Medical regulations governing patient privacy exist at the state as well as federal level.

Sometimes these rules can be found in guidance published by the state medical board. If the board posts this guidance on its website, the rules are easy to find. For example, here is the policy from the Massachusetts Board of Registration in Medicine:

PHYSICIAN OBLIGATIONS WITH RESPECT TO PATIENT MEDICAL RECORDS
Patient Access to Medical Records:
Physicians must provide patients with a copy of their medical records upon the patient’s request. G.L. c. 112, § 12CC and 243 CMR 2.07 (13).
• The records can be requested by a patient, the patient’s parent (if a minor) or legal guardian, or, with patient authorization, by another physician or any person authorized by the patient.
• Health care providers must provide patients, upon request, with an opportunity to inspect their records, receive a copy of their records, or receive a copy of any previously completed report required for third party reimbursement.
• Patients are entitled to a copy of their complete records, including records transferred from previous physicians.
• The regulations require that medical records be provided in a timely manner. The Board has determined that in most cases, two to three weeks is considered “timely”, while in cases of medical emergency, records should be provided as soon as possible.
• The Health Insurance Portability and Accountability Act (HIPAA) requires that records be provided within 30 days (with some exceptions).
Psychotherapy Records:
Physicians who are providing psychotherapy services should, when appropriate, provide full records to their patients. However, if, in the physician’s reasonable judgment, providing the entire medical record would adversely affect the patient’s well-being, the provider may provide a summary of the record. If the patient continues to request the entire record, the physician may make it available to either the patient’s attorney, with the patient’s consent, or to another psychotherapist, as designated by the patient. G.L. c. 112, § 12CC and 243 CMR 2.07 (13)(e).
Permissible Rates for Copying Records:
Physicians may charge for the cost of copying and providing medical records, but the rate must be reasonable. G.L. c. 111 § 70.
A reasonable rate is no more than:
• $15 per request; $0.50 per page for the first 100 pages; and $0.25 per page for every page over 100;
• Actual cost for postage; and
• Actual cost for the copying of x-rays and other records not reproducible by ordinary photocopying, plus a clerical fee that may not exceed $20.00 an hour.
• Providers may charge one fee for the entire medical record. The flat fee may be more than $15 so long as it is not greater than the per-page cost.
The physician may not charge a fee if the request for copies is being made by or on behalf of a beneficiary for the sole purpose of supporting a claim under any provision of the Social Security Act or any federal or state financial needs-based benefit program. The provider can request reasonable documentation to confirm the request for medical records is for a needs-based purpose. G.L. c. 111, § 70 and 243 CMR 2.07(13)(d).
Providers may not withhold medical records from a patient with unpaid medical services. Providers may require that the patient pay the copying costs before providing records.
Records Retention:
• Physicians must maintain patient records for a minimum of seven years from the date of the last patient encounter or until the former patient reaches age nine. Medical records must be kept in a manner that permits the patient or a successor physician access to the records. 243 CMR 2.07(13)(a).
• A retiring physician, his successor, or the estate of a deceased physician must maintain patient records for seven years from the date of the last patient encounter.
Providing Records to the Board:
Physicians must turn over patients’ medical records to the Board, upon the Board’s request. G.L. c. 112, § 5.
• A physician who provides a patient’s medical records to the Board, in response to the Board’s request, shall not be liable in any cause of action arising out of the receiving of such information.
• Although the HIPAA privacy rule generally requires that health care providers obtain patient consent prior to releasing identifiable health care information, there is an exemption when the Board requests medical records from physicians. In those instances, the physician is not required to seek patient approval prior to providing records to the Board. In addition, the physician may produce the records to the Board without the Board providing a release from the patient. 45 C.F.R. § 164.512(d)(1)(i).

Our law office drafts mirror-HIPAA provisions for physician practices that do not have to comply with HIPAA but nonetheless want to meet state law requirements and maintain high practice standards. Sometimes these provisions require careful attention to language, particularly when physicians practicing integrative medicine have chosen to opt out of Medicare or limit their obligation to provide reimbursement services pursuant to existing health insurance plans.