Skip to Main Navigation
Skip to Main Content
The University of Texas at Dallas

HIPAA Privacy Manual

Section 17: Medical Record and Media Policy

Policy:

UTD must ensure a single unit medical record is comprised of all appropriate medical data generated on each individual UTD patient for continuity of patient care and legal purposes. Any copies made of medical records for convenience (Case Management Records/Shadow Records) or any other copies made for a health care operation of UTD must be tracked and secured just as if these copies were the institution’s official medical record.

Definitions:

Medical Record Department (MRD): The official UTD medical record is maintained by the Medical Records Department (MRD) and contains UTD’s original patient care documents.

Medical Record (MR) : The record contains the written interpretations of all significant clinical information gathered for a given patient, whether as an inpatient, outpatient, or emergency care patient. The entire patient’s medical record is thus in one volume, or multiple volumes, under one number. Medical records are maintained according to the record retention schedule.

Subsidiary Medical Record (SMR): A medical record maintained by a specific department other than MRD department, which contains original documents concerning outpatient health care administered by UTD health care providers to UTD patients.

Case Management Records (CMR): These records are commonly referred to as shadow records. They are medical records maintained by a specific physician or department that includes only copies of original patient care information that has already been forwarded to MRD for inclusion in the MR. These records are considered convenience copies only and have no record retention schedule. These records never contain original medical records.

Medical Media: Medical Media includes health information stored in any original media. Examples of Medical Media include, but are not limited to written and electronic data. These forms of Medical Media have unique retention schedules. The MRD must contain a written interpretation of all Medical Media. Medical Media is distinct from the written interpretations of significant clinical information that has been forwarded to the MRD.

Designated Record Set: The designated record set includes the MRD, and billing records of patients. Additionally, the designated record set includes any records that UTD or a Business Associate has used while making health care decisions. For example, medical records from non-UTD sources used to make health care decisions. The designated record set specifically excludes:

  • Healthcare operations not related to medical care
  • Copyrighted materials or Trade Secrets
  • Outside records provided by caregivers which are not necessary for treatment purposes. These records are returned to the provider or shredded.

Department Medical Record

A MR shall be generated for each UTD patient and the MRD will maintain all MRs.

  • All pertinent UTD health care information created is to be documented on approved medical record forms. All proposed forms must be approved according to guidelines in Medical Records Forms Management.
  • Patient name and unit history number are to be clearly printed or included on a label attached to each page of the medical information.
  • Completed original medical record forms are to be forwarded to MRD immediately for inclusion in the MR.
  • Any UTD employee who uses the MR must ensure that PHI is maintained confidentially and must use only the minimum necessary amount of information required to complete the employee’s tasks.
  • No one other than MRD can disclose information from the MR, for purposes other than Treatment, Payment or health care Operations (TPO). Departments must forward non-TPO requests for PHI to the MRD for processing. For additional information regarding the release of information, see both the Use and Disclosure of PHI based on Patient Authorization and the Accounting for Disclosures.

Subsidiary Medical Record:

UTD prohibits departments or division from maintaining their own Subsidiary Medical Records. All original medical information must be sent to MRD for inclusion in the MR.

Medical Media:

Medical Media refers to original information in any format that is used as a basis of a diagnostic test or report. The original written interpretation of the Medical Media data must be stored in the MRD.

  • Medical Media must be maintained in a manner that ensures the confidentiality of the PHI in accordance with standards on medical record services, UTD policies and procedures, and applicable federal and state laws.
  • Any department containing Medical Media must designate a Custodian for Medical Media and the department must obtain approval for maintaining the Medical Media from the MRD prior to the creation of these records. Departments may request approval to maintain Medical Media by writing for permission from the MRD.
  • Any and all requests for the release of PHI must be referred to the MRD. PHI will not be disclosed from Medical Media, except for emergency purposes. Emergencies are determined by the professional judgment of the licensed treatment provider responsible for the patient. For more information regarding the release of information, please see the Use and Disclosure of PHI based on Patient Authorization.
  • Medical Media may be audited at any time to verify adherence to this policy.
  • Audit results will be reported to the Privacy Officer. The Privacy Officer will make the recommendations to the UTD Compliance Committee. Corrective action may include, but is not limited to, revocation of the privilege of maintaining Medical Media.

Case Management Records/Shadow Records:

Each UTD department or entity that maintains CMRs must appoint a person (CMR Custodian) responsible for compliance with this policy. Health care information in the form of a CMR must be maintained as follows:

  • CMRs must be maintained in a manner that ensures the confidentiality of the PHI in accordance with standards on medical record services, UTD policies and procedures, and applicable federal and state laws.
  • Any and all requests for the release of PHI must be referred to MRD. PHI will not be disclosed from CMRs, except for emergency purposes. Emergencies are determined by the professional judgment of the licensed treatment provider responsible for the patient. For more information regarding the release of information, please see the Use and Disclosure of PHI based on Patient Authorization.
  • CMRs may be audited at any time to verify adherence to this policy.
  • Audit results will be reported to the Privacy Officer. The Privacy Officer will make the recommendations to the UTD Compliance Committee regarding corrective action. Corrective action may include, but is not limited to, revocation of the privilege of maintaining CMRs.
  • If CMRs are found to contain original medical information that should be in the MRD, the custodian of the CMR must remove this information immediately and make any and all arrangements to have it incorporated into the proper MRD.
  • When a CMR is no longer needed, the custodian of these records must dispose of them in a manner that ensures the confidentiality of the information in accordance with UTD Disposal of PHI.

Physical Management of Medical Records:

Any department or entity that maintains either CMRs, Medical Media or copies of medical records must designate a Record Custodian to be responsible for securing and tracking those records. Physical maintenance of CMRs, Medical Media or copies of medical information require:

  • Record Custodians must take appropriate measures to ensure CMRs, Medical Media or copies of medical information are maintained in a secure location with restricted access. All CMRs, Medical Media or copies of medical information must be secured in a locked room or locked file cabinet. Each Custodian must designate a person (or persons) to be responsible for granting access to the locked room or locked file cabinet containing CMRs, Medical Media or copies of medical information.
  • Record Custodians must use a tracking system to account for the inventory and location of the CMRs, Medical Media or copies of medical information. The tracking system must include the following:
  • An inventory that shows when records are added or destroyed, and
  • A system for establishing the location for the record. This must include establishing the party responsible for the record once it has been checked out.
  • This tracking system may be manual system, an automated system or a combination of the two.

Release of Information

As a result of the HIPAA regulations, releasing information has become extremely complex due to several specific reporting requirements. MRD will also responsible for the release of any information for purposes other than TPO. For instance, additional copies of billing information or copies of pharmacy records that require the patient’s authorization or information request made pursuant to subpoenas or court orders will be managed solely by MRD. For more information on the release of information, please see Use and Disclosure of PHI based on Patient Authorization.