Category: Compliance

Date: January 23, 2002

Reviewed/Revised: July 2014

Purpose

To ensure that records of all kinds, including medical records, are complete, accurate and maintained in a safe storage environment in accordance with all applicable federal and state laws and regulations.

Policy

  1. Medical and business records should be complete, accurate, and reliable. All records, books, documents, computer records, electronic media, data, and files are to be prepared properly and completely.
  2. Employees shall be informed and trained to properly and accurately complete the various records for which they are responsible. Staff who feel they are inadequately trained or informed should address this issue with their supervisors or managers.
  3. Records are to be maintained for the duration of time specified by federal or state laws and regulations, or for the time specified by policy, whichever is longer. Disposal of any type of medical or financial record should be properly researched, documented, and authorized. Financial records should be maintained for a period of five (5) years, to comply with the provisions of the Social Security Act as it relates to cost reporting. If the record contains protected health information (“PHI”), then certain additional precautions should be taken in accordance with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Virginia Health Records Privacy Act, Va. Code Section 32.1-127.103. Medical records should be maintained in accordance with EVMS Medical Group’s Handling PHI: Collection, Storage, Transmission, and Disposal Policy and applicable federal and state law and regulations, and should be stored in a secure location with an approved vendor bound by the terms of a Business Associate Agreement.
  4. All records are considered confidential. Records that contain individually identifiable information, such as medical records, phone messages, receipts, etc., should be maintained in complete confidence in accordance with HIPAA, the Virginia Health Records Privacy Act, and other state and federal laws and regulations. All personnel shall sign a confidentiality statement, and receive HIPAA privacy training prior to accessing, using or disclosing confidential information at EVMS Medical Group. Please refer to Confidentiality of Patient Information and Uses and Disclosure of PHI for more specific policies regarding maintaining the privacy and confidentiality of patient information.
  5. Employees are cautioned that they are responsible for entering accurate and timely information in any and all records at EVMS Medical Group. Employees shall never enter false or misleading information into patient or business records. All information should be verified for accuracy and reliability and authorized as necessary by a supervisor or manager.
  6. See Amendment to Medical Record for the acceptable procedure to correct records.
  7. Records are to be maintained and stored in proper storage and maintenance facilities. It is recommended that duplicate copies of all electronic media related to business or patient records be maintained and that these media be stored in locked, fireproof storage, with one copy stored off-site in similar facilities. Medical record information that has not been accessed in three (3) years can be stored through scanning into electronic media, photographically copied to microfiche, or stored in hard copy. In all cases, medical records in storage should be able to be accessed by appropriate and authorized personnel by reference to the patient name, social security number and patient number. A master index should be placed in the box and maintained in the medical records department or on a readily accessible computer, and should be available for immediate access at all times by authorized medical personnel.  
  8. Any person or entity who is not an employee of EVMS Medical Group and is engaged by EVMS Medical Group to manage, control, maintain, access, use or disclose health records on behalf of EVMS Medical Group must sign a Business Associate Agreement. Agents or vendors who fail or refuse to sign an approved EVMS Medical Group Business Associate Agreement will be removed from the EVMS Medical Group approved list of vendors. Please contact the EVMS Medical Group Privacy Officer to obtain the approved EVMS Medical Group Business Associate Agreement.