Skip to Main Content

Medical Records

Provider Type

  • Physicians 
  • Hospitals
  • Ancillary

Participating providers are required to maintain patient medical records in a manner that is current, detailed, complete, and organized. In addition, medical records must reflect all aspects of patient care, be readily available to health care providers and provide data for statistical and quality-of-care analysis.

Standards for the administration of medical records by participating providers are established by Network Providers, LLC (NPLLC). The standards form the basis for the evaluation of medical records by NPLLC.

NPLLC requires that participating providers have a written policy in place that keeps protected health information (PHI) confidential in accordance with the Health Insurance Portability and Accountability Act (HIPAA). The policy must be kept in hard copy or electronic format and must include a functioning mechanism designed to safeguard medical records and information against loss, destruction, tampering, unauthorized access or use, and verbal discussions about patient information to maintain confidentiality.

Provision of Medical Records

Participating providers are required to provide NPLLC with copies of medical records and accounting and administrative books and records, as they pertain to the Provider Participation Agreement (PPA).

The participating provider has financial responsibility to provide copies of medical records so that NPLLC can provide clinical quality management.

Medical records may be required for regulatory reviews by the Centers for Medicare and Medicaid Services (CMS), National Committee for Quality Assurance (NCQA), and Independent Quality Review and Improvement Organization (QIO).

Patients are entitled to confidential treatment of patient communications and records. Case discussion, consultation, examination, and treatment are confidential and must be conducted discreetly. Written authorization from the patient or authorized legal representative must be obtained before medical records are released to anyone not directly concerned with the patients care, except as permitted or as necessary for administration by Network Providers, LLC (NPLLC).

NPLLC requires that participating providers have a written policy in place that keeps protected health information (PHI) confidential in accordance with the Health Insurance Portability and Accountability Act (HIPAA). The policy must be kept in hard copy or electronic format and must include a functioning mechanism designed to safeguard records and information against loss, destruction, tampering, unauthorized access or use, and verbal discussions about patient information to maintain confidentiality.

PHI is considered confidential and encompasses any individual health information, including demographic information collected from a patient, which (1) is created or received by NPLLC and relates to the past, present or future physical, mental health or condition of a patient; the provision of health care to a patient; or the past, present or future payment for the provision of health care to a patient, and (2) that identifies the patient or there is a reasonable basis to believe the information may be used to identify the patient. Particular care must be taken, as confidential PHI may be disclosed intentionally or unintentionally through many means, such as conversation, computer screen data, faxes, or forms. Disclosure of PHI must have prior, written patient authorization.

Agencies Must be Authorized to Receive Medical Records

The relationship and communication between a participating provider and patient is privileged and the medical records containing information about the relationship is confidential. The participating provider's code of ethics, as well as California and federal law, protect against the disclosure of the contents of medical records and PHI, whether written, oral or electronic, to individuals or agencies that are not properly authorized to receive such information.

Basic Principles

PHI may be shared with participating providers in the same facility only, on a need-to-know basis, and may be disclosed outside the facility only to the extent necessary such release is authorized.

In accordance with HIPAA, PHI, whether it is written, oral or electronic, is protected at all times and in all settings. Disclosure of PHI must have prior written patient authorization. NPLLC participating providers only release PHI without authorization when:

  • Needed for payment

  • Necessary for treatment or coordination of care

  • Used for health care operations (including, but not limited to, clinical quality management)

  • Where permitted or required by law

Participating providers may transmit PHI to individuals or organizations who contract to provide covered services to patient. PHI cannot be intentionally shared, sold or otherwise used by NPLLC its subsidiaries, participating providers, or affiliates for any purpose other than for payment, treatment or health care operations or where permitted or required by law without an authorization from the patient.

Network Providers, LLC (NPLLC) developed standards for the administration and evaluation of medical records. Participating providers are required to comply with all medical record documentation standards.

NPLLC requires participating providers to maintain medical records in a manner that is current, detailed, complete, organized, and permits effective and confidential member care and quality review. Medical records must reflect all aspects of patient care, be readily available to health care providers and provide data for statistical and quality-of-care analysis.

Medical Records Documentation Standards

Participating providers are required to meet NPLLC medical record documentation standards. The following documentation guidelines must be followed and all of the elements must be included in the medical records of patients.

  • Format - The primary language and linguistic service needs of non- or limited-English proficient (LEP) or hearing-impaired persons, individual personal biographical information, emergency contact, and identification of the patient's assigned primary care physician (PCP)

  • Documentation - Medical record entries and corrections must be documented in accordance with acceptable legal medical documentation standards; allergies, chronic problems, and ongoing and continuous medications must be documented in a consistent and prominent location; all signed consent forms and the offering of advance health care directive information and education to patients ages 18 and older must be included

  • Coordination of care - Notation of missed appointments, practitioner review of diagnostic tests and consultations, history of present illness, progress and resolution of unresolved problems at subsequent visits, and consistent diagnosis and treatment plans
  • Preventive care:

    • Adult preventive care - Notation of periodic health evaluations according to the United States Preventive Services Task Force (USPSTF); assessment of immunization status and the year of the immunization(s); tuberculosis screenings and testing; blood pressure and cholesterol screenings; Chlamydia screenings for sexually active females to up to age 25 or at risk; and mammograms and Pap smears for females

    • Perinatal preventive care - Notation of prenatal care visits according to the most recent American Congress of Obstetrics and Gynecology (ACOG) standards, domestic violence and abuse screenings; HIV, alpha fetoprotein (AFP) and genetic screenings

       

Network Providers, LLC (NPLLC) monitors medical record documentation through a variety of measures, which includes, but is not limited to, various quality initiatives, data collection by way of medical record audits. Data is aggregated and analyzed at least annually. Opportunities for improvement are identified and appropriate interventions are implemented based on compliance levels established for each individual activity. Interventions may include sending provider updates, educational or reference materials, creating template medical record forms, and provider and staff education and training. Participating providers are required to obtain a performance level of 80 percent on the medical record performance measures.

Participating providers' policies and procedures governing the confidentiality of medical records and the release of protected health information (PHI) must address levels of security of medical records, including:

  • Assurance that the files are secure and not accessible to unauthorized users.

  • Indication of who has access to the medical records.

  • Identification of who may execute different database functions for computerized medical records.

  • Assurance that staff is trained with respect to the Health Insurance Portability and Accountability Act (HIPAA), privacy requirements and related policies.

  • Signed confidentiality agreements on file from staff who have access to medical records.

  • Assurance that photocopies or printouts of the medical records are subject to the same control as the original record.

  • Designation of a person to destroy the medical record when required.

Release of medical information guidelines must address:

  • Requests for PHI via the telephone.

  • Demands made by subpoena duces tecum.

  • Timely transfer of medical records to ensure continuity of care when a patient is referred to a new provider or California Department of Corrections (CDCR) institution.

  • Availability and accessibility of patient medical records to Network Providers, LLC (NPLLC) and to California Correctional Health Care Services (CCHCS) and CDCR or their delegates involved in assessing quality of care.

  • Requirements for medical record information between providers of care:

    • A physician or licensed behavioral health care provider making a patient referral must transmit necessary medical record information to the provider receiving the patient referral.

    • A physician or licensed behavioral health care provider furnishing a referral service provides appropriate information back to the referring provider.

    • A physician or licensed behavioral health care provider requesting information from another treating provider as necessary to provide care.

An authorization form for release of information not covered by HIPAA must be in plain language and must contain the following to be HIPAA compliant:

  • A specific and meaningful description of the information to be used or disclosed.

  • The name of the person or entity authorized to make the requested use or disclosure.

  • The name of a person or entity to which the use or disclosure may be made.

  • A description of each purpose or use for the information. If the individual requests the authorization for his or her own purposes, the description here may read simply "at the request of the individual".

  • An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure.

  • The signature of the individual and the date.

  • If the personal representative signs for the individual, a description of such representative's authority to act for the individual must be provided.

  • A statement about the individual's right to revoke the authorization at any time if the revocation is in writing, the exceptions to the revocation right, and a description of how the individual may revoke the authorization. Alternatively, the revocation statement may state the individual's right to revoke and instruct the individual to refer to the covered entity's Notice of Privacy Practices for instructions and limitations on revocation.

  • A statement that treatment, payment, enrollment, or eligibility for benefits may not be conditioned on obtaining the authorization unless a valid exception applies (such as, pre-enrollment underwriting or information needed for payment of a specific claim for benefits), but the authorization cannot require release of psychotherapy notes for either exception.

  • The consequences to the individual of a refusal to sign when the plan can condition enrollment in the health plan, eligibility for benefits or payment on failure to obtain such authorization.

  • A statement that the information used or disclosed pursuant to the authorization may be subject to redisclosure by the recipient and no longer protected by the privacy rule.

Participating providers must establish procedures ensuring that any advance directive is brought to the attending provider's immediate attention if, in the opinion of that provider, the patient is unable to make health care decisions. If any patient has such a directive in place, the following must occur:

  • Each health care provider must honor advance directives to the fullest extent permitted under California and federal law.
  • Participating providers must be open to any discussion with a patient and provide medical advice if the patient desires guidance or assistance regarding this matter.
  • In no event may the participating provider refuse to treat a patient or otherwise discriminate against a patient because the patient has completed an advance directive.

Participating providers are required to have systems and procedures in place that provide consistent, confidential and comprehensive record-keeping practices. Written procedures must be available upon request by Network Providers, LLC (NPLLC) for the following:

  • Confidentiality of patient information policy and procedure, which address keeping protected health information (PHI) of the patient confidential in accordance with the Health Insurance Portability and Accountability Act (HIPAA). The policy must include a written or electronic functioning mechanism designed to safeguard records and information against loss, destruction, tampering, unauthorized access or use, and additional safeguards to maintain confidentiality during verbal discussions about patient information. Information about written, electronic and verbal privacy, periodic staff training regarding confidentiality of PHI, and securely stored records that are inaccessible to unauthorized individuals must also be included.
  • Release of medical records and information, including faxes.
  • Medical record organization standards policy and procedure, which include information about individual medical records; securely fastened medical records; medical records with patient identification on each individual page; and a consistent area in the medical record designated for the patient's history, allergies, problem list, medication list, preventive care, immunizations, progress notes, therapeutic, diagnostic operative, and specialty physician reports, as well as discharge summaries.
  • Filing system for records (electronic or hardcopy).
  • Formal system for the availability and retrieval of medical records policy and procedure, which must allow for the ease of accessibility to medical records for scheduled patient encounters within the facility or in an approved health record storage facility off the facility premises.
  • Filing of partial medical records policy and procedure, which must outline the process for filing partial medical records offsite, including a process that alerts authorized staff regarding the offsite filing of the partial record.
  • Retention of medical records in accordance with state laws and regulations.
  • Preventive care guidelines for patient.
  • Referrals to specialists.
  • Accessibility of consultations, diagnostic tests, therapeutic service and operative reports, and discharge summaries to health care providers in a timely manner.
  • Inactive medical records policy and procedure, which must include guidelines that describe how and when a medical record becomes inactive. Patient medical records may be converted to microfilm or computer disks for long-term storage. Every provider of health care services who creates, maintains, preserves, stores, abandons, or destroys medical records must do so in a manner that preserves the confidentiality of patient information.
Last Updated: 01/22/2020