Telehealth creates unique health information management challenges for various reasons, including: aggregating large data sets (i.e. remote monitoring); using and storing numerous file formats (video, audio, text, digital images, film); establishing safeguards for sharing data with virtual providers and distant sites; determining the appropriate location for data storage (if more than one provider or entity is involved); and more.  All of these challenges create issues relating to medical record management, maintenance, ownership, and storage.

In the past, it was easier to define what was and was not considered the “medical record” for a patient.  Typically, the medical record was the patient’s paper file and/or a basic electronic medical record (EMR).  With the addition of the internet, telehealth, and other electronic means of data transmission, the question remains:

What new mediums must be included in a patient’s medical record? 

Must it include…

  • Digital images?
  • Emails?
  • Phone conversations?
  • Video recordings?
  • Live stream videos?
  • Remote monitoring data streams?

It is important to understand the definition and scope of the term “medical record” because under the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, an individual has the right to access and/or amend his or her protected health (medical record) information that is contained in a “designated record set,” or DRS.   Thus, healthcare providers must understand what they are required to include in the patient’s medical record and provide for the patient upon request.

The term “medical record” generally refers to the collection of information regarding a patient and his/her health care.  The term “designated record set” is defined within the Privacy Rule to include medical and billing records, and any other records used by the provider to make decisions about an individual.  Each healthcare organization is required to define the data or documents that meet this definition.

In addition to HIPAA, some organizations are subject to state laws that provide specific definitions relating to telehealth and medical record documentation/retention.  For example, in Colorado, Colo. Rev. Stat. § 25-1-802(5) states that “medical information transmitted during the delivery of health care via telemedicine… is part of the patient's medical record maintained by a health care provider.”

Another common theme in many state statutes and codes is that telehealth documentation retained in the medical record must be comparable to that of an in-person office visit. For example, the Texas Administrative Code states that, in order to be reimbursed for telemedicine services, “documentation in the patient's medical record for a telemedicine medical service or a telehealth service must be the same as for a comparable in-person evaluation.” Other sections of the Texas Administrative Code set forth specific telehealth record retention requirements, stating:

“Medical records must include copies of all relevant patient-related electronic communications, including relevant patient-physician e-mail, prescriptions, laboratory and test results, evaluations and consultations, records of past care and instructions. If possible, telemedicine encounters that are recorded electronically should also be included in the medical record.”

The focus in federal and state laws, regulations, and guidance is not on creating an exhaustive list of exact documents that must be included in the medical record, but rather, on including documents or media that are directly used in medical decision-making and treatment of patients and/or documents that are necessary for supporting billing claims.  The American Health Information Management Association (AHIMA) expresses this notion stating:

“The determining factor in whether something is to be considered part of the legal health record is not where the information resides or the format of the information, but rather how the information is used and whether it is reasonable to expect the information to be routinely released when a request for a complete medical record is received.”

AHIMA is a leading national organization for health information management practices, and its data retention practices are often cited by numerous health care organizations and publications as the current industry standard.  It is also important to note that secondary data (notes, images, videos) that are not related to these patient-centered or billing functions likely do not need to be included in the medical record.

Also, AHIMA highlights that organizations only need to include documents that can be provided in a human-perceptible form to patients, and/or documents that are reasonably feasible to provide to patients. Thus, since inclusion is not explicitly required by state or federal law, large data sets and streams from remote monitoring devices, which are sometimes too large and cumbersome to store long-term and/or too difficult to provide to patients, may be exempt from being considered part of the legal medical record. It is up to the organization to decide what can reasonably and feasibly be included in the record. The organization should capture this information in a corporate policy or data matrix. Employees will need to be informed and properly trained on compliance with these policies.

In addition to federal and state laws and regulations, organizations should also consult with any payors they have contracted with for guidance or billing requirements.  Often large payors have specific requirements for medical record documentation and retention relating to telemedicine.  Further, once an organization develops its definition of the “legal” record, it should develop its own corporate policy.
