The Office Manager should use the Patient Records Access Log Template for each set of records. Medical records, psychotherapy notes, and administration files should be reviewed regularly. Documents that are outdated or no longer relevant should be removed, as should documents that are misleading or inaccurate. The Office Manager should adopt a written privacy procedure that clearly identifies employees or classes of employees who require access to protected information, how it will be used within the entity, and when the information may be disclosed.
MDO109-3 PATIENT RECORDS ACCESS LOG covers the date, who accessed the record, the reason for access, and more. The patient also has the right to know who accessed the records, when, and for what reason. Covered entities will also need to take steps to ensure that their business associates and contractors protect the privacy of health information. Access to employee medical records should be limited to personnel with a “need to know” about a patient. A “need to know” should govern access to all employees’ records, including separate personnel files. Those with a need to know typically include only those involved in making decisions about a patient.