Effective Date: 
Mon, 08/01/2011
Tue, 05/11/2021
Tue, 05/11/2021


To establish guidelines for the contents, maintenance, and confidentiality of patient medical records that meet the requirements set forth in Federal and State laws and regulations, and to define the portion of an individual’s healthcare information, whether in paper or electronic format, that comprises the medical record. Patient medical information is contained within multiple electronic records systems in combination with financial and other types of data. This policy defines requirements for those components of information that comprise a patient’s complete “Medical Record.”


I. Maintenance of the Medical Record

A. A Medical Record shall be maintained for every individual who is evaluated or treated as an outpatient at UCSC Student Health Services.

B. Currently, the Medical Record is considered a hybrid record, consisting of both electronic and paper documentation that has been scanned into the record.

C. The medical record contents is a electronic format, including digital images, and can include patient identifiable source information, such as photographs, films, ECG tracings.

D. The current electronic components of the Medical Record consist of patient information from multiple Electronic Health Record source systems. The intent of UCSC is to integrate all electronic documents into a permanent electronic repository.

F. All paper reports / documents/ CD Reports will be scanned into the EMR by the trained Health Information Assistant  within 24 hours of receipt.  All paper documents created by Student Health Services must have the patient name & SID on all sides that are to be scanned. All EMR Visit Notes are to be completed within 24 hours of visit date, Non- Appointment Chart Notes are to be completed within 10 days.

G. Counseling Note Completion:

1. Crisis Notes:

Licensed Staff-Crisis services provided by licensed staff need to be documented within one working day.
Unlicensed Staff- Crisis services provided by unlicensed staff need to be documented within two working days, to allow time for review by licensed staff.
5150 cases-If a student is involuntarily psychiatrically hospitalized from CAPS, documentation must be completed by the end of the day.

2. Non-Crisis Notes:

Licensed Staff

Initial assessments must be completed within three working days of the service
Follow-up notes must be completed within two working days of the service

Unlicensed Staff- Review of the record and co-signature by supervisor for non-crisis services must occur within 5 working days of providing the service.

3. ADHD Assessments:

Due to the time needed to complete, review, analyze, document, supervise, and co-sign the results of an ADHD assessment, staff have 10 working days from completion of testing to finalize documentation.

II. Confidentiality

The Medical Record is confidential and is protected from unauthorized disclosure by law. The circumstances under which UCSC may use and disclose confidential medical record information is set for in the Notice of Privacy Practices. (see: “Notice of Privacy Practices”).

Viewing / Discussing  the Medical Record

  • Follow the minimum need to know rule
  • Don't view a chart or part of a chart unless you need to as part of your job
  • Never view your own chart
  • Never view the chart of another employee ( including student employees) unless you are directly involved in their care
  • Surveillance Audits are performed to monitor this a part of our privacy policy
  • Be aware of your environment when discussing PHI with a patient/client or with another staff member
  • Keep names, conditions, treatment information confidential
  • Discuss these things with your patient/client in a closed office. Even presumed clinical areas like the hallways  within the clinic and nurses stations are not confidential
  • Secure and lock computer stations when you leave the area
  • Use the shred bins which are located throughout the SHC for papers with PHI.

III. Content

A. Medical Record content shall meet all State and Federal legal, regulatory and accreditation requirements.

B. All documentation and entries in the Medical Record, both paper and electronic, must be identified with the patient’s full name and a unique UCSC Student ID number. Each page of double-sided or multi-page forms, created by UCSC, must be marked with both the patient’s full name and the unique SID number. Outside medical records if multipage must have the patient's full name and UCSC Student ID number on the first page of document.

C. All Medical Record entries should be made as soon as possible after the care is provided, or an event or observation is made. An entry should never be made in the Medical Record in advance of the service provided to the patient. Pre-dating or backdating an entry is prohibited.

IV. Medical Record vs. Designated Record Set

A. Under the HIPAA Privacy Rule, an individual has the right to access and/or amend his or her protected health (medical record) information that is contained in a “designated record set.” The term “designated record set” is defined within the Privacy Rule to include medical and billing records, and any other records used by the provider to make decisions about an individual. In accordance with the HIPAA Privacy Rule, UCSC has defined a “designated record set” to mean the group of records maintained for each individual who receives healthcare services delivered by a healthcare provider, which is comprised of the following elements:

1. The Medical Record whether in paper or electronic format, to include patient identifiable source information such as photographs, films, digital images.

2. Billing records including insurance claim information

3. All physician or other provider notes, written or dictated, in which medical decision-making is documented, and which are not otherwise included in the Medical Record (e.g., outside records when applicable for treatment).

B. The Medical Record generally excludes records from non-UC providers (i.e., health information that was not documented during the normal course of business at a UCSC facility or by a UCSC provider). However, if information from another provider or healthcare facility, or personal health record, is used in providing patient care or making medical decisions, it may be considered part of the UCSC Designated Record Set, and may be subject to disclosure on specific request or under subpoena. Disclosures from medical records in response to subpoenas will be made in accordance with applicable Campus policies.

V. Who May Document Entries in the Medical Record: Multidisciplinary Notes

Only the following types of UCSC employees and/or employees of UCSC contracted clinical providers may document entries in the Multidisciplinary Notes section of the Medical Record:

1.      Clinical Care Partners

2.      Licensed Vocational Nurses

3.      Medical Assistants

4.      Nurse Practitioners

5.      Pharmacists

6.      Physician Assistants

7.      Physicians including MD’s and DO’s

8.      Psychologists

9.      Registered Nurses

10.      Mental Health Practitioners

11.      Licensed Psychiatric Technicians

12.      Others as designated by SHC Policies and /or Medical Staff Bylaws

Completion, Timeliness and Authentication of Medical Records

A. All Medical Records must be completed within 24 hours of the encounter.

B. All Medical Record entries are to be dated, the time entered, and signed.

C. Certain electronic methods of authenticating the Medical Record, including methods such as passwords, access codes, or key cards may be allowed provided certain requirements are met. The methodology for authenticating the document electronically must comply with UCSC electronic signature standards.

D. There are daily audits using report: Unsigned Notes - Medical-Psych. Clinicians are notified when a note is not completed in the 24hr timeframe. If over the 24 hrs, their direct supervisor is notified.

E. Friday of every week reports,  Unsigned Notes - Medical-Psych and Unsigned Notes - CAPS New, are run and given to the Medical Director for review.

VII. Routine Requests for Medical Records for Purposes of Treatment, Payment and Healthcare Operations

The Health Information staff will process routine requests for Medical Records. Only authorized UCSC workforce members may access Medical Records in accordance with Privacy Policy.  UCSC Workforce members who access Medical Records for healthcare operations are responsible to access only the amount of information in medical records, which is necessary to complete job responsibilities.

A. Access to Medical Records for Treatment Purposes.

B. Healthcare providers who are directly involved in the care of the patient may access the full Medical Record.

C. Payment Purposes.

D. Authorized and designated UCSC workforce members may access the patient’s medical record for purposes of obtaining payment for services, including the following uses:

1. Coding and abstracting.

2. Billing including claims preparation, claims adjudication and substantiation of services.

3. Utilization Review.

E. Healthcare Operations. Patient medical records may be accessed for routine healthcare operation purposes, including, but not limited to:

1. Peer Review Committee activities;

2. Quality Management reviews including outcome and safety reviews;

3. Documentation reviews

F. Requests for Electronic Components of the Medical Record.

Personnel who access the electronic Medical Record are required to have a unique User ID and password, and access to information is limited according to the minimum necessary rule and managed by role, as approved by designated management personnel.

VIII. Ownership, Responsibility and Security of Medical Records

A. All Medical Records of UCSC patients/clients, regardless of whether they are created at, or received by, UCSC, and patient lists and billing information, are the property of UCSC and The Regents of the University of California. The information contained within the Medical Record must be accessible to the patient and thus made available to the patient and/or his or her legal representative upon appropriate request and authorization by the patient or his or her legal representative. As per the CURES Act patients have electronic access to designated parts of their records through the Health e-Messenger portal.

B. Responsibility for the Medical Record. The UCSC  Health Information Systems Administrator (HISA) is designated as the person responsible for assuring that there is a complete and accurate medical record for every patient. The medical staff and other health care professionals are responsible for the documentation in the medical record within required and appropriate periods to support patient care.

C. Original records may not be removed from UCSC Student Health Center except by court order, subpoena, or as otherwise required by law. If an employed physician or provider separates from or is terminated by the University for any reason, he or she may not remove any original Medical Records, patient lists, and/or billing information from UCSC Student Health Center. For continuity of care purposes, and in accordance with applicable laws and regulations, patients may request a copy of their records be forwarded to another provider upon written request to UCSC.

D. Medical records shall be maintained in a safe and secure area. Safeguards to prevent loss, destruction and tampering will be maintained as appropriate. Records will be released from HIM only in accordance with the provisions of this policy and other UCSC Privacy Policies and Procedures.

E. Special care must be exercised with Medical Records protected by the State and federal laws covering mental health records, alcohol and substance abuse records, reporting forms for suspected elder/dependent adult abuse, child abuse reporting, and HIV-antibody testing and AIDS research.

F. Chronology is essential and close attention shall be given to assure that documents are filed properly, and that information is entered in the correct encounter record for the correct patient, including appropriate scanning and indexing of imaged documents.

IX. Retention and Destruction of Medical Records

All Medical Records are retained for at least as long as required by State and federal law and regulations, and UCSC policies and procedures. The paper (unless scanned into the chart) & electronic versions of the record must be maintained per the legal retention requirements of 10 years after last record activity for students, 30 years after employee leaves or retires from the university.

X. Maintenance and Legibility of Record

All Medical Records, regardless of form or format, must be maintained in their entirety, and no document or entry may be deleted from the record, except in accordance with the destruction policy (refer to section IX).

Handwritten entries should be made with permanent black or blue ink, with medium point pens. This is to ensure the quality of electronic scanning, photocopying and faxing of the document. All entries in the medical record must be legible to individuals other than the author.

XI. Corrections and Amendments to Records

When an error is made in a medical record entry, the original entry must not be obliterated, and the inaccurate information should still be accessible.

The correction must indicate the reason for the correction, and the correction entry must be dated and signed by the person making the revision. Examples of reasons for incorrect entries may include “wrong patient,” etc. The contents of Medical Records must not otherwise be edited, altered, or removed. Patients may request a medical record amendment and/or a medical record addendum.

A. Documents Created in Paper Format:

1.      Do not place labels over the entries for correction of information.

2.     If information in a paper record must be corrected or revised, draw a line through the incorrect entry and annotate the record with the date and the reason for the revision noted, and signature of the person making the revision.

3.      If the document was originally created in a paper format, and then scanned electronically, the electronic version must be corrected by printing the documentation, correcting as above in (2), and rescanning the document.

B. Documents that are created electronically must be corrected in the following mechanisms:

1.      Adding an addendum to the electronic document indicating the corrected information, the identity of the individual who created the addendum, the date created, and the electronic signature of the individual making the addendum.

2.      Sometimes it may be necessary to re-create a document (e.g., wrong work type) or to move a document, for example, if it was originally posted incorrectly or indexed to the incorrect patient record.  When a signed entry is in the wrong patient/client chart, the following procedure is followed.  This procedure must be started as soon as the error is recognized.

  1. a.      Mitigate harm. The first priority is to assure that both patients/clients have suffered no harm as a result of charting in the wrong patient chart. All Sections of the chart should be reviewed. Taking timely action to mitigate harm is essential once the is error has occured.
  2. b.     Notify your supervisor
  3. c.     Document or addend. On the incorrect patient encounter document or addend with a note as to why this is the incorrect patient chart.
  4. d. Correct Documentation of the Encounter.  It is the responsibility of the clinician to transfer the contents of the erroneous entry into the correct patient/client chart. The clinician must also remove erroneous entries in other sections of the chart including the Problem List & Medication List.
  5. e. Notify Health Information Management (HIM).  DO NOT CREATE AN INCIDENT REPORT IN THE RL DATIX SYSTEM.
  •  From the chart note to be deleted - IM the Health Information Systems Administrator, (HISA) – Cathy Sanders
  • List the correct Student ID (SID)
  • List date of error
  • List reason for error

f. HISA will enter incident in the RL Datix system

C. When a pertinent entry was missed or not written in a timely manner, the author must meet the following requirements:

1.      Identify the new entry as a “late entry”

2.      Enter the current date and time – do not attempt to give the appearance that the entry was made on a previous date or an earlier time. The entry must be signed.

3.      Identify or refer to the date and circumstance for which the late entry or addendum is written.

4.      When making a late entry, document as soon as possible. There is no time limit for writing a late entry; however, the longer the time lapse, the less reliable the entry becomes.

D. An addendum is another type of late entry that is used to provide additional information in conjunction with a previous entry. When writing an addendum, complete it as soon as possible after the original note.


E. Scanning Documents

Significant Errors requiring an Incident Report:

  • Document scanned into wrong EMR
  • Document not scanned                                                                                                                                                                1.      Notify the HISA

2.      The HISA will Mitigate as appropriate and complete the Incident Report

Non-Significant Errors

  • Incorrect document date or missing date
  • Incorrect document category
  • Comment field not completed as per guidelines
  • Date stamp missing
  • Student Identification Number missing
  • Faxed stamp missing

When docments are received to be scanned the detailed scan guideline will be followed. This guide is located in Health Information management.

All outside records received will be scanned or uploaded into appropriate chart and assigned to the approprate clinician who will review and acknowledged in PnC.

F. Electronic Documentation – Direct Online Data Entry

Note: The following are guidelines for making corrections to direct entry of clinical documentation, and mechanisms may vary from one system to another.

一.   In general, correcting an error in an electronic/computerized medical record should follow the same basic principles as corrections to the paper record.

一.   The system must have the ability to track corrections or changes to any documentation once it has been entered or authenticated.

一.   When correcting or making a change to a signed entry, the original entry must be viewable, the current date and time entered, and the person making the change identified.

一.   G. Copy and Paste Guidelines

The “copy and paste” functionality available for records maintained electronically eliminates duplication of effort and saves time, but must be used carefully to ensure accurate documentation and must be kept to a minimum.

一.   Copying from another clinician’s entry: If a clinician copies all or part of an entry made by another clinician, the clinician making the entry is responsible for assuring the accuracy of the copied information.

一.   Copying test results/data: If a clinician copies and pastes test results into an encounter note, the clinical-provider is responsible for ensuring the copied data is relevant and accurate.

一.   Copying for re-use of data: A clinician may copy and paste entries made in a patient’s record during a previous encounter into a current record as long as care is taken to ensure that the information actually applies to the current visit, that applicable changes are made to variable data, and that any new information is recorded.

XII. Authentication of Entries

A. Electronic signatures must meet standards for:

Data integrity to protect data from accidental or unauthorized change (for example “locking” of the entry so that once signed no further untracked changes can be made to the entry);

Authentication to validate the correctness of the information and confirm the identity of the signer (for example requiring signer to authenticate with password or other mechanism);

Non-repudiation to prevent the signer from denying that he or she signed the document (for example, public/private key architecture).

At a minimum, the electronic signature must include the full name and either the credentials of the author or a unique identifier, and the date and time signed.*

B. Electronic signatures must be affixed only by that individual whose name is being affixed to the document and no other individual.

C. Countersignatures or dual signatures must meet the same requirements, and are used as required by State law and Medical Staff Rules and Regulations.

D. Initials may be used to authenticate entries on flow sheets or medication records, and the document must include a key to identify the individuals whose initials appear on the document.

E. Rubber stamp signatures: Refer to Section VI (D).

F. Documents with multiple sections or completed by multiple individuals should include a signature area on the document for all applicable staff to sign and date. Staff who have completed sections of a form should either indicate the sections they completed at the signature line or initial the sections they completed.

G. No individual shall share electronic signature keys with any other individual.

XIII. Designation of Secondary Patient Information

The following three categories of data contain secondary patient information and must be afforded the same level of confidentiality as the LMR, but are not considered part of the legal medical record.

A. Patient-identifiable source data are data from which interpretations, summaries, notes, etc. are derived. They often are maintained at the department level in a separate location or database, and are retrievable only upon request. Examples:

  • Photographs for identification purposes
  • Audio recordings of dictation notes or patient phone calls.
  • Video recordings of an office visit, if taken for other than patient care purposes

1.      Video recordings/pictures of a procedure, if taken for other than patient care purposes

2.      Video recordings of a telemedicine consultation

3.      Communication tools (i.e., Kardex, patient lists, work lists, administrative in-baskets messaging, sign out reports, FYI, drafts of notes, or summary reports prepared by clinicians, etc.)

4.      Protocols/clinical pathways, best practice alerts, and other knowledge sources.

5.      A Patient’s personal health record provided by the patient to his or her care provider.

6.      Alerts, reminders, pop-ups and similar tools used as aides in the clinical decision making process. The tools themselves are not considered part of the legal medical record. However, the associated documentation of subsequent actions taken by the provider, including the condition acted upon and the associated notes detailing the exam are considered as component of the legal medical record. Similarly, any annotations, notes and results created by the provider because of the alert, reminder or pop-up are also considered part of the legal medical record.

Some source data are not maintained once the data has been converted to text. Certain communication tools are part of workflow and are not maintained after patient's discharge.

B. Administrative Data is patient-identifiable data used for administrative, regulatory, healthcare operations and payment purposes. Examples include but are not limited to:

一.   Authorization forms for release of information

一.   Correspondence concerning requests for records.

一.   Birth and death certificates.

一.   Event history/audit trails.

一.   Patient-identifiable abstracts in coding system.

一.   Patient identifiable data reviewed for quality assurance or utilization management.

一.   Administrative reports.

一.   C. Derived Data consists of information aggregated or summarized from patient records so that there are no means to identify patients. Examples:

一.   Accreditation reports

一.   Best practice guidelines created from aggregate patient data. Public health records and statistical reports.

D. Draft Documents / Work in Progress. Electronic processes and workflow

Management requires methods to manage work in progress. These work-in-progress documents often are available in the system as “draft documents.  Draft documents are not considered an official medical record document until it has been signed by an authorized signer.


Compliance with the above policy is monitored by UCSC Student Health Services. Violations of any of the above policy will be reported to the appropriate supervising authority for potential disciplinary action, up to and including termination and/or restriction of privileges in accordance with UCSC Medical Staff Bylaws, and Human Resource / Personnel Policies.


If a student/patient presents to the UCSC SHS with a written advance healthcare directive, the paperwork will be sent to HIM for scanning into the patient’s medical record.

Any discussions of advance healthcare directives will be incorporated into the patient's clinical record.

A link to information on writing an advance healthcare directive is available on the UCSC SHS website under Patient Rights and Responsibilities.


The Health Information Systems Administrtor or the Business and Information Systems Coordinator, in the HISA's absence, will be notified of the Death of a Student.  Once notified, they will access PnC OpenRegistration, make the record Sequestered and check the Patient is Deceased box and complete DOD (Date o Death) box if known. Document who the notifier was in the Comment section. They will also send the SHS management team & billing office notification of death.


*Non-Patient related faxing are not to be done using the HIM fax machine. The fax machine located in the Exectutive Director's Assistants office can be used for personal faxing when the assistant is present.

Faxing of all patient records will be done only through designated secure fax machines in Medical Records, Insurance, Pharmacy and CAPS. Medical Records primariy uses Sfax, and electronic system, to fax.

Fax Cover sheet, HC: 247, are not to include any form of Protected Health Informaion (PHI) or Personal Identifiable Information (PII), including name of patient/client or date of birth. Fax Cover HC: 247 - please contact HIM for department defined sheets.

All documents containing any form of PHI that are to be faxed must have an appropriate fax cover sheet as the first page.

All fields on the fax cover sheet must be completed: ATTN, Date, Destination Fax, #Of Pages (including coversheet), From (Name) – this is the sender’s name, and message. The Student ID as a reference is appropriate.

Message should reference what you are sending. ROI, Plan of Care sign off, New RX, Approved Refill request… etc.

All faxes are required to have a fax coversheet that includes the following declaration:

WARNING,  this information is intended only for the use of the addressee. It may contain information, which is privileged and confidential. The addressee is hereby notified that any use, dissemination, distribution or copying of this information is strictly prohibited and you may face personal liability for such disclosure. If you have received this in error, please call the contact person listed.


When receiving and outside call from client/student/former student the caller must be identified with at least two but preferably three identifiers.

Due to the high risk of PHI disclosure from Health Information Management, it is imperative the caller is identified appropriatly.

Start with Student ID Number, Date of Birth. Follow with first and last name. If unable to provide the Student ID, look up by date of birth and name. Ask another identifing question, for example: Address while a student, first date/year of attendence, ucsc email address.

If unable to identify forward call to the HISA.