.04 Maintenance of Medical Records.

A. A health care provider shall develop and maintain a records retention schedule compatible with the requirements of Regulations .04—.07 of this chapter.

B. Except as provided in Regulations .06 and .07 of this chapter, a health care provider shall maintain medical records for all patients in the health care provider's care for a minimum of 5 years after the medical record is made or until the patient is 21 years old, whichever is longer.

C. Medical records are the personal property of the entity providing health care and are maintained for:

(1) The patient;

(2) The medical or treatment staff; and

(3) Other treatment, payment, and health care operations.

D. A health care provider shall retain medical records in:

(1) An office with access restricted to authorized staff;

(2) A computer or other device with appropriate security such as passwords or data encryption;

(3) A commercial records storage site with appropriate environmental and security controls; or

(4) Other storage options that ensure protection, security, and access control.

E. Maintenance of medical records may be contracted to a records management service that agrees to comply with and be subject to this chapter.

F. Medical records that have been placed in storage remain the responsibility of the health care provider, including:

(1) Providing the patient or person in interest access to their medical records and authorized copies upon request in accordance with Health-General Article, §4-304, Annotated Code of Maryland, and 45 CFR §164.524, as amended;

(2) Ensuring the confidentiality of the medical records;

(3) Providing security and restricted access to the medical records; and

(4) Protecting the medical records from:

(a) Damage;

(b) Loss; and

(c) Deterioration.

G. If a medical record is kept in electronic form, a health care provider shall:

(1) Maintain or have access to compatible electronic hardware and software that will enable the health care provider to generate a legible copy of the record in order to comply with patient and governmental access needs; and

(2) Prepare and maintain a current back-up copy of electronic medical record files.