Medical Records

Can a physician withhold a patient’s medical record for a past due balance for services rendered?

No, medical records should not be withheld for any reason. AMA E-3.3.1

Physicians (or other providers) must furnish a complete and current copy of a patient’s medical record to the patient or to a person authorized (by the patient) to have access to medical record under an advanced directive or durable power of attorney. § 31-33-2

Can a physician withhold a patient’s record until the patient pays for copies of the records?

Yes, a physician may require payment for the costs of medical records prior to providing them to patient. § 31-33-3

How quickly must a physician release requested medical records?

A physician must provide medical records to a patient within 30 days of the receipt of a records request. § 31-33-2

A covered entity must act on a request for access to medical records within 30 days. A physician must either grant access to medical records or give a justified denial of access within 30 days of receipt of the request for release. HIPAA - 45 CFR § 164.524(b)(2)

How long must a physician retain medical records?

A physician must retain medical records for at least 10 years. This does not apply to an individual provider who has retired or sold his or her practice if the provider has notified the patient of retirement/sale and offered to provide the patient’s record to another provider of the patient’s choice and, if requested, to the patient. § 31-33-2

What must a physician do with medical records upon retiring or selling a practice?

In Georgia, a physician is required to maintain a patient's complete treatment records for at least 10 years from the date of the patient's last office visit. § 31-33-2

These requirements do not apply to a physician who has retired or sold his or her medical practice if…

  • The physician has notified his or her patients of retirement or sale of practice by mail - offering to provide the patient’s records to another provider of the patient’s choice and, if requested, to the patient.
  • The physician has published a notice - containing the date of retirement or sale - that offers to provide the patient’s records to another provider of the patient’s choice and, if requested, to the patient.
  • The physician has posted a sign announcing retirement or sale of the practice. The sign must be placed 30 days prior to retirement or sale of the practice and must remain posted until the date of retirement or sale.
  • The physician has placed both the notice and sign required by Rule 360-3-.02(16)(c) and has advised patients of their opportunity to transfer or receive their records.

A physician should always seek advice from their private counsel or their malpractice insurance carrier. Rules 360-3-.02

“A patient’s records may be necessary to the patient in the future not only for medical care but also for employment, insurance, litigation, or other reasons. When a physician retires or dies, patients should be notified and urged to find a new physician and should be informed that upon authorization, records will be sent to the new physician. Records which may be of value to a patient and which are not forwarded to a new physician should be retained, either by the treating physician, another physician, or such other person lawfully permitted to act as a custodian of the records. The patients of a physician who leaves a group practice should be notified that the physician is leaving the group. Patients of the physician should also be informed of the physician’s new address and offered the opportunity to have their medical records forwarded to the departing physician at his or her new practice location. It is unethical to withhold such information upon request of a patient. If the responsibility for notifying patients falls to the departing physician rather than to the group, the group should not interfere with the discharge of these duties by withholding patient lists or other necessary information.” AMA E-7.03

Does a physician have to give medical records to third party without a subpoena or court order?

No, a physician should not release a patient’s medical records to a third party without a proper release by the patient or legally authorized individual in accordance with Georgia law, a court order, a subpoena signed by a judge, or certification that the party has placed the opposing party on notice with opportunity to object. A physician may release medical records if there is no objection from the patient after 20 days.

What should a physician do if a patient steals their own medical records?

HIPAA specifies that the data contained within a medical record belongs to the patient, but the physical form containing the data belongs to the entity responsible for maintaining the record (i.e., the physician). If a patient takes medical records without permission and will not return them upon request, the act should be treated as a normal theft and the physician should contact the police.

Does a physician have to keep a paper copy of electronically stored medical records?

No, a provider is not required to maintain separate paper copies of electronically stored records. §31-33-8(b)

Do the same laws that apply to paper copies apply to electronic medical records?

Yes, all provisions of Chapter 33 of Title 31 of the Georgia Code, including fees, apply to electronic medical records. § 31-33-8(c)

What happens to my patients’ medical records when I leave a group?

Medical records belong to the practice. Unless your employment agreement provides otherwise, you may be able to notify patients that you are leaving the practice and notify them of your new address. However, you should be very clear about what you are allowed to do regarding notification of patients when leaving the practice. It is recommended that you discuss/negotiate the process by which you will exit the practice. Request the right to notify your patients of your new address of your departure and information on how to contact you at your new location.

Patients are not prohibited from requesting that their medical record be forwarded to another physician, but a physician should be careful to avoid a breach of an employment agreement or a breach of privacy or patient confidentiality in accessing, copying, or taking patient records. AMA E-7.03

What steps should patients take who can't obtain their medical records?

In the rare event that you can’t obtain your medical records from a physician in the state for any reason, the Medical Association of Georgia (MAG) recommends that you…  

  • Mail a letter requesting a copy of your medical records to the practice at its street address – even if the office is vacant.
  • Find a new physician as soon as possible and let them know that you haven’t been able to obtain your medical records; click on the “Resources” tab at www.mag.org to find a physician in Georgia.
  • Write a summary of your health history – particularly for the last five years – so you can share this information with your new physician.   
  • Ask your pharmacist for a list of medications that you have taken for the last 18 months and determine how much prescription medicine you have left and discuss any medication that you are taking with your new physician as soon as possible. 
  • Request a copy of the claims that have been submitted on your behalf for the last 12 months from your health insurance company. This won’t serve as a substitute for your health record, but it will provide your new physician with useful information. Also let your new physician know about any pending health insurance claims.
  • Contact hospitals in your area that you believe might have access to your medical records. 
  • Send an email to Bethany Sherrer with MAG at bsherrer@mag.org; MAG doesn’t have the legal authority to compel a physician to produce a patient’s medical records, but it will attempt to contact the physician on your behalf.
  • As a last resort, submit a letter of complaint to the Georgia Composite Medical Board (the agency that licenses physicians in the state), Enforcement Unit, 2 Peachtree Street, N.W., 36th Floor, Atlanta, Georgia 30303-3465.

Georgians should know that state law allows a patient or their designee to receive a copy of their medical records within 30 days; physicians are required to retain a patient’s medical records for at least 10 years from the date of the patient’s last office visit; and a medical practice cannot withhold your medical record because of a past due balance – though you might be responsible for the costs associated with copying and mailing your medical record.

Can a physician release a patient’s medical records and health information to an insurance company or third party payer without the patients consent and/or knowledge?

Yes. The amended HIPAA Privacy Rule gives health plans and self-insured employers broad authority (“regulatory permission”) to get information without a patient’s consent. Health plans and employers are also authorized to obtain, use and disclose an individual’s health information without their consent for the purpose of:

1.    Conducting due diligence that’s related to the sale or transfer of assets;
2.    Certain types of marketing;
3.    Business planning and development;
4.    Business management and general administrative activities; and
5.    Underwriting, premium rating and other activities relating to the creation, renewal or replacement of a contract of health insurance (45 CFR 164.501)

Medical practices must (are also required to) provide every patients with a notice that lets them how their personal health information will be used and disclosed. (45 CFR 164.520)