The terms medical record, health record, and medical chart are used somewhat interchangeably to describe the systematic documentation of a single patient's medical history and care across time within one particular health care provider's jurisdiction. A medical record includes a variety of types of "notes" entered over time by healthcare professionals, recording observations and administration of drugs and therapies, orders for the administration of drugs and therapies, test results, x-rays, reports, etc. The maintenance of complete and accurate medical records is a requirement of health care providers and is generally enforced as a licensing or certification prerequisite.
The terms are used for the written (paper notes), physical (image films) and digital records that exist for each individual patient and for the body of information found therein.
Medical records have traditionally been compiled and maintained by health care providers, but advances in online data storage have led to the development of personal health records (PHR) that are maintained by patients themselves, often on third-party websites. This concept is supported by US national health administration entities and by AHIMA, the American Health Information Management Association.
In 2009, Congress authorized and funded legislation known as the Health Information Technology for Economic and Clinical Health Act to stimulate the conversion of paper medical records into electronic charts. While many hospitals and doctor's offices have since done this successfully, electronic health vendors' proprietary systems haven't always been compatible with one another, and an untold number of patients undergo duplicate procedures — or fail to get them at all — because key pieces of their medical history are missing.
Because many consider the information in medical records to be sensitive private information covered by expectations of privacy, many ethical and legal issues are implicated in their maintenance, such as third-party access and appropriate storage and disposal. Although the storage equipment for medical records generally is the property of the health care provider, the actual record is considered in most jurisdictions to be the property of the patient, who may obtain copies upon request.
The information contained in the medical record allows health care providers to determine the patient's medical history and provide informed care. The medical record serves as the central repository for planning patient care and documenting communication among patient and health care provider and professionals contributing to the patient's care. An increasing purpose of the medical record is to ensure documentation of compliance with institutional, professional or governmental regulation.
The traditional medical record for inpatient care can include admission notes, on-service notes, progress notes (SOAP notes), preoperative notes, operative notes, postoperative notes, procedure notes, delivery notes, postpartum notes, and discharge notes.
A patient's individual medical record identifies the patient and contains information regarding the patient's case history at a particular provider. The health record as well as any electronically stored variant of the traditional paper files contain proper identification of the patient. Further information varies with the individual medical history of the patient.
The contents are generally written with other healthcare professionals in mind. This can result in confusion and hurt feelings when patients read these notes. For example, some abbreviations, such as for shortness of breath, are similar to the abbreviations for profanities, and taking "time out" to follow a surgical safety protocol might be misunderstood as a disciplinary technique for children.
Traditionally, medical records were written on paper and maintained in folders often divided into sections for each type of note (progress note, order, test results), with new information added to each section chronologically. Active records are usually housed at the clinical site, but older records are often archived offsite.
The advent of electronic medical records has not only changed the format of medical records but has increased accessibility of files. The use of an individual dossier style medical record, where records are kept on each patient by name and illness type originated at the Mayo Clinic out of a desire to simplify patient tracking and to allow for medical research.
Maintenance of medical records requires security measures to prevent from unauthorized access or tampering with the records.
The medical history is a longitudinal record of what has happened to the patient since birth. It chronicles diseases, major and minor illnesses, as well as growth landmarks. It gives the clinician a feel for what has happened before to the patient. As a result, it may often give clues to current disease state. It includes several subsets detailed below.
- Surgical history
- The surgical history is a chronicle of surgery performed for the patient. It may have dates of operations, operative reports, and/or the detailed narrative of what the surgeon did.
- Obstetric history
- The obstetric history lists prior pregnancies and their outcomes. It also includes any complications of these pregnancies.
- Medications and medical allergies
- The medical record may contain a summary of the patient's current and previous medications as well as any medical allergies.
- Family history
- The family history lists the health status of immediate family members as well as their causes of death (if known). It may also list diseases common in the family or found only in one sex or the other. It may also include a pedigree chart. It is a valuable asset in predicting some outcomes for the patient.
- Social history
- The social history is a chronicle of human interactions. It tells of the relationships of the patient, his/her careers and trainings, and religious training. It is helpful for the physician to know what sorts of community support the patient might expect during a major illness. It may explain the behavior of the patient in relation to illness or loss. It may also give clues as to the cause of an illness (e.g. occupational exposure to asbestos).
- Various habits which impact health, such as tobacco use, alcohol intake, exercise, and diet are chronicled, often as part of the social history. This section may also include more intimate details such as sexual habits and sexual orientation.
- Immunization history
- The history of vaccination is included. Any blood tests proving immunity will also be included in this section.
- Growth chart and developmental history
- For children and teenagers, charts documenting growth as it compares to other children of the same age is included, so that health-care providers can follow the child's growth over time. Many diseases and social stresses can affect growth, and longitudinal charting can thus provide a clue to underlying illness. Additionally, a child's behavior (such as timing of talking, walking, etc.) as it compares to other children of the same age is documented within the medical record for much the same reasons as growth.
Within the medical record, individual medical encounters are marked by discrete summations of a patient's medical history by a physician, nurse practitioner, or physician assistant and can take several forms. Hospital admission documentation (i.e., when a patient requires hospitalization) or consultation by a specialist often take an exhaustive form, detailing the entirety of prior health and health care. Routine visits by a provider familiar to the patient, however, may take a shorter form such as the problem-oriented medical record (POMR), which includes a problem list of diagnoses or a "SOAP" method of documentation for each visit. Each encounter will generally contain the aspects below:
- Chief complaint
- This is the main problem (traditionally called a complaint) that has brought the patient to see the doctor or other clinician. Information on the nature and duration of the problem will be explored.
- History of the present illness
- A detailed exploration of the symptoms the patient is experiencing that have caused the patient to seek medical attention.
- Physical examination
- The physical examination is the recording of observations of the patient. This includes the vital signs, muscle power and examination of the different organ systems, especially ones that might directly be responsible for the symptoms the patient is experiencing.
- Assessment and plan
- The assessment is a written summation of what are the most likely causes of the patient's current set of symptoms. The plan documents the expected course of action to address the symptoms (diagnosis, treatment, etc.).
Orders and prescriptions
Written orders by medical providers are included in the medical record. These detail the instructions given to other members of the health care team by the primary providers.
When a patient is hospitalized, daily updates are entered into the medical record documenting clinical changes, new information, etc. These often take the form of a SOAP note and are entered by all members of the health-care team (doctors, nurses, physical therapists, dietitians, clinical pharmacists, respiratory therapists, etc.). They are kept in chronological order and document the sequence of events leading to the current state of health.
The results of testing, such as blood tests (e.g., complete blood count) radiology examinations (e.g., X-rays), pathology (e.g., biopsy results), or specialized testing (e.g., pulmonary function testing) are included. Often, as in the case of X-rays, a written report of the findings is included in lieu of the actual film.
Many other items are variably kept within the medical record. Digital images of the patient, flowsheets from operations/intensive care units, informed consent forms, EKG tracings, outputs from medical devices (such as pacemakers), chemotherapy protocols, and numerous other important pieces of information form part of the record depending on the patient and his or her set of illnesses/treatments.
Medical records are legal documents that can be used as evidence via a subpoena duces tecum, and are thus subject to the laws of the country/state in which they are produced. As such, there is great variability in rules governing production, ownership, accessibility, and destruction. There is some controversy regarding proof verifying the facts, or absence of facts in the record, apart from the medical record itself.
Demographics include patient information that is not medical in nature. It is often information to locate the patient, including identifying numbers, addresses, and contact numbers. It may contain information about race and religion as well as workplace and type of occupation. It also contains information regarding the patient's health insurance. It is common to also find emergency contact information located in this section of the medical chart.
In the United States, written records must be marked with the date and time and scribed with indelible pens without use of corrective paper. Errors in the record should be struck out with a single line (so that the initial entry remains legible) and initialed by the author. Orders and notes must be signed by the author. Electronic versions require an electronic signature.
Ownership of patient's record
Ownership and keeping of patient's records varies from country to country.
US law and customs
In the United States, the data contained within the medical record belongs to the patient, whereas the physical form the data takes belongs to the entity responsible for maintaining the record per the Health Insurance Portability and Accountability Act. Patients have the right to ensure that the information contained in their record is accurate, and can petition their health care provider to amend factually incorrect information in their records.
There is no consensus regarding medical record ownership in the United States. Factors complicating questions of ownership include the form and source of the information, custody of the information, contract rights, and variation in state law. There is no federal law regarding ownership of medical records. HIPAA gives patients the right to access and amend their own records, but it has no language regarding ownership of the records. Twenty-eight states and Washington, D.C., have no laws that define ownership of medical records. Twenty-one states have laws stating that the providers are the owners of the records. Only one state, New Hampshire, has a law ascribing ownership of medical records to the patient.
Canadian law and customs
Under Canadian federal law, the patient owns the information contained in a medical record, but the healthcare provider owns the records themselves. The same is true for both nursing home and dental records. In cases where the provider is an employee of a clinic or hospital, it is the employer that has ownership of the records. By law, all providers must keep medical records for a period of 15 years beyond the last entry.
The precedent for the law is the 1992 Canadian Supreme Court ruling in McInerney v MacDonald. In that ruling, an appeal by a physician, Dr. Elizabeth McInerney, challenging a patient's access to their own medical record was denied. The patient, Margaret MacDonald, won a court order granting her full access to her own medical record. The case was complicated by the fact that the records were in electronic form and contained information supplied by other providers. McInerney maintained that she didn't have the right to release records she herself did not author. The courts ruled otherwise. Legislation followed, codifying into law the principles of the ruling. It is that legislation which deems providers the owner of medical records, but requires that access to the records be granted to the patient themselves.
UK law and customs
In the United Kingdom, ownership of the NHS's medical records has in the past generally been described as belonging to the Secretary of State for Health  and this is taken by some to mean copyright also belongs to the authorities.
German law and customs
In Germany, a relatively new law, which has been established in 2013, strengthens the rights of patients. It states, amongst other things, the statutory duty of medical personnel to document the treatment of the patient in either hard copy or within the electronic patient record (EPR). This documentation must happen in a timely manner and encompass each and every form of treatment the patient receives, as well as other necessary information, such as the patient's case history, diagnoses, findings, treatment results, therapies and their effects, surgical interventions and their effects, as well as informed consents. The information must include virtually everything that is of functional importance for the actual, but also for future treatment. This documentation must also include the medical report and must be archived by the attending physician for at least 10 years. The law clearly states that these records are not only memory aids for the physicians, but also should be kept for the patient and must be presented on request.
In addition, an electronic health insurance card was issued in January 2014 which is applicable in Germany (Elektronische Gesundheitskarte or eGK), but also in the other member states of the European Union (European Health Insurance Card). It contains data such as: the name of the health insurance company, the validity period of the card, and personal information about the patient (name, date of birth, sex, address, health insurance number) as well information about the patient's insurance status and additional charges. Furthermore, it can contain medical data if agreed to by the patient. This data can include information concerning emergency care, prescriptions, an electronic medical record, and electronic physician's letters. However, due to the limited storage space (32kB), some information is deposited on servers.
In the United States, the most basic rules governing access to a medical record dictate that only the patient and the health-care providers directly involved in delivering care have the right to view the record. The patient, however, may grant consent for any person or entity to evaluate the record. The full rules regarding access and security for medical records are set forth under the guidelines of the Health Insurance Portability and Accountability Act (HIPAA). The rules become more complicated in special situations. A 2018 study found discrepancies in how major hospitals handle record requests, with forms displaying limited information relative to phone conversations.
- When a patient does not have capacity (is not legally able) to make decisions regarding his or her own care, a legal guardian is designated (either through next of kin or by action of a court of law if no kin exists). Legal guardians have the ability to access the medical record in order to make medical decisions on the patient’s behalf. Those without capacity include the comatose, minors (unless emancipated), and patients with incapacitating psychiatric illness or intoxication.
- Medical emergency
- In the event of a medical emergency involving a non-communicative patient, consent to access medical records is assumed unless written documentation has been previously drafted (such as an advance directive)
- Research, auditing, and evaluation
- Individuals involved in medical research, financial or management audits, or program evaluation have access to the medical record. They are not allowed access to any identifying information, however.
- Risk of death or harm
- Information within the record can be shared with authorities without permission when failure to do so would result in death or harm, either to the patient or to others. Information cannot be used, however, to initiate or substantiate a charge unless the previous criteria are met (i.e., information from illicit drug testing cannot be used to bring charges of possession against a patient). This rule was established in the United States Supreme Court case Jaffe v. Redmond.
In the 1992 Canadian Supreme Court ruling in McInerney v. MacDonald gave patients the right to copy and examine all information in their medical records, while the records themselves remained the property of the healthcare provider. The 2004 Personal Health Information Protection Act (PHIPA) contains regulatory guidelines to protect the confidentiality of patient information for healthcare organizations acting as stewards of their medical records. Despite legal precedent for access nationwide, there is still some variance in laws depending on the province. There is also some confusion among providers as to the scope of the patient information they have to give access to, but the language in the supreme court ruling gives patient access rights to their entire record.
In the United Kingdom, the Data Protection Acts and later the Freedom of Information Act 2000 gave patients or their representatives the right to a copy of their record, except where information breaches confidentiality (e.g., information from another family member or where a patient has asked for information not to be disclosed to third parties) or would be harmful to the patient's wellbeing (e.g., some psychiatric assessments). Also, the legislation gives patients the right to check for any errors in their record and insist that amendments be made if required.
In general, entities in possession of medical records are required to maintain those records for a given period. In the United Kingdom, medical records are required for the lifetime of a patient and legally for as long as that complaint action can be brought. Generally in the UK, any recorded information should be kept legally for 7 years, but for medical records additional time must be allowed for any child to reach the age of responsibility (20 years). Medical records are required many years after a patient's death to investigate illnesses within a community (e.g., industrial or environmental disease or even deaths at the hands of doctors committing murders, as in the Harold Shipman case).
The outsourcing of medical record transcription and storage has the potential to violate patient-physician confidentiality by possibly allowing unaccountable persons access to patient data. Falsification of a medical record by a medical professional is a felony in most United States jurisdictions. Governments have often refused to disclose medical records of military personnel who have been used as experimental subjects.
Given the series of medical data breaches and the lack of public trust, some countries have enacted laws requiring safeguards to be put in place to protect the security and confidentiality of medical information as it is shared electronically and to give patients some important rights to monitor their medical records and receive notification for loss and unauthorized acquisition of health information. The United States and the EU have imposed mandatory medical data breach notifications.
Patients' medical information can be shared by a number of people both within the health care industry and beyond. The Health Insurance Portability and Accessibility Act (HIPAA) is a United States federal law pertaining to medical privacy that went into effect in 2003. This law established standards for patient privacy in all 50 states, including the right of patients to access to their own records. HIPAA provides some protection, but does not resolve the issues involving medical records privacy.
Medical and health care providers experienced 767 security breaches resulting in the compromised confidential health information of 23,625,933 patients during the period of 2006–2012.
The examples and perspective in this section deal primarily with the United States and do not represent a worldwide view of the subject. (December 2012)
The federal Health Insurance Portability and Accessibility Act (HIPAA) addresses the issue of privacy by providing medical information handling guidelines. Not only is it bound by the Code of Ethics of its profession (in the case of doctors and nurses), but also by the legislation on data protection and criminal law. Professional secrecy applies to practitioners, psychologists, nursing, physiotherapists, occupational therapists, nursing assistants, chiropodists, and administrative personnel, as well as auxiliary hospital staff. The maintenance of the confidentiality and privacy of patients implies first of all in the medical history, which must be adequately guarded, remaining accessible only to the authorized personnel. However, the precepts of privacy must be observed in all fields of hospital life: privacy at the time of the conduct of the anamnesis and physical exploration, the privacy at the time of the information to the relatives, the conversations between healthcare providers in the corridors, maintenance of adequate patient data collection in hospital nursing controls (planks, slates), telephone conversations, open intercoms etc.
- "Personal Health Records" (PDF). CMS. April 2011. Archived from the original (PDF) on 2012-03-05. Retrieved 2012-04-14.
- "Frequently Asked Questions". MyPHR.com. Archived from the original on 2012-04-11. Retrieved 2012-04-14.
- "National Institute for Health". Nih.gov. Retrieved 2012-04-14.
- "American Health Information Management Association". Ahima.org. 2012-03-22. Retrieved 2012-04-14.
- "HITECH Act Enforcement Interim Final Rule". Hhs.gov. Retrieved 2018-09-25.
- "Paper Trails: Living and Dying With Fragmented Medical Records". undark.org. Retrieved 2018-09-25.
- "Health Information Privacy". Hhs.gov. Retrieved 2012-04-14.
- "10 tips to give patients electronic access to their medical records". American Medical Association. 9 March 2020.
- "Medical Records". McKinley Health Center. Retrieved 2012-04-14.
- "A Sample Health Record". Nlm.nih.gov. Retrieved 2012-04-14.
- Klein, Jared W.; Jackson, Sara L.; Bell, Sigall K.; Anselmo, Melissa K.; Walker, Jan; Delbanco, Tom; Elmore, Joann G. (October 2016). "Your Patient Is Now Reading Your Note: Opportunities, Problems, and Prospects". The American Journal of Medicine. 129 (10): 1018–1021. doi:10.1016/j.amjmed.2016.05.015. ISSN 0002-9343. PMC 7098183. PMID 27288854. Lay summary – The New York Times (30 September 2021).
- "Mayo Clinic Investing $1.5 Billion in HIPAA Compliant EHR System". HIPAA Journal. Retrieved 2017-10-17.
- "My Family Health Portrait". Office of the Surgeon General. Archived from the original on 2014-10-06. Retrieved 2012-04-14.
- Judson, Karen, B.S.; Harrison, Carlene, Ed.D., C.M.A. (2010). "Chapter 6: Medical Records and Informed Consent". Law & Ethics for Medical Careers (5th ed.). New York: McGraw-Hill Higher Education. ISBN 9780073402062.
- Brodnik, Melanie S., PhD, RHIA; McCain, Mary Cole, MPA, RHIA; et al. (2009). Fundamentals of Law for Health Informatics and Information Management. Chicago: AHIMA. p. 239. ISBN 978-1-58426-173-5.
- "P.L. 104-191". Aspe.hhs.gov. 1996-08-21. Retrieved 2012-04-14.
- 45 CFR 164.526
- "Who Owns Health Information? - Health Information & the Law".
- "Patient records: The struggle for ownership". Archived from the original on 2015-12-10.
- "Who Owns Medical Records: 50 State Comparison - Health Information & the Law".
- "CMPA: Electronic Records Handbook" (PDF).
- The Canadian Bar Association: Getting Your Medical Records
- "McInerney v. MacDonald". Dominion Law Reports. 93: 415–31. 1992. PMID 12041089.
- "CMPA: Who Owns the Medical Record?".
- Moyle R (30 November 1976). "Written Answers (Commons): SOCIAL SERVICES: Medical Records (Ownership and Storage)". Hansard. 921 (c91W).
Personal medical records, including X-rays, in respect of patients treated under the NHS are held to be the property of the Secretary of State. NHS hospital medical records are stored in premises designated by the appropriate health authority. Access to a patient's medical records is governed in the patient's interest by the ethics of the medical and allied professions.
- "Policy and Procedure For Records: Retention & Disposal" (PDF). Mersey Care NHS Trust. Nov 2016. Retrieved 2017-10-16.
ownership and copyright in these records as a rule is with the NHS Trust or Health Authority, not with any individual employee or contractor.
- Lye, Carolyn T.; Forman, Howard P.; Gao, Ruiyi; Daniel, Jodi G.; Hsiao, Allen L.; Mann, Marilyn K.; deBronkart, Dave; Campos, Hugo O.; Krumholz, Harlan M. (2018-10-05). "Assessment of US Hospital Compliance With Regulations for Patients' Requests for Medical Records". JAMA Network Open. 1 (6): e183014. doi:10.1001/jamanetworkopen.2018.3014. ISSN 2574-3805. PMC 6324595. PMID 30646219.
- "Personal Health Information Protection Acts [SBC 2003] Chapter 63".
- Grant, D.A. (1998). "MDs still confused about patient access to medical records". Canadian Medical Association Journal. 158 (9): 1126. PMC 1229252.
- "Government 'Breached Ex-Soldier's Human Rights'". The Guardian. October 20, 2004.
- Kierkegaard Patrick (2012). "Medical data breaches: Notification delayed is notification denied". Computer Law & Security Review. 28 (2): 163–183. doi:10.1016/j.clsr.2012.01.003.
- Privacy Rights Clearinghouse - Medical Privacy Information
- Privacy Rights Clearinghouse's Chronology of Data Security Breaches.
- Health and Human Services HIPAA Privacy Rule for health information.
|Wikimedia Commons has media related to Medical records.|
- Personal Medical Records from MedlinePlus
- American Health Information Management Association
- Medical Record Privacy - Electronic Privacy Information Center (EPIC)
Organizations dealing with medical records
- ASTM Continuity of Care Record - a patient health summary standard based upon XML, the CCR can be created, read and interpreted by various EHR or Electronic Medical Record (EMR) systems, allowing easy interoperability between otherwise disparate entities.
- American Health Information Management Association