Risk management FAQs

About Risk Management

How many hours of CME do I need per year?

According to TMB Rule 166.2, Texas physicians are required to complete 48 hours of credit every 24 months. At least 24 credits must be from formal courses designated as Category I. At least two of the 24 formal credits must involve the study of medical ethics. The remaining 24 credits may comprise informal self-study, attendance at hospital lectures, grand rounds, or case conferences not approved for formal CME.

How much is the CME discount and when will it apply?

TMLT policyholders who complete a 2-hour risk management CME activity may be eligible for a 3% premium discount. The discount will be applied to your next eligible policy period.

What CME courses can I take to receive the risk management discount?

We offer online CME, Case Closed home-study programs, and CME in Volume 4 of our publication, the Reporter. You can also attend one of our scheduled seminars or a seminar that we co-sponsor with the Texas Medical Association. View a complete listing of all TMLT CME courses.

How many risk management courses can I take per policy period to be eligible for the TMLT risk management discount?

TMLT policyholders can take two 2-hour courses per policy period.

What if I take more than two risk management courses? Can I carry them over to the next policy period for the risk management discount?

Yes. You can carry over up to two courses per year.

What is my policy period?

Your policy period is listed on your current policy declarations page.

I am trying to complete an online CME course and it is asking for a user name and password.

If you have previously completed a TMLT online CME course and you do not have your user name and password, please go to our online CME login page and click "I forgot my password."

If you have not completed a TMLT online course, please go to our online CME login page and click "New User Registration." You will need to enter your policy number and your license number.

I completed a TMLT course and cannot find my certificate.

You can reprint a certificate from any online course by going to our online CME login page and selecting the course. Click the "Test/Certificate" button to print your certificate. If you attended a live seminar and need a copy of your certificate, please contact the risk management department and a duplicate copy of your certificate will be sent to you.

I think I have taken all the online courses available. Can you check and see if there is something I have not taken?

Please contact the risk management department for a course transcript, or go to our online CME login page and select "Risk Management/View CME History."

What happens during a practice review?

During a practice review, a risk management professional will visit your practice to help determine your risk exposures. Before the scheduled review date, questionnaires will be emailed to you. The representative will then review approximately 10 medical records for each physician in the practice. He/she will also review your practice's policy and procedure manual, take a quick tour of the office, and conclude the review with a wrap-up discussion with the physician(s).

How long will the practice review take?

The time for a review varies depending on the size of your practice. Plan on a representative being in the office for several hours. However, the majority of the representative's time will be spent reviewing medical records, and he/she will not require time from anyone in your office.

Does the physician have to be present during the practice review?

Physicians are encouraged to continue their regular schedule during the review. Once the risk management representative has completed the review, he/she will need to spend approximately 45 to 60 minutes with the physician(s) to discuss general risk management concerns and any specific recommendations. This meeting will be arranged when the practice review is scheduled.

Do I need to de-identify patient information in the medical records that will be reviewed during a practice review?

No. TMLT has a HIPAA business associate's agreement on file with all of our policyholders. This allows us to review the medical records under HIPAA guidelines. No patient information will be removed from the practice.

Can one physician in a group request a practice review if the other physicians do not wish to participate?

When a practice review is requested for a group, it is recommended that all TMLT-insured physicians agree to be included before scheduling the review.

Can a physician who is not a TMLT policyholder request a practice review?

Yes. Practice reviews are free to all TMLT policyholders. However, if a physician who is not insured by TMLT would like to request a practice review, that physician can contact the TMLT Risk Management Department for information regarding the fees for a review.

Can a hospital-based physician (hospitalist, radiologist, pathologist, anesthesiologist, emergency medicine physician) request a practice review?

Yes. TMLT can conduct practice reviews for physicians in all specialties and practice types.

How long will the practice review premium discount remain in effect?

Once the physician has adequately responded in writing to any recommendations made during the review, the 5% practice review discount is effective for the remainder of the current policy period plus an additional two full policy periods, as long as the physician is continuously insured with TMLT.

How long will it take before I hear from someone about scheduling the review?

Typically, risk management representatives are out of the office conducting practice reviews 2 to 3 days per week. Therefore, it may take up to 2 weeks before a representative contacts you to schedule the review.

Medical Privacy and Security — State and Federal Laws

Are some physician practices exempt from complying with HIPAA?

Under HIPAA, the definition of "covered entities" did exclude a few physicians; however, the Texas Medical Records Privacy Act is much more inclusive and anyone who creates or maintains medical records must comply with Texas rules. Physicians may want to seek the advice of an attorney who specializes in HIPAA to determine if they are exempt from the federal law.

In 2003, practices that had paper medical records and met the definition of a covered entity were required to meet HIPAA Privacy. Is that all I need to be concerned about?

Covered entities were required to meet HIPAA Privacy in 2003; however, changes have been made that affect Texas physicians. The Texas Medical Records Privacy Act, HITECH in 2009, and the HIPAA Omnibus Rule in 2013 have changed the requirements. Additionally, if you bill electronically or have transitioned to electronic medical records you must meet the HIPAA Security Requirements. For more information, visit the HHS web site.

Who is required to conduct a risk analysis and how often must it be repeated?

All practices that are required to meet the HIPAA Security Rule are required to conduct a risk analysis. Generally speaking, if you bill electronically, have electronic records or maintain records in an electronic format you are required to conduct a risk analysis. Additionally, you are required to re-assess your risk and vulnerabilities any time you make significant changes to your network or system.

For practices participating in meaningful use, the requirement is to conduct a risk assessment annually or review the previous one. The inability to produce a thorough and complete risk assessment is the number one reason that medical practices are failing meaningful use audits.

Additionally, if a breach or complaint is investigated by the OCR, investigators will ask to see the results of all risk assessments performed, as well as any plan developed to address the risks and vulnerabilities discovered.

TMLT staff are available to conduct a risk analysis for your practice. Please contact Stephanie Downing at 800-580-8658, ext. 4884 for more information.

What are the requirements for training staff on privacy and security?

Under HIPAA, covered entities were required to train staff and repeat training when changes were made in the practice. Texas has much more stringent requirements. All new employees must be trained by the 90th day of employment; employees must be retrained whenever there is a change in the law that affects their job as it relates to personal health information (training should be done as soon as possible, but is required by the first anniversary of the effective date of the law); and the employee must sign an acknowledgment of training.

Are business associate agreements required?

Under HIPAA, HITECH, and the HIPAA Omnibus Rule, business associate agreements or contracts are required to clearly outline the responsibilities of the business associate. Under the Omnibus Rule, there are more requirements for business associates and their subcontractors. Covered entities should review their business associate agreements for compliance.

All business associate agreements should have been updated before September 22, 2014 to meet the requirements of the Omnibus rule.

For more information, please see the HHS website.

How is sensitive personal information different from protected health information?

In Texas, sensitive personal information (SPI) contains the following:

  • social security number;
  • driver's license number or other government-issued identification number;
  • account number, credit or debit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account; or

Information that identifies an individual and relates to:

  • the physical or mental health or condition of the individual;
  • the provision of health care to the individual; and
  • payment for the provision of health care to the individual.

What should I do if I have a breach of protected health information?

The definition of a breach changed significantly in 2013. A breach is now usually defined by the U.S. Department of Health and Human Services as "an impermissible use or disclosure under the [HIPAA] Privacy Rule that compromises the security or privacy of protected health information. An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment…"

All TMLT policyholders have cyber liability coverage endorsed to their medical professional liability policies. Contact the TMLT claims department to report a breach and you will be provided assistance. It is important to report a breach as soon as possible, as timely reporting is a requirement for obtaining coverage. Depending on the number of records affected, you will have notification requirements. Generally, all breaches must be reported to the affected patient(s) within 60 days and must be reported to the U.S. Secretary of Health and Human Services.

Americans With Disabilities Act

What am I required to do under the ADA to accommodate patients who are hearing impaired?

Appropriate auxiliary aids and services may include qualified interpreters, assistive listening devices, note takers, and written materials. The ADA does not require modifications that would fundamentally alter the nature of the services provided or result in an "undue burden" on the provider. What constitutes an "undue burden" is determined on a case-by-case basis. At least one court has found in favor of the plaintiff over the provision of an interpreter for a hearing-impaired patient in a primary care physician's office.

What does the ADA require for mobility-impaired patients?

A public accommodation is required to remove architectural barriers in existing facilities where such removal is "readily achievable," which is defined as "easily accomplished and able to be carried out without much difficulty or expense." Examples of steps to remove barriers include installing ramps, widening doors, installing grab bars in bathroom stalls, installing a raised toilet seat, removing deep pile carpeting, and creating designated, accessible parking spaces. Please refer to the ADA web site for more information.

What about those patients who do not speak English? Am I required to provide and absorb the cost of an interpreter?

According to the Office for Civil Rights, an entity receiving federal reimbursement (such as Medicaid or Medicare) is responsible for ensuring that effective oral and written communication occurs with program beneficiaries who are limited English proficient (LEP). The entity can take several steps to meet its obligations to LEP patients. Providing interpreters, at no cost to the client, is one method. Please visit the Office for Civil Rights' web site for more information.

Who has responsibility for ADA compliance in leased buildings, the landlord or the tenant?

The ADA places legal responsibility to remove barriers or provide auxiliary aids on both the landlord and the tenant.

What is my responsibility as an employer under the ADA?

Employers with 15 or more employees must comply with the ADA in their employment practices. The ADA protects individuals with disabilities from discrimination related to employment practices. Individuals with disabilities who meet "the skill, experience, education, and other job-related requirements of a position held or desired, and who, with or without reasonable accommodation, can perform the essential functions of a job" are protected. To be covered by the ADA, an individual must have a mental or physical impairment that (even with corrective or mitigating measures, such as corrective lenses) substantially limits one or more major life activities. In addition, the ADA prohibits discrimination against persons who are perceived to have a disability.

Please refer to the ADA web site for more information.

Advance Directives

What is an advance directive?

According to the Texas Advance Directives Act, the current definition of an advance directive is: "an instruction to administer, withhold or withdraw life-sustaining treatment in the event of a terminal or irreversible condition [A Directive to Physicians and Family or Surrogates]; or an out-of-hospital DNR order; or a medical power of attorney."

Advance directive documents include:

  1. Directive to Physicians, instructing health care professionals to administer, withhold, or withdraw life-sustaining treatment in the event of a terminal or irreversible condition (previously called a "living will");
  2. out-of-hospital do-not-resuscitate orders; and
  3. medical powers of attorney.

What is a terminal condition?

A terminal condition means an incurable condition caused by injury, disease, or illness that according to reasonable medical judgment will produce death within six months, even with available life-sustaining treatment provided in accordance with the prevailing standard of medical care. A person admitted to a licensed hospice program is presumed to have a terminal condition.

Do both witnesses to advance directives need to meet the statutory requirements?

No. While both witnesses must be competent adults, only one must meet certain statutory requirements, such as:

  1. not designated by the declarant to make treatment decisions;
  2. not related to the patient by blood or marriage;
  3. not mentioned in the patient's will or having any claim to his/her estate; and
  4. not the attending physician, his/her employees, or certain employees of the health care facility in which the patient is being treated.

Are advance directives executed in another state valid?

Yes, a directive executed in another state is enforceable provided that it complies with the laws of the State of Texas. For guidelines, please go to the Texas Medical Association's Death Act: Directive to Physicians.

Who can execute a directive on the behalf of a minor?

A directive may be executed on behalf of a qualified minor by:

  1. the patient's spouse, if the spouse is an adult;
  2. the patient's parents; or
  3. the patient's legal guardian.

Do advance directives need to be notarized?

No. In fact, a physician or health care facility may not require that a directive be notarized or that a person use a form provided by the health care professionals.

What about advance directives for pregnant patients?

A person may not withdraw or withhold life-sustaining treatment from a pregnant patient.

What is my liability in following or refusing to follow an advance directive?

A physician, health care facility, or health care professional with no knowledge of a directive is not civilly or criminally liable for failing to act in accordance with the directive. However, if an attending physician refuses to comply with the directive, life-sustaining treatment must be provided to the patient only until a reasonable opportunity has been afforded for the transfer of the patient to another physician willing to comply with the directive or treatment decision. Failure to follow a qualified patient's directive will subject the physician or health care professional to review and disciplinary action by the appropriate licensing board.

What can I do when I disagree with the surrogate decision-maker?

Whether the physician is recommending that treatment be continued or that it be stopped because it is medically futile, the new law codifies a process that includes a mandatory ethics consultation; a reasonable attempt to transfer the patient to another physician or institution willing to honor the directive; and, in the case of medical futility disputes, continuation of life-sustaining procedures for at least 10 days after the ethics committee explains its conclusion in writing to the patient's surrogate.

Staffing Issues

Should I perform background checks on employees?

Under the legal doctrine of respondeat superior, physicians are responsible for the actions of their employees committed within the scope of employment. Like any employer, a physician is required to select, train, supervise, and discipline his or her employees in a manner consistent with providing quality patient care. Checking references and performing background checks reflects your efforts to employ qualified personnel. The information should be documented in the employee's personnel file.

In Texas, criminal background checks can be performed through the Texas Department of Public Safety (DPS). A full set of fingerprints (which can be obtained at your local law enforcement department or at the DPS office), a signed written request, and a $15 fee are required. Please visit the Texas DPS web site for more information.

What is my responsibility when supervising physician assistants (PAs) and advanced practice registered nurses (APRNs)?

The Medical Practice Act (MPA) establishes minimum standards for supervision by physicians of PAs and APRNs for provision of services at various sites. In most situations, a physician is limited to supervising no more than seven full-time equivalent PAs and APRNs, but there are exceptions. Prescriptive authority agreements, standing delegation orders, standing medical orders, physician's orders, or other orders or protocols may authorize diagnosis of the patient's condition and treatment. Neither the MPA nor the Texas Medical Board rules authorize the exercise of independent medical judgment by PAs or APRNs. The supervising physician remains responsible to patients for acts performed under the physician's delegated authority.

Physician supervision shall conform to what a reasonable, prudent physician would find consistent with sound medical judgment, and may vary with the education and experience of the PA or APRN. A physician shall provide continuous supervision, but the constant presence of the physician is not required. The physician must be easily contacted by radio, telephone, or other telecommunication device. Please see TMB rules Chapter 185 and Chapter 193 for more information.

Additional information is also available from the Texas Board of Nursing.

What is my responsibility when delegating tasks to unlicensed employees?

Provided that you are satisfied with the competence of your employee, with due regard to the safety of the patient, and in keeping with sound medical practice, standing delegation orders may be authorized for the performance of acts and duties that do not require the exercise of independent medical judgment. Please see TMB Standing Delegation Orders, Chapter 193 for more information.

Unlicensed employees can be trained to perform some tasks associated with the delivery of patient care; however, some tasks are inappropriate to delegate and the accountability for the competent performance of that task remains with the physician. In determining the appropriate role for unlicensed personnel, you should consider the capabilities of the employee, the complexity of the task, and the amount of supervision required. Employers can be held liable for negligent delegation if they:

  • delegate a task they know or should know the person does not have the training or experience to complete;
  • do not provide the degree of supervision the employer knows or should know is needed;
  • delegate tasks contrary to the medical/nurse practice act;
  • delegate tasks that pose substantial risk of harm to a patient or are present and fail to take action when possible to avoid patient injury; and
  • do not properly allocate the time of available staff.

Communicable Diseases

Can I test a patient for HIV after one of my employees has been accidentally exposed?

In a case of accidental exposure to blood or other body fluids, the health care facility may test the person who may have exposed the health care worker to HIV without the person's specific consent to test. Any identifying information concerning the person should be destroyed as soon as the testing is complete and the person who may have been exposed is notified.

What type of consent is required for HIV testing?

Except as otherwise provided by law, a person may not perform an HIV test without first obtaining the informed consent of the person to be tested. This consent does not need to be written. Documentation in the medical record that the test has been explained and consent has been obtained is sufficient. For more information on HIV consent, please review the Texas Health and Safety Code.

What is the law concerning spousal/partner notification of positive HIV test results?

According to the Texas Department of State Health Services, private physicians, or their designees, may notify spouses or partners of their possible exposure to HIV or may seek assistance from the local or regional HIV/STI program. Physicians asking HIV/STI programs to contact a spouse or partner will provide written confirmation that the client tested HIV-positive.

What is expedited partner therapy (EPT)?

Physicians are allowed to prescribe treatment for the sexual partner(s) of their established patients who have been diagnosed with chlamydia or gonorrhea without establishing a professional relationship with the partner first. Please see the Texas Department of State Health Services EPT resources for more information.

Can I test for HIV before a procedure?

Texas law provides that a person (such as a physician) may require another person to have an HIV test if a medical procedure is to be performed that could expose health care personnel to AIDS or HIV infection, and there is sufficient time to receive the test result before the procedure is conducted. However, HIV-positive patients are considered "disabled" under the Americans with Disabilities Act (ADA), which supersedes state law. The ADA also prohibits discrimination against persons who are perceived to have a disability. Thus, refusing to perform a procedure based on HIV status or the patient's refusal to undergo an HIV test would likely violate the ADA.

Does the Americans with Disabilities Act (ADA) require me to treat individuals with HIV?

While the ADA expressly provides that a public accommodation may exclude an individual if that individual poses a "direct threat" to the health or safety of others that cannot be mitigated by appropriate modifications in the accommodation policies or procedures, a refusal to treat HIV-positive or AIDS patients cannot be justified by the policies of organized medicine or public health. The Centers for Disease Control and Prevention and the American Medical Association recommend the use of "universal precautions" to prevent the transmission of blood-borne diseases in the health care setting.

What are the current STD treatment guidelines?

Please see the U.S. Centers for Disease Control and Prevention (CDC) 2015 Sexually Transmitted Diseases Treatment Guidelines.


What are the risks of prescribing a medication for off-label use?

Because a particular use of the drug may be beneficial but uncommon, many drug manufacturers choose not to seek FDA approval for an off-label use due to cost and time factors. Congress has not prohibited the prescription of medications for off-label use.

However, prescribing a medication for off-label use is not without risk, particularly in pediatrics. Physicians are still responsible for practicing prudent medicine. The available literature and the practices of similarly situated physicians would be evidence of compliance with the standard of care. In addition, physicians are encouraged to obtain a signed, written consent indicating the rationale for the medication, its risks, benefits, and alternatives. Information is available at the FDA web site.

Do I have to keep my sample medications and prescription pads locked away?

Not necessarily. Health care professionals have a responsibility to guard against theft of sample medications and prescription pads. Sample medications should be stored in areas accessible only to physicians and clinical staff members. Prescription pads should not be readily accessible to patients, visitors, or some staff members. Locking up prescription pads protects them, however, and is certainly prudent risk management.

What should I do if prescription pads or controlled substances are missing?

Prescription pad or controlled substance theft should be reported to local law enforcement and the Drug Enforcement Agency. If prescription pads are missing, local pharmacies and the Board of Pharmacy should also be notified.

Do I need to keep receipts of sample medications?

Yes. The Texas Administrative Code requires that all physicians maintain a copy of each signed request form for sample dangerous drugs for a period of two years from the date of acquisition. Dangerous drugs are defined as any medications that require a prescription.

Can Schedule II drugs be prescribed electronically in Texas?

Effective September 1, 2011, Schedule II drugs may be prescribed using electronic prescriptions.

During the 82nd Texas Legislative session, Senate Bill 594 was passed. It amends the Texas Health & Safety Code to allow Schedule II drugs to be prescribed with an electronic prescription, to match changes to the federal law. Read the full text of the bill.

Can I be fined for purchasing drugs or medical devices from a vendor unlicensed to sell in Texas?

The Texas attorney general and the federal government are taking actions against physicians arising from the purchase and use of medical products and drugs that are allegedly not legal for use in the United States. Most of these cases arise when physicians attempt to save money for their patients by buying drugs and devices from Internet sites or distributors who offer product discounts.

The typical scenarios that give rise to these actions include:

  • Physicians purchase medical products over the Internet believing the goods are approved for use in the U.S., but the products are not "FDA approved" or labeled for domestic distribution. This renders the products "misbranded."
  • Physicians may unknowingly purchase a medical product from a distributor unlicensed or unauthorized to do business in Texas or the U.S.

Either of these actions may give rise to a charge of numerous "laundry list" acts that violate Texas law, most prominently the Texas Deceptive Trade Practices Act (DTPA). The DTPA has been interpreted as essentially a strict liability statute, so that fines may be pursued even if the doctor had no intent to violate the law.

Under Texas law, each proven violation may result in a civil penalty of not more than $20,000 per violation, with additional penalties if the consumer was over the age of 65. Each individual use of the product may be deemed a distinct statutory violation by the attorney general, so the fines can be very large.

Other Regulations

What does the Occupational Safety and Health Administration (OSHA) require for medical practices?

OSHA standards require that medical practices develop and comply with safety policies and procedures related to blood-borne pathogens, regulated waste disposal, and chemical hazard communication. Employee training is required initially and annually thereafter. Records of all OSHA training should be maintained for three years. Employers are required to make Hepatitis B vaccination available at no cost to all employees whose job classifications indicate potential exposure. Employees who refuse vaccination must sign a declination form. All employee medical records must be kept confidential and retained for at least the duration of employment plus 30 years. More information is available at the OSHA web site.

Since I perform only a few simple tests in my office, do Clinical Laboratory Improvement Amendments (CLIA) regulations apply to my practice?

Yes, CLIA does apply. However, simple tests are waived from specific CLIA requirements. Some of these include:

  • dipstick or tablet reagent urinalysis;
  • fecal occult blood;
  • ovulation test using visual color comparison;
  • urine pregnancy test using visual color comparison;
  • erythrocyte sedimentation rate — non-automated;
  • hemoglobin by copper sulfate method — non-automated;
  • spun microhematocrit; and
  • blood glucose using certain devices cleared by the FDA specifically for home use.

A complete list of CLIA-waived tests is available at the CLIA Categorization of Tests web site. If you perform only these tests, a CLIA certificate of waiver is required.

What are the requirements for medical waste management?

The Texas Administrative Code defines the requirements for medical waste management, disposal, transportation, collection, and storage. In general, generators of medical waste are required to maintain receipts of its disposal for a period of three years. More information is available from the Texas Commission on Environmental Quality.

What informational resources are physicians required to provide to the parents of newborns?

This information is available from the Texas Department of State Health Services.

Where can I find information about umbilical cord blood banking?

During the 2007 regular legislative session, legislators passed House Bill 709, which requires physicians to provide pregnant patients with a brochure on umbilical cord blood banking. The brochure and additional information are available from the Texas Department of State Health Services.

What does the law require for physicians to sign death certificates?

Texas physicians who are asked to sign a death certificate must do so electronically or face fines of up to $500 per violation.

A medical certifier on a death certificate must submit the medical certification and attest to its validity electronically. Physicians must register with the Texas Electronic Death Registrar (TEDR) before signing a death certificate. Any physician who signs a death certificate, and is not registered with TEDR, may be fined up to $500 by the TMB.

Physicians who have not yet registered can do so at the TEDR web site.

If you need assistance, send an email to help-TER@dshs.state.tx.us or call the TER at 888-963-7111 ext. 3490.

Fetal death certificates — if a fetus is born without vital signs, it is appropriate for the physician (medical certifier) to complete a paper death certificate. If a fetus is born with vital signs, the physician (medical certifier) must complete an electronic death certificate.

Medical Records

Where can I find the Authorization to Disclose Protected Health Information form developed by the Attorney General of Texas?

An electronic copy of the form is located on the Texas Attorney General's website.

What is the proper procedure for the release of medical records?

In order to be acceptable under the Health Insurance Portability and Accountability Act (HIPAA) and compliant with state law, an authorization for the release of protected health information (PHI) must:

  • be in writing;
  • identify who is authorized to make the disclosure;
  • identify who may receive the PHI;
  • identify who may make the authorization;
  • identify the specific information to be disclosed, particularly for sensitive information, such as HIV/AIDS testing and treatment, mental health and substance abuse treatment;
  • describe the purpose of the disclosure;
  • note when the authorization expires; and
  • contain a signature and date (of the patient or personal representative).

A valid authorization must also have these statements:

  • the patient has the right to revoke the authorization, with instructions on how to revoke;
  • clarification that under most circumstances medical care may not be conditional on the signing of the authorization; and
  • a warning that the PHI may be re-disclosed by the receiving entity.

The patient must receive a copy of the authorization and the provider must also maintain a copy.

Pursuant to HIPAA regulations, if your medical record contains any notes forwarded to you by a mental health professional you cannot re-disclose that information, even under subpoena. HIPAA defines mental health professionals as psychiatrists, psychologists, and licensed professional counselors.

Who can authorize the release of medical records?

The authorization to release medical records may be signed by:

  • a parent or legal guardian if the patient is a minor;
  • legal guardian if the patient has been adjudicated incompetent to manage his/her own personal affairs;
  • an agent of the patient authorized under a durable power of attorney for health care;
  • an attorney ad litem or guardian ad litem appointed for the patient;
  • a personal representative or statutory beneficiary if the patient is deceased; and
  • an attorney retained by the patient or by the patient's legally authorized representative.

Who "owns" the medical record?

The physical pieces of paper are the tangible, personal property of the person or entity who created them. However, by law patients have the right to obtain copies of their medical records. The only clear exception is in the Medical Practice Act, "If the physician determines that access to the information would be harmful to the physical, mental or emotional health of the patient." The physician might be asked to produce a reasonable explanation as to why the records or information may be harmful to the patient.

Never release the original record, except under subpoena and then retain a copy.

What constitutes a medical record?

Medical records include any records pertaining to the history, diagnosis, treatment, or prognosis of the patient. The Texas Medical Board rules (Chapter 165) state that records received from another physician or health care provider involved in the care or treatment of the patient shall be maintained as part of the medical record.

Is there a time limit to respond to requests for medical records?

The physician has 15 business days (from the date the request is received) to respond to the request. If a physician “denies the request for copies of medical and/or billing records or a summary or narrative of the records, either in whole or in part, the physician shall furnish the patient a written statement, signed and dated, within 15 business days of receipt of the request stating the reason for the denial and how the patient can file a complaint with the federal Department of Health and Human Services (if the physician is subject to HIPAA) and the Texas Medical Board. A copy of the statement denying the request shall be placed in the patient's medical and/or billing records as appropriate.” (Taken from Texas Medical Board Rules, Chapter 165.2 Medical Record Release and Charges.)

May I charge for copying medical records?

When determining allowable fees for copies of medical records, both federal and state regulations should be followed. Guidelines differ for release of records directly to the patient versus release of records to a third party.

The Office of Civil Rights (OCR) has updated guidelines on patients'/individuals' rights to obtain their medical records and how much providers/covered entities can charge for copies. Chapter 45 of the Code of Federal Regulations Section 164.524 outlines individuals' rights to access their protected health information (PHI). Given the intricacies of the new rules, we recommend reviewing these FAQs and Chapter 45 of the Code of Federal Regulations Section 164.524.

Below are highlights from the new rules:

Fees to release directly to the patient/individual

Flat-Rate of $6.50—The OCR has determined that a flat-fee of $6.50 is a reasonable cost for the release of medical records directly to a patient/individual. If the provider does not calculate a reasonable fee as outlined below, then the provider should charge the flat-rate of $6.50 to the individual for copies of their PHI.

Charging an individual more than $6.50

For any request from an individual, a covered entity (or business associate operating on its behalf) may calculate the allowable fees for providing individuals with copies of their PHI:

  1. By calculating actual allowable costs to fulfill each request; or
  2. By using a schedule of costs based on average allowable labor costs to fulfill standard requests.
  3. Alternatively, in the case of requests for an electronic copy of e-PHI, covered entities may charge a flat fee not to exceed $6.50 (inclusive of all labor, supplies, and postage).

Charging a flat fee not to exceed $6.50 per request is an option for entities that do not want to go through the process of calculating actual or average allowable costs for requests for electronic copies of e-PHI.

When an entity chooses generally to use the average cost method or flat fee for electronic copies of e-PHI, the entity may receive an uncommon request that it had not considered when setting up its fee structure. In these cases, the entity may wish to calculate actual costs, and it may do so as long as the costs are reasonable and only of the type permitted by the Privacy Rule.

An entity that chooses to calculate actual costs in these circumstances must — as in other cases — inform the individual in advance of the approximate fee that may be charged for providing the copy requested.

Health care providers are urged to err on the side of caution when determining fees for release of records directly to the patient. While the HHS has published the guidelines above, these rules are intended to increase patients' access to their own records. This is demonstrated by language found in the HHS FAQs:

"…while the Privacy Rule permits the limited fee described above, covered entities should provide individuals who request access to their information with copies of their PHI free of charge. While covered entities should forgo fees for all individuals, not charging fees for access is particularly vital in cases where the financial situation of an individual requesting access would make it difficult or impossible for the individual to afford the fee. Providing individuals with access to their health information is a necessary component of delivering and paying for health care."

For more information, please see these FAQs along with Chapter 45 of the Code of Federal Regulations Section 164.524.

Release for free or to patient with outstanding bill

A covered entity may not withhold or deny an individual access to their PHI because the individual has not paid the bill for health care services provided. While the Privacy Rule permits the limited fee as described, covered entities should provide individuals who request access to their information with copies of their PHI free of charge to avoid creating a barrier to access.

Fees to release to third-party

The new OCR flat-rate fee guidance does not apply to release of records to a third-party unless that release is directed by the individual/patient to the third-party (see FAQs). For direct requests from a third-party, the covered entity/provider should follow the Texas Medical Board (TMB) rules for release of PHI.

Please review the most recent version of the TMB rules Chapter 165.2 Medical Records Release and Charges. Below is an excerpt from the TMB rules:

(e) Allowable Charges.

(1) Paper Format.

(A) The physician responding to a request for such information in paper format shall be entitled to receive a reasonable, cost-based fee for providing the requested information.

(B) A reasonable fee for providing the requested records in paper format shall be a charge of no more than $25 for the first twenty pages and $.50 per page for every copy thereafter.

(2) Electronic Format.

(A) The physician responding to a request for such information to be provided in electronic format shall be entitled to receive a reasonable, cost-based fee for providing the requested information in electronic format.

(B) A reasonable fee for providing the requested records in electronic format shall be a charge of no more than: $25 for 500 pages or less; $50 for more than 500 pages.

(3) Hybrid Records Format.

(A) The physician responding to a request for such information that is contained partially in electronic format and partially in paper format ("hybrid"), may provide the requested information in a hybrid format and shall be entitled to receive a reasonable, cost based fee for providing the requested information.

(B) A reasonable fee for providing the requested records in a hybrid format may be a combination of the fees as set forth in paragraphs (1) and (2) of this subsection.

(4) Other Charges.

(A) If an affidavit is requested, certifying that the information is a true and correct copy of the records, whether in paper, electronic or hybrid format, a reasonable fee of up to $15 may be charged for executing the affidavit.

(B) A physician may charge separate fees for medical and billing records requested.

(C) Allowable charges for copies of diagnostic imaging studies are set forth in §165.3 of this title (relating to Patient Access to Diagnostic Imaging Studies in Physician's Office) and are separate from the charges set forth in this section.

(5) A reasonable fee for records provided in a paper, electronic or hybrid format may not include costs associated with searching for and retrieving the requested information, and shall include only the cost of:

(A) copying and labor, including, compiling, extracting, scanning, burning onto media, and distributing media;

(B) cost of supplies for creating the paper copy or electronic media (if the individual requests portable media) that are not prohibited by federal law;

(C) postage, when the individual has requested the copy or summary be mailed; and

(D) preparing a summary of the records when appropriate.

For more information, please review the most recent version of the TMB rules Chapter 165.2 Medical Records Release and Charges and TMB FAQs for Consumers. 

May I withhold copies of medical records until the copies are paid for?

You are entitled to receive the fee for records preparation before releasing the records, except in these situations:

  • where the records are requested by a licensed Texas health care provider or any American or Canadian licensed physician for acute or emergency medical care; and
  • to support an application for disability or other benefits or assistance under: Aid to Families with Dependent Children, Medicaid, Medicare, Supplemental Social Security Income, and Federal Old-Age and Survivors Insurance, and Veteran's Benefits.

What about medical records for other physicians?

The Texas Medical Practice Act states "A physician shall furnish copies of medical records requested, or a summary or narrative of the records, including records received from another physician or health care provider involved in the care or treatment of the patient, pursuant to a written authorization for release of the information." The exception is psychiatric records.

If a physician feels it would be harmful to release copies of medical records to a patient, what should be done?

When a physician deems it necessary to deny a request to release medical records, that physician must provide the patient a written statement within 15 business days of receipt of the request, and file a copy of the statement in the medical record. The statement must specify the reason for the denial and how the patient can file a complaint with the federal Department of Health and Human Services and the Texas Medical Board.

Can information from medical records be released without the patient's consent?

Some release of information is required by law, and may be released without the patient's consent. These situations include:

  • treatment of gunshot wounds to law enforcement officials;
  • suspected child and elder abuse to the Texas Department of Protective and Regulatory Services and law enforcement;
  • positive HIV tests (without the patient's name) and AIDS diagnoses (with the patient's name) to the Texas Department of State Health Services and local health department;
  • Medicare records must be made available promptly to representatives of the Department of Health and Human Services; and
  • Medicaid records must be made available promptly to Texas Department of State Health Services, the Texas Attorney General's Medicaid Fraud Control Unit, Texas Medicaid Health Partnership, and the Department of Protective and Regulatory Services.

In none of these situations is the patient's authorization for release of information required. There are limited additional circumstances under which records may be released without patient authorization. For example, a physician may release information to medical or law enforcement personnel, if the physician determines that there is a probability of imminent physical injury to the patient, physician, or other person. Read more from the Texas Medical Association about these exceptions to confidentiality. (TMA log-in required).

May I release health information to an insurance company without the patient's consent?

You may file an insurance claim without a written signed consent accompanying each claim.

How should I respond to a subpoena?

Please contact TMLT's Claims Department to inquire about how to respond to a subpoena. In addition, if you are a Texas physician, the Texas Medical Association offers a resource, Subpoenas for Medical Records (TMA log-in required).

How long do I need to keep medical records?

For adults — all records must be kept for at least seven years from the date of the last treatment. (Hospitals are required to keep records for 10 years, so some physicians may choose to keep office records for 10 years also.)

For minors — records for minor patients must be kept for at least seven years from the date of last treatment or until the child turns 21, whichever is longer.

For more information, please see Chapter 165 of the Texas Medical Board rules.


Who is considered a minor?

A minor is a person under age 18 who has never been married and never been declared an adult by a court.

When can minors consent to their own treatment?

The Texas Family Code Section 32.003 lists instances where a minor child can consent to certain types of medical treatment on his or her own. These include:

  • a minor on active duty with the armed forces of the United States;
  • a minor who is 16 years of age or older, residing apart from his/her parents or guardian, and managing his/her own financial affairs;
  • a minor who is unmarried and pregnant can consent to treatment related to the pregnancy other than abortion;
  • a minor can consent to diagnosis and treatment of infectious, contagious, or communicable disease that are reportable to the Texas Department of State Health Services;
  • a minor who is unmarried, is the parent of a child, has actual custody of his or her child and consents to the medical, dental, psychological, or surgical care for the child may consent to his or her own treatment;
  • a minor who is serving a term of confinement in a facility operated by or under contract with the Texas Department of Criminal Justice; and
  • a minor can consent to counseling for suicide prevention, chemical or alcohol addiction or dependency, or sexual, physical or emotional abuse.

A physician may rely on a written statement by the minor containing the grounds on which the minor has capacity to consent to treatment.

Who can consent for the treatment of the child of an unmarried minor?

An unmarried minor who has "actual custody" of his/her own biological child can consent to medical, dental, psychological, and surgical treatment for the child.

What are my legal obligations when treating minors for contraception?

In general, minors cannot give consent for their own medical treatment (see exceptions above). Contraception is not specifically addressed by law as an exception. In most situations, it is not a treatment for which a minor can give consent unless he or she is an "emancipated minor."

Do both divorced parents have a right to review the information in their minor child's medical records?

Unless the court finds it would not be in the best interest of the child, "both parents shall be appointed as joint managing conservators of the child." (Texas Family Code Section 153.131) Joint managing conservator is the modern term for "joint custody."

The court granting the divorce may allocate the rights and duties of the joint managing conservators. Thus, both may have the right to consent to invasive procedures, or only one may have that right. Ask to see a copy of the court order when in doubt. Both joint managing conservators have the right to access the child's medical records unless specifically limited by the court granting the divorce.

Unless limited by a court order, both the possessory conservator (custodial parent) and the managing conservator (noncustodial parent), have the following rights:

  • right of access to medical, dental, psychological, and educational records;
  • the right to consult with a physician, dentist, or psychologist of the child; and
  • the right to be designated on the child's records as a person to be notified in case of an emergency.

When can a non-parent consent to treatment of a minor?

When the person having the power to consent cannot be contacted and actual notice to the contrary has not been given, other persons and entities can give consent. These include:

  • grandparents;
  • adult siblings;
  • aunts and uncles;
  • an educational institution with written authorization;
  • any adult who has actual care, control, and possession of the minor with written authorization;
  • a court having jurisdiction over a suit affecting the parent-child relationship;
  • an adult responsible for the actual care, control, and possession of a child under the jurisdiction of a juvenile court or committed by a juvenile court to the care of an agency of the state or county;
  • a peace officer who has lawfully taken custody and has reasonable grounds to believe immediate medical treatment is needed; and
  • for immunizations only, a guardian or any person authorized under law or court order to consent for the child or, if these persons are not available, any one of the persons listed above.

When documenting consent by a non-parent, consent must be in writing and include:

  • the name of the child;
  • the name of one or both parents, if known; and the name of any managing conservator or guardian of the child;
  • the name of the person giving consent and their relationship to the child;
  • a statement of the nature of the medical treatment to be given; and
  • the date the treatment is to begin. (Texas Family Code Title 2, Chapter 32)

Miscellaneous Risk Management Questions

Should I talk with an attorney "off the record" regarding a medical malpractice lawsuit in which I am not a party?

Medical records or protected health information should never be released without consent of the patient or the patient's authorized representative. Instruct the attorney you are willing to cooperate within the confines of the law and the litigation process (e.g. giving deposition or testimony by subpoena). Do not "volunteer" information to the attorney even though you are not a party to the lawsuit. You need to protect yourself against any potential action that may result from an "off the record" conversation.

How do I terminate the physician-patient relationship?

Your relationship with a patient should be terminated in a manner that reduces liability for patient abandonment and facilitates patient care. The patient should be notified in writing by first class U.S. mail and certified mail, return receipt requested. Keep a copy of the letter and return receipt in the patient's chart.

You are not required to state a reason for termination and, in fact, it may not be advisable to state a reason such as incompatible personality, hostile behavior, etc. You may state "failure to follow medical advice" or "failure to keep appointments that are medically indicated." Agree to treat the patient for 30 days. Clearly state the date on which the termination will be effective. Provide resources to help the patient find a new physician (e.g. health insurance plan, county medical society), but do not make a specific physician referral unless your state's medical board rules require otherwise (Texas does not). Offer to send a copy of the medical record to the new physician upon receipt of signed authorization, and include a blank authorization form.

More information and sample termination letters can be found in TMLT's CME activity, Terminating the patient-physician relationship, published in the 2012 Volume 5 issue of the Reporter.

What testing does the law require for pregnant patients?

Clinicians in Texas, including physicians or any other person permitted to attend to a pregnant woman, must test every pregnant woman under their care for HIV, syphilis, and hepatitis B unless she objects. HIV and syphilis tests must take place during the pregnant woman's first prenatal visit and during her third trimester (as of September 1, 2015). If there is no record of her HIV and syphilis test results from the third trimester, then the woman must be tested at delivery unless she objects. The law also provides for expedited testing of the mother and newborn at delivery.

The woman must be informed of the HIV test before the testing and advised that the result of the test is confidential, but not anonymous. The woman has the right to refuse HIV testing and refusal should be documented in the record. Before testing for HIV, the health care professional must:

  1. Distribute printed materials about HIV, AIDS, hepatitis B, and syphilis to the patient. (Printed materials are available from the Texas Department of State Health Services.)
  2. Notify the patient of the law requiring the provider to test for hepatitis B, syphilis, and HIV and inform the patient of her right to refuse testing. Explain the difference between confidential and anonymous testing.
  3. Provide the patient with a referral to an anonymous testing facility if the patient objects to testing.
  4. Document that the HIV test was explained, printed materials were given, and consent was obtained.

If tests indicate a woman is infected with HIV, the provider who submitted the sample for testing must provide the woman with:

  1. Information relating to HIV infection and AIDS in a manner understandable to that patient.
  2. Counseling in a manner that complies with the Health and Safety Code, which allows for referral to an entity that provides counseling/treatment for individuals infected with HIV. Please see the Texas Department of State Health Services web site for more information regarding counseling requirements.