Effective immediately, Michigan physicians must comply with new requirements concerning the content and maintenance of medical records. Public Act 481 also prescribes new standards for how long medical records must be retained, and imposes new requirements as to how medical records may be destroyed.
Content. The law requires that a physician create an individual record for each patient seen by the physician, setting forth a complete record of tests and examinations performed, observations made, and treatments provided.
Physicians have some flexibility in determining what to place in a patient's record. For example, if a practice does not routinely keep disposable physical impressions or models as part of a patient's record, then the statute does not require that they be kept. However, the practice should be consistent as to what is included in each of its patient records. Also, at a minimum, the practice must keep enough information in each patient's record to assure that the record is "a full and complete record" of tests and examinations performed, observations made and treatments provided.
How Long? Physicians must maintain each patient's record for at least seven years (or longer, if required under other special-situation state or federal laws, or under "generally accepted standards of medical practice"). Shorter retention periods are possible, but only with express written permission from the patient.
Privacy and Security. A physician must assure that all such records are maintained in a manner that assures their integrity, confidentiality and proper use. At a minimum, this means complying with HIPAA privacy and security standards. This statute effectively makes compliance with HIPAA a condition for a physician's continuing licensure.
Copies of the records must also be made available to patients upon request, as required by law. Fees for such copies are governed by the Michigan Medical Record Access Act.
If, for any reason, a physician finds himself or herself unable to comply with these maintenance obligations, the physician must engage another provider or a medical records company to protect, maintain and provide access to patient records as required by law.
Written Plan. Each individual physician must adopt a written plan (the statute uses the word "policy") for protecting, maintaining, and providing access to his or her medical records. Each time a physician renews his or her medical license, he or she must certify that he or she has such a written policy, and that he or she will make that policy available upon request.
It is important to note that individual physicians, not group practices, are legally required to assure that the statute's requirements are met. While a group practice can assume primary operational responsibility for its physicians' medical records, the ultimate legal responsibility for maintaining those records continues to rest with the practice's physicians.
Retirement or Death. If a physician retires or dies, he or she (or his or her personal representative) must send a notice to the Department of Community Health specifying who will have access to his or her patient records, and how a patient may request access to or copies of the patient's medical records.
The physician or personal representative must then transfer custody of his or her patient records to another individual physician (not the practice itself), individual patients themselves (if the patients have so requested), an institutional health care provider like a hospital, or to a medical record company hired for the specific purpose of taking custody of those records. Presumably, in most group practice situations, an individual physician will take legal responsibility for the records, but delegate the task of maintaining them to the practice.
Interestingly, while a physician is still practicing, he or she can normally destroy a patient's records that are more than seven years old without first notifying the patient. However, once a physician has retired or died, all of his or her then-existing medical records (no matter how old) must be transferred in the manner described above, unless the patient has received advance written notice of the transfer and an opportunity to request a copy of his or her records.
Separation. The statute does not address the express situation where a physician leaves a practice with the intent of practicing elsewhere. In such situations the medical records normally belong to the practice, but the physician has the (personal) legal obligation to ensure that all such records are properly maintained and made available to patients as required by law.
Clearly, a contractual agreement will be advisable to assure that the departing physician's medical records will be maintained and made available to patients as legally required.
Destruction of Records. The statute governs the manner by which medical records may be destroyed. Records to be destroyed must be shredded, incinerated, electronically deleted or otherwise disposed of "in a manner that ensures continued confidentiality of the patient's health care information and any other personal information relating to the patient." If the Department becomes aware of a physician's records being destroyed in a noncompliant manner, the Department is authorized to seize the records, destroy them in the manner required by statute, and bill the cost of that destruction to the physician.
Penalties. A physician is subject to a range of penalties for violating the statute, ranging from a simple reprimand to a civil fine (up to $10,000) to potential suspension or loss of license.
If you have any questions, please contact Richard Bouma (616.752.2159) or any other member of Warner Norcross and Judd's Health Sciences Practice Group.