Duties and responsibilities
A matter of records: Retention and transfer of clinical records
Originally published March 2003 / Revised October 2016
Some of the most common questions asked by CMPA members relate to the clinical record, including how long should it be kept, how it can be kept secure, and under what circumstances should it be shared or transferred.
Retention of records
Generally, provincial/territorial legislation and/or regulatory authority (College) policies define the period of time for which a physician is required to keep clinical records after the date of last entry in the record. The chart below lists retention requirements or recommendations for each province and territory
The CMPA recommends that physicians retain medical records for at least 10 years (16 years in British Columbia) from the date of last entry or, in the case of minors, 10 years (16 years in British Columbia) from the time the patient would have reached the age of majority (either age 18 or 19 years).
There are important reasons for these recommended retention periods. A principal reason is that the records may be required to assist in the defence of a physician, or his/her estate, if medical-legal difficulty should arise. For example, in the event that a physician's estate is sued in connection with professional work the physician performed, the records often contain the best evidence of the deceased doctor's interaction with the patient.
A physician defending allegations of professional fault or negligence after disposing of a medical record will be left to rely primarily on memory, which may be affected by the passage of time.
While legislation in each province imposes limits as to when a legal action can be commenced, these limits can be quite flexible. In certain circumstances, the courts may be reluctant to deprive an individual of the right to have an issue adjudicated despite the apparent expiry of the limitation period. Accordingly, despite provincial/territorial differences in limitation periods, the CMPA's advice for retention of records remains the same, that is, for at least 10 years (16 years in British Columbia) from the date of last entry or 10 years (16 years in British Columbia) from the age of majority in the case of minors.
Access to records
The 1992 Supreme Court decision in McInerney v. MacDonald represents a significant departure from the previously-held view that the patient's right to information in the medical record is limited to a summary report of the care and management afforded the patient by the physician. In this decision, the Supreme Court of Canada stated that:
- The physical medical records are the property of the physician.
- A patient is entitled to examine and receive a copy of the complete medical records compiled by the physician in administering advice or treatment to the patient, including records prepared by other doctors that the physician may have received.
- The patient is not entitled to examine or receive copies of any information or material received or compiled by the doctor outside of the physician-patient relationship.
- A patient's general right of access to medical records is not absolute. The physician may use discretion not to disclose any information which the physician reasonably believes is likely to cause a substantial adverse effect on the physical, mental or emotional health of the patient or harm to another person. The Court stated that patients should have access to the medical records in all but a few circumstances.
- A patient should have access to the medical record unless there are compelling reasons to not disclose. The onus is on the physician to justify denying access.
- A patient may apply to the court for a review of any refusal by a physician to disclose all or part of the medical record. If the court is not satisfied that the physician acted in good faith, it may order the disclosure and award costs to the patient.
Since this decision was made, many jurisdictions have enacted privacy legislation that governs the disclosure of personal health information.
As a general rule, information about a patient should be disclosed only:
- on the written authority of the patient
- on the written authority of the patient's authorized legal representative
- on receipt of a court order
- when the request comes from an agency or individual expressly entitled by legislation to a copy of the records
Please contact the CMPA if you have questions regarding a third party's entitlement to medical records.
Security of records
Clinical records must be properly secured and protected, either physically or electronically. For example, paper records should be kept in restricted access areas or in locked cabinets with limited access.
Patient information that is stored electronically is likely accessible to a greater number of people than a paper record, and the protection of the information is therefore more complex.
Security features and policies should ensure information maintained in an electronic records system is accessible only within the patient's circle of care, or for other purposes authorized by law or with express patient consent. This can be achieved through the use of user identification and passwords for logging on.
Electronic records systems should also include controls that restrict access based on the user's role and responsibilities. Encryption technology on all computer systems and portable electronic devices (e.g. laptops, memory sticks, etc.) containing patient information is recommended.
Storage and disposal
Physicians must ensure that records are stored in a safe and secure place. Where a physician has engaged a service provider to manage medical records, the physician will continue to be responsible for maintaining the security of the records in accordance with applicable privacy legislation and College requirements. If the records are retained by a commercial storage provider, some jurisdictions that have enacted health-specific privacy legislation require physicians to enter into a written agreement with the commercial storage provider. While this may not be a requirement in every jurisdiction, it is a recommended practice. Patients should also be notified about the location of their records and how they may be accessed. Physicians must also confirm how they can access the records and make copies of any records for the purpose of preparing medical-legal reports, defending legal actions, or participating in a complaint investigation.
Once the retention period has expired, records should be destroyed in a manner that maintains confidentiality. Destruction should ensure that the record cannot be reconstructed in any way. For example, it is recommended that paper records be either shredded, pulverized, or incinerated. Effective destruction of electronic records requires that the records be permanently deleted or irreversibly erased. When destroying information, physicians must consider whether it is necessary to destroy not only the original records, but also any copies, including back-up files. Physicians should be aware of any specific obligations imposed on them by the College or relevant privacy legislation when destroying clinical records.
Before destroying records, it is recommended that a list be made of the names of the patients whose records are to be destroyed, and that this list be kept permanently in a secure location. The purpose is to be able to later determine at a glance that a medical record has been destroyed and has not simply been lost or misplaced.
Transfer of records
It is not uncommon that a former physician is asked by a new physician to provide patient information or even to hand over the record. Occasionally, a patient will ask that the file be sent to the new physician or that it be given to the patient who can in turn take it to the new physician. However, an office clinical record made by you is your property and you may need it later if your professional work or care for the patient is called into question.
As a general practice, it is recommended that you not let the original files out of your control.
There are other reasonable means of providing information about a physician's role in a patient's case (with the patient's consent) without handing over the original file, including:
- a report or letter summarizing the relevant entries in the file; or
- a photocopy of the file may generally be provided if specifically requested.
Physicians must ensure that the medical records are transferred to another physician in a manner that protects the confidentiality of the information. When a physician is transferring patient information contained in an electronic record, the physician should use a secure means such as fax, email, or another eRecord. Physicians should be aware of applicable College policies and guidelines and privacy legislation governing the transfer of personal health information via email or fax.
Physicians working in partnership with others or in a clinic should have an agreement in place to deal with issues related to transfer of, and access to, records in the event the physician leaves the partnership or clinic.
The bottom line
- Despite different legislated and College guidelines across the country, as well as variable limitation periods, the CMPA recommends that for medical-legal purposes a physician's medical records should be retained for at least 10 years (16 years in British Columbia) from the date of last entry or, in the case of minors, 10 years (16 years in British Columbia) from when the age of majority is reached.
- Patients are entitled to receive copies of their medical records arising out of the doctor-patient relationship, including consultant reports. Physicians should ensure that appropriate written authorization is received from the patient or their legal representative before transfer occurs.
- Whether in paper or electronic format, clinical records must be properly secured and protected.
- Once the retention period has expired, records should be destroyed in a manner that maintains confidentiality.
- Where transferring records to another physician, physicians may charge patients a reasonable fee for copying the record.. Some privacy statutes prescribe fees that are permitted to be charged to patients for access to their personal health information, and some Colleges and medical associations also have guidelines in this area.
CMPA members may contact the CMPA for individual advice concerning the management of medical records.