Skip to Content

104. Mass. Code Regs. 27.17. - Records and Records Privacy

Link to the law
This will open in a new window

“Records and Records Privacy”
This law sets forth how facilities shall maintain a permanent individual record for each person admitted to the facility. These records shall be the medical and psychiatric record of a patient admitted and does not include any financial, statistical or bookkeeping records of the facility. Each facility shall maintain each individual record for at least 20 years after closing of the record due to discharge or death or the last date of service.  If a record is to be destroyed the facility must notify the Department of Public Health. The manner of destruction must ensure the confidentiality of patient information. Medical records in electronic digital format shall have the same force and effect as the original records from which they were made. Any form of electronic storage system shall have adequate backup and security provisions to safeguard against data loss, as well as against unauthorized access. Each facility shall provide each patient with a notice of privacy practices that describes the facility procedures regarding retention of records. Record of patient data such statistical and diagnostic data shall be made available to the Department. Each facility shall employ reasonable physical, technical and administrative safeguards to ensure the confidentiality, integrity and availability of individual records.  A patient and the patient's legally authorized representative shall be permitted to inspect the patient's records unless the Commissioner or designee determines that such inspection is reasonably likely to endanger the life or physical safety of the patient or another person; the record makes reference to another person (other than a health care provider) and is reasonably likely to cause substantial harm to that other person. 
If access to a record is denied based on the criteria in 104 CMR 27.17(8)(a), the patient or legally authorized representative has the right to appeal. The determination on appeal must be made by a licensed healthcare professional, other than the person who made the initial decision to deny access, and such determination shall be final.The patient's attorney is permitted to inspect the record upon request. The legally authorized representative's consent may be needed before permitting a patient under the age of 18 to inspect his or her own records. The records of a patient shall be open to inspection upon proper judicial order.  Whenever practicable, a patient shall be informed of a court order for the production of the patient's record. The Commissioner or designee may permit inspection or disclosure of the records of a patient where he or she has made a determination that such inspection or disclosure would be in the best interest of the patient; andsuch disclosure is permitted by the privacy regulations promulgated under the Health Insurance Portability and Accountability Act (HIPAA) at 45 CFR Parts 160 and 164. This section also lists when the records may be disclosed as required by law.

Current as of June 2015