Responsible Office: Institutional Compliance Office
Last Review: 04/01/2021
Next Review: 04/01/2024
Contact: Melanie Burlison, Privacy Officer
Related Policies: FI0160 – HIPAA Re-designation and General Policy
To establish guidelines for the contents, maintenance, and confidentiality of patient Medical Records that meet the requirements set forth in Federal and State laws and regulations, and to define the portion of an individual’s healthcare information, whether in paper or electronic format, that comprises the medical/dental record.
The procedure addresses common situations regarding disclosure of patient information, release of information and the protection of patient confidentiality. It is not intended to be inclusive of every issue which might arise. When unusual or questionable situations present, contact the UTHSC Privacy Officer for clarification.
The Privacy Act of 1974, Tenn. Code Ann. 63-2-101 and the Health Insurance Portability and Accountability Act of 1996 mandate rights of persons wishing to gain access to individual records. Medical and dental offices need to follow policy regarding the patient’s request to view or be provided a copy of his/her record.
According to Tenn. Code Ann. 63-2-101, “Notwithstanding any other provision of law to the contrary, a health care provider shall furnish to a patient or a patient’s authorized representative a copy or summary of such patient’s medical records, at the option of the health care provider, within ten (10) working days upon request in writing by the patient or such representative.”
- Confidential Information – includes legal medical record components and designated record set components. Also includes any directory-type information or any document that contains patient-related and personal information.
- Designated Record Set – the designated record set is created to respond to patients’ requests concerning the information used in making decisions about them. The designated record set is comprised of subsets of health information and may be maintained in various locations or files. Includes medical/dental and billing records maintained for or by UTHSC, and any health information used, in whole or part, by UTHSC to make decisions about the patient. Includes any photographs, videotapes, or other images that identify the patient. Includes records from other providers.
- Legal Health Record – the legal health (medical) record substantiates the care provided to the patient. Includes the actual paper or electronic health record maintained by the UTHSC. Includes any photographs, videotapes, or other images that identify the patient. Does not include billing records. The term “health record” includes, by definition, all records generated for medical, dental, psychological patient care, exclusive of psychotherapy notes.
- Protected Health Information – individually identifiable health information, including demographic data that is maintained in any medium that relates to:
  - The individual’s past, present or future physical or mental health or condition,
  - The genetic information of the individual,
  - The provision of health care to the individual, and/or
  - The past, present, or future payment for the provision of health care to the individual and that identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual.
- Protected health information does not include individually identifiable health information of persons who have been deceased for more than 50 years.
- Medical Record – any information that includes protected health information and is maintained, collected, used, or disseminated by the UTHSC.
- Disclosure – release, transfer, provision of access to, or divulging in any other manner of information outside UTHSC.
- Medical Record Custodian – the person or department responsible for the maintenance, retention, access, integrity, and quality of protected health information; including protecting patient privacy, providing information security, and complying with standards and regulations regarding protected health information.
Medical Records are the property of UTHSC, but, subject to professional ethics and federal and state laws, the patient has ownership and control of the information and of who may gain access to it. Unless restricted by other state or federal law, UTHSC must furnish to a patient or a patient’s authorized representative, without unreasonable delay, such part or parts of the patient’s medical record requested. UTHSC may require advance payment of the reasonable costs of copying and mailing medical records.
The medical record contains information acquired in a doctor-patient relationship which is considered to be a confidential and sometimes privileged communication. UTHSC is responsible for preventing access to or unauthorized disclosure of a patient’s medical record by unauthorized persons. Release of information should be carefully screened and disclosed or given out only in response to proper inquiry.
Locations of medical records systems include, but are not limited to, the following practice sites:
- College of Dentistry
- Speech & Audiology-Knoxville
- Family Medicine-Knoxville
- Internal Medicine-Knoxville
- University Therapists
- Boling Center for Developmental Disabilities
Security and Storage
UTHSC must reasonably safeguard all protected health information from any intentional or unintentional use or disclosure. UTHSC must reasonably safeguard protected health information to limit incidental uses or disclosures made in the course of providing an otherwise permitted or required use or disclosure.
All paper health records, as defined above, must be maintained in secured areas. The files, cabinets, or storage areas must be locked after hours or when staff is not present. Areas in which patient information is stored must not be left unattended. Patient information should not be readily accessible to the general public or to other individuals who do not have a need to view such information; for example, it should not be left lying out on desks or counters, on fax machines, copy machines, etc.
Electronic health information must be maintained according to UTHSC security guidelines. Computer screens potentially displaying patient information must not be accessible to anyone not authorized to view such information. Staff must follow UTHSC procedures regarding use of computer passwords and logging off. Health information shall not be maintained on laptops and portable devices unless for short periods of time and on an approved encrypted, University-owned device. Health information should never be downloaded to personal devices.
Verbal exchange of patient information between care providers and those involved with the patient’s care, payment, or other health care operations, must occur to ensure appropriate and timely care to the patient. Individuals who exchange verbal information must ensure that they are in areas where they cannot be overheard by others who are not involved in the patient’s care and do not have a right to hear the information. Staff must be particularly diligent in ensuring confidentiality when exchanging patient information in treatment areas, over the telephone, and in areas accessible to common areas such as hallways and elevators.
Removal of Records from UTHSC Premises
Records should not be removed from the various practice sites without the consent of the business or clinic manager. The availability of the record for treatment and review is compromised when providers remove records without providing notification. Records found in non-practice sites should be returned to the appropriate records area upon discovery.
Original medical records should be removed only by court order or subpoena. In such cases, a complete copy of the record should be made prior to removal. Upon return, the original should be compared to the copy prior to storage. Any alterations to the original should be noted and brought to the attention of the UTHSC Privacy Officer.
Retention of Medical and Dental Records
Medical and dental records shall be kept for adult patients for a period of 10 years from the provider’s last professional contact with the patient. For minor patients, medical and dental records should be kept for a period of 10 years from the provider’s last professional contact with the patient or 1 year after the minor reaches the age of majority (i.e., until the patient turns 19), whichever is longer. After this time, records can be destroyed by shredding, burning or other approved means. Records should be destroyed in the ordinary course of business, and a log of these records (including the date of destruction, method of destruction and a description of the records destroyed) should be maintained for future reference.
CONFIDENTIALITY OF MEDICAL INFORMATION
Patient information from medical records, dental records, letters, notes and other documents is regarded as confidential. HIPAA refers to medical information as protected health information or PHI. Information may not be released to any persons outside of UTHSC without valid patient authorization. Information may not be released verbally or in writing to anyone inside of UTHSC unless that person is involved in the direct care of the patient. There is an exception as it relates to TPO (Treatment, Payment, Operations). Per the HIPAA Rule, authorization is not required for TPO. Breach of the confidentiality agreement will result in disciplinary action and/or termination.
Only authorized persons in clinics should release medical information. The release of information by other UTHSC personnel is strictly prohibited.
Release of Information
A valid authorization for disclosure of health information must contain at least the following elements and must be written in plain language:
- A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion.
- The name or other specific identification of the person or class of persons authorized to make the requested use or disclosure.
- The name or other specific identification of the person or class of persons to whom the covered entity may make the use or disclosure.
- A description of each purpose of the requested use or disclosure. The statement “at the request of the individual” is a sufficient description of the purpose when an individual initiates the authorization and does not, or elects not to, provide a statement of the purpose.
- An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure.
- Signature of the individual and the date.
- If a personal representative of the individual signs the authorization, a description of such representative’s authority to act for the individual.
The authorization may contain elements or information in addition to the required elements, provided that such additional elements or information are not inconsistent with the required elements. When the authorization is for electronic disclosure, it may be made in written or electronic form, or in oral form if documented in writing by the medical record custodian.