• Revenue Cycle Management
  • COVID-19
  • Reimbursement
  • Diabetes Awareness Month
  • Risk Management
  • Patient Retention
  • Staffing
  • Medical Economics® 100th Anniversary
  • Coding and documentation
  • Business of Endocrinology
  • Telehealth
  • Physicians Financial News
  • Cybersecurity
  • Cardiovascular Clinical Consult
  • Locum Tenens, brought to you by LocumLife®
  • Weight Management
  • Business of Women's Health
  • Practice Efficiency
  • Finance and Wealth
  • EHRs
  • Remote Patient Monitoring
  • Sponsored Webinars
  • Medical Technology
  • Billing and collections
  • Acute Pain Management
  • Exclusive Content
  • Value-based Care
  • Business of Pediatrics
  • Concierge Medicine 2.0 by Castle Connolly Private Health Partners
  • Practice Growth
  • Concierge Medicine
  • Business of Cardiology
  • Implementing the Topcon Ocular Telehealth Platform
  • Malpractice
  • Influenza
  • Sexual Health
  • Chronic Conditions
  • Technology
  • Legal and Policy
  • Money
  • Opinion
  • Vaccines
  • Practice Management
  • Patient Relations
  • Careers

HIPAA Consult


Answers to your questions about...retaining records; reporting privacy violations; family authorizations

Retaining medical records

Q. My practice has had an influx of new patients. When their old records are transferred to me, I summarize the relevant parts, using speech recognition software. I then incorporate the summary into my EHR and shred the old records. Is this permitted under HIPAA, or does the law require that I physically house the old records in my office?

Q. I'm part of a group surgical practice. After we dismissed one of our employed physicians, he accessed patient files from his home computer. Was this a HIPAA violation and, if so, whom should we contact to complain about his actions?

A. To answer the first part of your question, Yes, this was probably a HIPAA violation. Once you dismissed the employed physician, he was no longer entitled to records that belong to the practice, unless patients specifically authorized that they be transferred to him. As for filing a complaint (there's no mandatory reporting requirement), contact the regional Office for Civil Rights, US Department of Health and Human Services, for your region. (To file a complaint online, go to, where a list of regional offices is included.)

There's another issue you should consider, however: Why was your former employee able to access practice records in the first place? And do you have appropriate security measures in place to prevent this kind of thing from occurring again? If the answer to the second question is No, take appropriate action to ensure that your medical record system is secure.

Family authorizations

Q. Our office, which sees many elderly patients, is once again updating our patient registration form. Is it a good idea to add a family authorization section that authorizes certain family members to discuss care on behalf of an elderly patient?

A. Yes, it is. In the section, ask the patient to list the name and relationship of any person to whom medical information can be released without the patient being physically present. Also, to be on the safe side, consider adding a second section that lists which family members have been authorized to receive appointment reminders.

Margaret M. Davino (
) is a healthcare attorney with Kaufman Borgeest & Ryan, in New York City.

This department answers common HIPAA-related questions. It isn't intended to provide specific legal advice. Please submit questions via e-mail to
, or by regular mail to Medical Economics, 5 Paragon Drive, Montvale, NJ 07645, ATTN: HIPAA CONSULT. If we select your query, we'll address it in an upcoming issue. Your name will not be used.

Related Videos
Jennifer N. Lee, MD, FAAFP
© National Institute for Occupational Safety and Health
© National Institute for Occupational Safety and Health
© National Institute for Occupational Safety and Health
© National Institute for Occupational Safety and Health
© National Institute for Occupational Safety and Health
© National Institute for Occupational Safety and Health