Legal & Compliance

 >  Medical Records

Medical Records in North Carolina

Medical Records in North Carolina

Submitted By
401 North Tryon Street, 10th Floor
Charlotte, NC 28202

Are you confident your practice's medical records would survive scrutiny by an FBI or OIG auditor? Would your documentation provide a good defense in the event of a malpractice case? Does your practice have privacy protections in place that will prevent any HIPAA violations? If the answer is "no" to any of these questions, continue reading to find out how to improve your medical record documentation and processes.

Medical records have been and continue to be a subject of great discussion and concern in recent years. In NC, there are very few statutes that address medical records specifically. Federal law does not provide much guidance on medical records either. We have to rely on the NC Medical Board (the Board) Position Statements , principles from nationally recognized organizations such as the American Medical Association (AMA), the American Hospital Association (AHA), the American Health Information Management Association (AHIMA), Medico-Legal Guidelines, and case law. These sources help form the basis for standards in NC regarding documentation, patient access, privacy, and retention of medical records.

National standards, however, may be right around the corner. At least with respect to the privacy of medical records, there is now a federal regulation. That regulation, of course, is the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The publicity surrounding this law is bringing medical records into the news spotlight. Patients are learning their rights with respect to their records and what to do if they feel there has been a breach. This makes keeping good medical records more important than ever.

Health care providers should take time to examine their own policies regarding medical records and make some adjustments where needed. This article will delineate guidelines based on NC statutes and the NC Medical Board's Position Statements on what to include in medical records, a patient's right to access medical records, how to protect confidentiality, and how long to keep records. HIPAA will be addressed in very general terms.

Medical Record Documentation
A NC statute defines a medical record as, "personal information that relates to an individual's physical or mental condition, medical history, or medical treatment, excluding Xrays and fetal monitor records." Medical record documentation requirements are still somewhat of a mystery for many providers. The rules surrounding documentation have expanded considerably over the years. Physicians first began writing notes to refresh their own memory on a patient's health history. An entry might have been as simple as "Delivered baby, baby healthy." The records varied on completeness depending on the physician. Then, as the number of different medical specialties grew, records were used to provide background on a patient for other treating physicians. Records were getting more detailed. Finally, with the emergence of managed care, documentation to support billing became very important. Now, there are very specific rules as to what must be documented in order to receive payment (think E&M coding).

Coding is outside the scope of this article, but there are some general principles on documentation that are worth reviewing. The Board has a very specific list of the functions a medical record should perform. The medical record:

  • records pertinent facts about an individual's health and wellness;
  • enables the treating care provider to plan and evaluate treatments or interventions;
  • enhances communication between professionals, assuring the patient optimum continuity of care;
  • assists both patient and physician to communicate to third party participants;
  • allows the physician to develop an ongoing quality assurance program;
  • provides a legal document to verify the delivery of care; and
  • is available as a source of clinical data for research and education.

This is a rather large list. Clearly, medical records serve many purposes to a variety of people and entities. Therefore, it is essential that documentation is thorough in content, legible, and timely. In addition, there must be an appropriate process for authentication and corrections.

What exactly is a thorough medical record? It is a document that should record patient history, physical findings, an assessment of the findings, and a plan for treatment. There are many methods to document such items. The Board recommends the Problem Oriented Medical Record method known as SOAP (developed by Lawrence Weed). The S refers to "subjective information" (patient history and testimony about feelings). The O refers to objective material and measurable data (height, weight, respiration rate, temperature, and all examination findings). The A is the assessment of the subjective and objective material that can be the diagnosis but is always the total impression formed by the care provided after review of all materials gathered. And finally, the P is the treatment plan presented in sufficient detail to allow another care provider to follow the plan to completion. The plan should include a follow-up schedule.

The Board also identifies the following items that should be included in a record with every patient visit:

  • the purpose of the patient encounter;
  • the assessment of patient condition;
  • the services delivered--in full detail;
  • the rationale for the requirement of any support services;
  • the results of therapies or treatments;
  • the plan for continued care;
  • whether or not informed consent was obtained; and, finally,
  • that the delivered services were appropriate for the condition of the patient.

Other examples of items that should be included in the record are telephone calls from the patient, documentation regarding missed appointments, follow-up on test results, and any patient reminders.

The record should be legible. This may seem obvious, but physicians are notorious for having very poor handwriting. Medicare is very clear that when it comes to documenting services for billing purposes; if you cannot read it or if it is not there, it did not happen. Even if a physician spent an hour with a patient and can remember almost every word of the conversation, if an auditor can't read about the encounter the physician might not be paid for it.

To meet the definition of legible, an outside party (not the long-time office manager who serves as the doctor's handwriting interpreter) must be able to read any notes, signatures, dates, and times. If a provider is unable to meet that standard, dictation or an alternative method should be used. As practices convert to electronic medical records, this problem should decrease.

Legibility is also a function of the language a provider chooses to use. Clear and concise wording is important. All staff members providing treatment should be able to understand what is written. If abbreviations are used, there should be a list available for anyone who needs it.

Physicians should record entries in the medical record when a treatment is given or observations are made. Federal programs require that hospitals complete records within thirty days of discharge. Late entries can have negative consequences when defending a malpractice suit. Non-timely records are usually less accurate and will have less credibility. If an entry is made after a lawsuit is filed, it looks like it is self-serving for purposes of a defense and not for true documentation.

Authentication and Corrections:
There are no state law restrictions on who may write in the chart. This is usually a matter of facility policy. In general, any person providing care to a patient should be able to document it. Staff must be very careful to function within their scope of duties as limited by law or license. Certain individual entries should require a countersignature. A physician must authenticate the record with his or her signature. If signature is by method other than handwriting, safeguard measures should be implemented.

Likewise, NC does not have a rule regarding documentation of corrections. Certain states require that a single line be drawn through the mistake, it be marked as an error, corrected, and dated. It is a good practice to have rules regarding who can correct what type of error. These rules should be based on a person's scope of practice. For example, an RN should not amend an MD's medication order. Even though it is not mandated in NC, it is usually best not to erase errors, but rather use the single line mark-through approach. If patient requests a change, make sure it is noted that it is the patient's request. Note that HIPAA addresses the patient requested amendment process in detail. Remember, incorrect records can have a variety of consequences including loss of licensure, jail, fines, and sanctions.

Electronic Medical Records:
Electronic medical records (EMR) are permitted in NC, and a separate paper record need not be maintained. However, when consent to treatment or a release is on paper, it should be preserved and also noted in the EMR. Electronic signatures are acceptable, but the records still must maintain legibility, accuracy and confidentiality.

Electronic medical records have numerous advantages, and many practices are making the switch. Most electronic medical records companies assure providers of improved efficiency and better quality of care. For providers who have difficulties with documentation, EMRs proceed step by step through the decision-making process and record pertinent information.

A potential disadvantage of EMRs is increased exposure to liability for improper disclosure of personal health information. Special safeguards should be implemented to protect the system and the data within. These may include the use of passwords, audit trails, monitoring use and access of information, and encryption. Be sure to address security issues with your EMR vendor. HIPAA will also have an affect on what safeguards are required, as final security standards have been published.

Access to Physician Records
A patient has the right to access his or her medical records. This means that within a reasonable time of the request, a provider must supply a patient with either a copy or a summary of the medical record. If a summary is provided, it should be detailed enough to allow for continuity of care by another provider.

Patient access is an area where HIPAA impacts what must be provided to the patient. Providers will have to define what constitutes their "designated record set". For providers, a designated record set usually refers to treatment and billing records.

Providers should define what a designated record set will include as well as what it will exclude. For example, a provider may decide to assert that designated record sets will not include psychotherapy notes, education records exempt from HIPAA, and records put together in anticipation of litigation. Other things that a provider may choose to exclude are requests for prescription refills or call log records for appointment setting.

When providing a record to a patient, the physician may charge a reasonable fee for the preparation and/or the photocopying of the materials, with three exceptions explained below. The Board has requested that if a physician is going to charge a fee, that physician should be willing to review the materials with the patient if the patient makes such a request. A physician should never deny a patient 's request for their medical records for nonpayment issues.

There are three circumstances in which certain rules must be followed regarding charges for medical records. First, if records are sought in connection with personal injury or Social Security disability claims, there is a statutory maximum fee schedule that applies. The maximum charge for the first 25 pages is $0.75, $0.50 for the next 75 pages, and $0.25 for pages over 100. The statute also allows the physician to charge a reasonable fee for review and preparation of a narrative summary.

Second, if a physician is seeking a medical lien for payment of services rendered on any award the patient may receive, the medical record should be provided to the patient 's attorney free of charge. Finally, if records are sought in connection with a Workman 's Compensation case, the Industrial Commission may impose a maximum fee schedule.

Medical Records and Privacy
The security of patient information is of utmost importance. HIPAA even contains civil and/or criminal penalties for violations. There are some basic protections practices can implement now that can go a long way in preventing inadvertent disclosures. For example:
  • Records should not be removed from the premises unless there is a procedure in place for documenting who has the record and where it can be found.
  • Trained personnel should review copies of medical records prior to release to a patient.
  • If a patient is merely reviewing their record onsite, that patient should be supervised.
  • A practice should have a standard procedure to follow in the event there is a subpoena for a patient 's medical record.
  • Faxing records should be done carefully, realizing that you may not know who is on the receiving end.

One of the most important protections is having a signed statement from the patient describing what information can be released to whom. This may be one of the most essential forms used in the practice.

The Board and HIPAA both make very clear that the medical record is a confidential document and should only be released with proper written consent or authorization of the patient. Physicians should not distribute their patients' medical records to third parties unless there is an enforceable agreement that includes adequate provisions to protect patient confidentiality and to ensure patients' access to their records. A release should contain the following:
  • who may release the records,
  • what may be disclosed,
  • to whom the records may be released and for what purpose,
  • an expiration date, if applicable, and acknowledgement that consent may be revoked by the patient,
  • the signature of the patient,
  • and some additional language required by HIPAA.

HIPAA addresses releases in great detail, and makes a distinction between two types of releases: consents and authorizations. It is important to know the difference between them. A consent (very different from an informed consent which involves treatment risks and alternatives) is a general release signed by the patient stating that his or her health information may be disclosed for treatment, payment or healthcare operations. Consents are not mandatory as was stated in an early version of the rule. An authorization, which is required in certain circumstances, is a very specific release that must include an expiration date, a limit on what parts of the record may be released, or name a particular purpose of the release such as marketing. It is a limited release for a certain purpose.

There may be times that records are required to be released pursuant to a court order or a state statute. If there is not a release on file for the records requested, it is a good idea to have a legal professional review the order to be sure it is legitimate and the minimum necessary is released.

Minors and their records:
In general, a parent has access to a minor 's medical record. However, in NC there are certain treatments for which a minor does not need parental consent. The records for these services are generally protected unless the child gives his or her consent for the parent to view the record. A minor may give consent for the prevention, diagnosis and treatment of (1) venereal disease (2) pregnancy (3) abuse of controlled substances or alcohol or (4) emotional disturbance. Medical records involving these treatments should not be released without a signed statement from the minor. An emancipated child can consent to any medical treatment, and therefore the parent should have no access to records without a release.

Privacy and HIPAA:
HIPAA has been referenced throughout this article, but it is important to understand the basics behind the privacy rules to grasp the impact it will have. HIPAA has many facets, but the privacy portion is of most importance here. The deadline for compliance was April 14, 2003.

HIPAA applies to health plans, health care providers, and health care clearinghouses (covered entities) that transmit health information in electronic form. HIPAA protects certain individually identifiable information, protected health information (PHI), relating to a person 's health. The broad privacy rule is that a covered entity may not use or disclose PHI unless the patient agrees or the regulation specifically permits it. HIPAA also gives patients certain rights with respect to their information and requires covered entities to implement policies to protect this information.

Covered entities are now required to provide patients with a notice of their privacy practices. Providers must permit patient access to records, and even permit requests for amendments. Other duties include appointing a privacy officer, developing privacy policies, establishing a complaint mechanism for privacy concerns, and provide privacy training for its employees.

Retention of Medical Records
North Carolina does not have a statute defining the length of time medical records should be kept. Some physicians keep their records indefinitely, however, for many practices this is cost prohibitive due to sheer volume. They key is to develop a policy and follow it. If the policy is to retain records for ten years past the last date of service, set up a system that ensures that shredding or destruction occurs at that point. Do not implement such a policy if some will be shredded at ten years and others at fifteen.

It is a good idea to consult an attorney or call your medical malpractice carrier on this subject. He or she will most likely base the retention policy on medical malpractice statute of limitations. Records should be kept long enough to be able to defend a malpractice action. Other things to consider are federal laws (Medicare requires records be kept for five years), research, and storage limitations. There are many companies that specialize in storing medical records and are very aware of the important confidentiality considerations.

Some basic minimum guidelines are:

  • Patient Health Records (Adults): 10 yearrs after the most recent encounter
  • Patient Health Records (Minors): Age of majority plus statute of limitations
  • Diagnostic Images: 5 Years
  • Master Patient Index: Permanently
  • Register of Surgical Procedures: Permanently

The North Carolina Medical Board supports Section 7.05 of the American Medical Association's current Code of Medical Ethics regarding the retention of medical records by physicians. It states:

7.05: Retention of Medical Records
Physicians have an obligation to retain patient records which may reasonably be of value to a patient. The following guidelines are offered to assist physicians in meeting their ethical and legal obligations:

  1. Medical considerations are the primary basis for deciding how long to retain medical records. For example, operative notes and chemotherapy records should always be part of the patient's chart. In deciding whether to keep certain parts of the record, an appropriate criterion is whether a physician would want the information if he or she were seeing the patient for the first time.
  2. If a particular record no longer needs to be kept for medical reasons, the physician should check state laws to see if there is a requirement that records be kept for a minimum length of time. Most states will not have such a provision. If they do, it will be part of the statutory code or state licensing board.
  3. In all cases, medical records should be kept for at least as long as the length of time of the statute of limitations for medical malpractice claims. The statute of limitations may be three or more years, depending on the state law. State medical associations and insurance carriers are the best resources for this information.
  4. Whatever the statute of limitations, a physician should measure time from the last professional contact with the patient.
  5. If a patient is a minor, the statute of limitations for medical malpractice claims may not apply until the patient reaches the age of majority.
  6. Immunization records always must be kept.
  7. The records of any patient covered by Medicare or Medicaid must be kept at least five years.
  8. In order to preserve confidentiality when discarding old records, all documents should be destroyed.

Before discarding old records, patients should be given an opportunity to claim the records or have them sent to another physician, if it is feasible to give them the opportunity.

Medical records play a crucial role in the delivery of health care services. They facilitate and improve patient care by presenting a more complete and accurate history both within a practice and to other physicians. They document services rendered for payment purposes. Medical records can be instrumental in defending a medical malpractice action. With the continued emphasis by the government on fraud and abuse, and more recent attention to HIPAA and privacy, there is every reason for physicians to make medical records a priority. Fortunately, due to the mandatory compliance requirements of HIPAA, more guidance on medical records is available than ever before. Even as privacy becomes a primary focus, providers must remember to scrutinize all aspects of their medical record policies to be truly in compliance: documentation, providing appropriate access to patients, safeguarding patient information, and retention policies.

Problem reading template: file=/pages/pract_essentials/article_detail.html, elementId=DYNAMIC_CONTENT