Medical record FAQs

by Wayne Wenske, Senior Marketing Strategist,
Tanya Babitch, Assistant Vice President of Risk Management,
Robin Desrocher, Director, Risk Management, and
Kassie Toerner, Manager, Risk Management
A medical record includes any records pertaining to the history, diagnosis, treatment, or prognosis of a patient. The Texas Medical Board (TMB) rules in Chapter 163 outline elements that should be included in the medical record. The rules also state that salient records received from another health care professional involved in the care or treatment of the patient shall be maintained as part of the medical record.
How long do I need to keep medical records in Texas?
For adults — all records must be kept for at least seven years from the date of the last treatment. Keep in mind, “treatment” might include a phone call, a prescription refill, or other contact with the patient. (Hospitals are required to keep records for 10 years, and some physicians may also choose to keep office records for 10 years.)
For minors — records for minor patients must be kept for at least seven years from the date of last treatment or until the child turns 21, whichever is longer.
Medical records that relate to any civil, criminal, or administrative proceeding may be destroyed only if the physician knows the proceeding has been finally resolved.
For more information, please see Chapter 163 of the TMB rules.
Who “owns” the medical record?
The physical documents are the tangible, personal property of the person or entity that created them. However, by law patients have the right to obtain copies of their medical records. The only clear exception in Texas law is in the Medical Practice Act, which states: “If the physician determines that access to the information would be harmful to the physical, mental or emotional health of the patient.”
The physician might be asked to explain why the records or information may be harmful to the patient. See the next question below for details on what is required when denying records to a patient.
Never release the original record, except under subpoena and then retain a copy. See more below.
Is there a deadline for providing requested medical records?
Texas law gives a deadline of 15 business days to provide medical records upon receipt of a request and any agreed upon fees.
This same deadline also applies if the physician feels it would be harmful to release copies of medical records to a patient. The physician or health care entity has a deadline of 15 business days to provide a written, signed, and dated statement that details the reason for the denial and provides instructions to the requestor on how to file a complaint with the Department of Health and Human Services (HHS) and the TMB. A copy of the denial statement should be placed in the patient’s medical and/or billing records. (Medical Practice Act/Texas Occupations Code 159.006)
How should I respond to a subpoena for a medical record?
If you are a TMLT policyholder, please contact TMLT's Claim Department to inquire about how to respond to a subpoena. In addition, if you are a Texas physician, the Texas Medical Association offers a resource, Subpoenas for Medical Records (TMA log-in required).
Can a patient electronically access their electronic health information (EHI) at no cost?
On April 5, 2021, the ONC Cures Act Final Rule for health care providers went into effect. The rule includes a provision requiring that patients be able to electronically access all their electronic health information (EHI), structured and/or unstructured, at no cost. Health care providers may review the ONC Cures Act to ensure compliance with the rules for release of EHI. More information can be found here.
The ONC Cures Act further gives patients the right to immediate electronic access to their health records. This includes test results, medication lists, referral information, and physicians’ notes. If you are not sure about how this access is granted in your EMR, consult with your software vendor.
What is the proper procedure for the release of medical records to a patient?
An individual has the right to review or obtain copies of their health records, and there are steps for physicians or health care entities to follow to provide copies while maintaining HIPAA guidelines and state law. The following information outlines different scenarios.
Written request
As required by the Medical Practice Act/Texas Occupations Code 159.006, a physician or health care entity shall provide copies of medical and/or billing records requested or, if the individual prefers, a summary or narrative of the records pursuant to a written release of the information as provided by the Medical Practice Act 159.005.
Additionally, a physician or health care entity may require individuals to use the entity’s own supplied authorization form, provided use of the form does not create a barrier to or unreasonably delay the individual from obtaining access to their PHI.
Verification
The Privacy Rule requires a physician or health care entity to take reasonable steps to verify the identity of an individual making a request for access. The Rule does not mandate any specific method of verification (such as obtaining a copy of a driver’s license), but rather generally leaves the type and manner of the verification to the discretion and professional judgment of the physician or health care entity, provided the verification processes and measures do not create barriers to or unreasonably delay the individual from obtaining access to their PHI. Additional guidance is available on the HHS site.
Form and format
The Privacy Rule requires physicians or health care entities to provide the individual with access to the PHI in the form and format requested, if readily producible in that form and format.
Requests for paper copies
If an individual requests a paper copy of PHI maintained by a physician or health care entity, it is expected that the physician or health care entity will be able to provide the individual with the paper copy requested. This applies to medical records that are paper or maintained electronically.
Requests for electronic copies
If an individual requests an electronic copy of PHI that a physician or health care entity maintains only on paper, the physician or health care entity is required to provide the individual with an electronic copy if it is readily producible electronically.
If an individual requests an electronic copy of PHI that a physician or health care entity maintains electronically, the physician or health care entity must provide the individual with access to the information in the requested electronic form and format, if it is readily producible. The physician or health care entity is not required to purchase new software or equipment to accommodate every possible individual request; however, the physician or health care entity must have the capability to provide some form of electronic copy of PHI.
Practices should comply with federal and state laws regarding required timelines for release. Texas law gives a deadline of 15 business days to provide medical records upon receipt of a request.
Is a written authorization required to release medical records directly to a patient?
In Texas, if a patient or other authorized requester is requesting copies of records (versus electronic access), they must submit this request in writing. A form to disclose protected health information (PHI) is also available for physicians and health care entities to provide to patients for this purpose.
The written request must contain the following elements:
- identify who is authorized to make the disclosure (such as the physician);
- identify who may receive the PHI (such as self, relative, another treating physician, etc.);
- identify who may make the authorization;
- identify the specific information to be disclosed, particularly for sensitive information, such as HIV/AIDS testing and treatment, mental health treatment, and substance abuse treatment;
- describe the purpose of the disclosure;
- note when the authorization expires; and
- contain a signature and date (of the patient or personal representative).
A valid authorization must also have these statements:
- the patient has the right to revoke the authorization, with instructions on how to revoke;
- clarification that under most circumstances medical care may not be conditional on the signing of the authorization; and
- a warning that the PHI may be re-disclosed by the receiving entity.
The patient must receive a copy of the authorization and the physician or health care entity must also maintain a copy.
When can protected health information (PHI) be released without an authorization?
The HIPAA Privacy Rule permits, but does not require, a physician or health care entity to use and disclose protected health information, without an individual’s authorization, for the following purposes or situations:
Treatment, Payment, Health Care Operations. A physician or health care entity may use and disclose protected health information for its own treatment, payment, and health care operations activities.
Treatment is the provision, coordination, or management of health care and related services for an individual by one or more health care providers, including consultation between providers regarding a patient and referral of a patient by one provider to another.
Payment encompasses activities of a health plan to obtain premiums, determine or fulfill responsibilities for coverage and provision of benefits, and furnish or obtain reimbursement for health care delivered to an individual and activities of a health care provider to obtain payment or be reimbursed for the provision of health care to an individual.
Health care operations are any of the following activities: (a) quality assessment and improvement activities, including case management and care coordination; (b) competency assurance activities, including provider or health plan performance evaluation, credentialing, and accreditation; (c) conducting or arranging for medical reviews, audits, or legal services, including fraud and abuse detection and compliance programs; (d) specified insurance functions, such as underwriting, risk rating, and reinsuring risk; (e) business planning, development, management, and administration; and (f) business management and general administrative activities of the entity, including but not limited to: de-identifying protected health information, creating a limited data set, and certain fundraising for the benefit of the physician or health care entity.
- Public Interest and Benefit Activities — The HIPAA Privacy Rule permits use and disclosure of PHI, without an individual’s authorization or permission, for these 12 national priority purposes as follows:
- Required by Law — Information may be provided by a physician or health care entity to law enforcement officials to fulfill a court order, statute, or legal regulation.
- Public health officials who are responsible for monitoring and stopping the spread of disease or injury.
- FDA-regulated companies if there is data that would support the monitoring of effectiveness or adverse events related to their products.
- Individuals who may have been exposed to transmittable diseases that are tracked by the government and require reporting.
- Information may be released to employers regarding employees to evaluate work-related illnesses or claims, manage workers' compensation claims, and OSHA violations.
- Positive HIV tests (without the patient's name) and AIDS diagnoses (with the patient's name) to the Texas Department of State Health Services and local health department.
- Victims of Abuse, Neglect, or Domestic Violence — In cases of suspected abuse, it is permissible to report the incident of suspected child and elder abuse to the Texas Department of Protective and Regulatory Services and law enforcement.
- Health Oversight Activities — Personally identifiable health information may be released to government agencies that are responsible for providing oversight for the health care system, including government health programs, such as Medicare and Medicaid, Texas Department of State Health Services, the Texas Attorney General's Medicaid Fraud Control Unit, Texas Medicaid Health Partnership, and the Department of Protective and Regulatory Services. Medicare and Medicaid records must be made available promptly to representatives of the Department of Health and Human Services.
- Judicial and Administrative Proceedings — PHI may be disclosed to the court system in response to a subpoena, court order or administrative tribunal. Notice should be sent to the subject of the order that their information has been shared.
- Law Enforcement Purposes — Please see Law Enforcement Exceptions to HIPAA.
- Decedents — In the case of death, PHI can be disclosed to the coroner's office for identification purposes, and to determine the cause of death. PHI may also be released to the funeral home as needed.
- Organ Donation — PHI can be released by physicians or health care entities to facilitate the donation of cadaver organs and tissue.
- Research — PHI can be released in the case of medical research, provided the researchers warrant that the information is necessary for the preparation or execution of the research study and will not be used in any other way.
- Serious Threat to Health and Safety — PHI can be released without consent to law enforcement officials to aid in the capture of an escaped prisoner or a violent criminal. Protected health information can also be released if there is credible reason to believe that there is an imminent threat to an individual or the public at large.
- Essential Government Functions — Physicians and health care entities can release protected health information for the completion of government duties and functions, including military missions, national security initiatives, protection of the President, for evaluating State Department employees and providing health services to inmates.
- Workers' Compensation — Physicians or health care entities may release PHI without authorization while evaluating and certifying employee injury claims.
Physicians and health care entities should share their Notice of Privacy Practice with patients to educate them about how their protected health information (PHI) will be used.
Additionally, while the disclosures outlined above are permitted without a patient authorization, the physician or health care entity is encouraged to ensure that the request is valid prior to release. For example, if a subpoena looks suspicious, confirm the validity. If requests for records are being made by a government official, such as CPS, Medicare, or Medicaid, verify the identity of the requestor.
Who can authorize the release of medical records?
Per the Texas Occupations Code, the authorization to release medical records may be signed by:
- an adult patient;
- a parent or legal guardian if the patient is a minor;
- legal guardian of the patient if the patient has been adjudicated incapacitated to manage his/her own personal affairs;
- an attorney ad litem appointed for the patient; and
- a personal representative if the patient is deceased.
Where can I find the Authorization to Disclose Protected Health Information form developed by the Attorney General of Texas?
An electronic copy of the form is located on the Texas Attorney General’s website.
May I charge the patient for copying medical records?
Please see Charging for Copies of Medical Records.
Are there any other circumstances under which we should NOT charge a fee for supplying records?
While the Privacy Rule permits fees as described above, there are other limited circumstances under which a physician or health care entity should not charge copying fees. For example:
- when the records are requested by a licensed Texas health care provider or any American or Canadian licensed physician for acute or emergency medical care; and
- to support an application for disability or other benefits or assistance under: Aid to Families with Dependent Children, Medicaid, Medicare, Supplemental Social Security Income, Federal Old-Age and Survivors Insurance, and Veteran's Benefits.
For more information, please see the TMB rules Chapter 163.3 Requests for Medical Records.
May I withhold copies of medical records due to inability to pay for copies or unpaid bill for health care services?
A physician or health care entity may not withhold or deny an individual access to their PHI because the individual has not paid the bill for health care services provided or is unable to pay fees for copies.
What about mental health records?
Pursuant to HIPAA regulations, if the medical record contains any notes sent from a mental health professional, those records cannot be re-disclosed without specific patient authorization, even under subpoena. HIPAA defines mental health professionals as psychiatrists, psychologists, and licensed professional counselors.