures are implemented to address the final disposal of electronic PHI and/or the platform on which it is stored. Additionally, any workforce member involved in disposing of PHI, or who supervises others who dispose of PHI, must receive training on disposal. In general, examples of proper disposal methods may include, but are not limited to:
- For PHI in paper records – shredding, burning, pulping, or pulverizing the records so that PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed.
- Using a disposal vendor as a business associate to pick up and destroy the PHI.
- For PHI on electronic media- clearing (using software or hardware products to overwrite media with non-sensitive data), purging (degaussing or exposing the media to a strong magnetic field in order to disrupt the recorded magnetic domains), or destroying the media (disintegration, pulverization, melting, incinerating, or shredding).
Be sure to reference your state statute on medical record destruction for additional requirements. For example, some states require a record destruction log.
Wis. Stat. 804.12(4m) supports that electronically stored information that has been properly destroyed as a result of routine, good-faith operation may not be discoverable.
Personnel File Maintenance
Just as you should have a retention schedule for patient/client medical records, records created throughout the course of employment for an employee should also be maintained per a schedule and in the appropriate files. While your internal investigation files may be privileged and off limits to a plaintiff attorney, it’s important to note that employee personnel records are never protected. The only way to maintain privilege with HR investigations is by using an attorney to complete the investigation, but you may still need to turn over factual findings. It is not unusual for plaintiff attorneys to obtain information about a patient/client incident through obtaining personnel files. Be very cautious not to store materials produced due to an investigation in an employee’s personnel file.
A “personnel file” should not encompass all documents created throughout the course of employment. Consider a filing system such as the following for Human Resource records:
- Personnel file – Pre-employment documents (application, reference checks, etc.), training records, performance reviews, disciplinary & employment action, resignation
- Payroll file – Wages, taxes, garnishments
- Confidential Medical file – Medical evaluations, fit test records, vaccinations, physician notes, workers’ compensation claim info
- Confidential Legal file – Investigative material such employee/witness statements, interview notes, final investigation report
The legal landscape/environment for professional liability in healthcare is not a favorable one, and is likely not going to be turning around any time soon. The time spent on the front end working toward incorporating these risk management techniques into your organizational practices will prevent or lessen the effects of harmful litigation.
Reach out to an M3 Account Executive or Risk Manager for additional tools and regarding strategies to mitigate risk with record retention and release practices.
Additional Related Resource: Documentation Do’s and Don’ts