Custodian Of Medical Records Agreement Template for the United States
What is a Custodian Of Medical Records Agreement?
The Custodian of Medical Records Agreement is essential when a healthcare provider needs to transfer responsibility for maintaining patient records to a third party. This commonly occurs during practice closure, retirement, acquisition, or outsourcing of records management. The agreement ensures continued compliance with HIPAA regulations and state laws while protecting patient privacy and maintaining proper access to medical records. It addresses critical aspects such as security measures, retention periods, access protocols, and breach notification procedures, all within the framework of U.S. federal and state healthcare regulations.
Frequently Asked Questions
Is a Custodian Of Medical Records Agreement legally binding in the United States?
Yes, a properly executed Custodian Of Medical Records Agreement is legally binding in the United States when it complies with federal HIPAA requirements and applicable state laws. The agreement creates enforceable obligations for both the transferring healthcare provider and the custodian regarding patient record handling and privacy protection. All parties must sign the agreement and fulfill their specified duties under federal healthcare regulations.
Can I transfer medical records without a Custodian Of Medical Records Agreement?
No, transferring medical records to a third-party custodian without a proper agreement violates HIPAA requirements and can result in significant penalties. Federal law requires a written Business Associate Agreement or custodian agreement that specifies how patient information will be protected and accessed. Operating without this agreement exposes healthcare providers to regulatory fines and potential lawsuits.
How long must a custodian keep medical records under US law?
Medical record retention periods vary by state, typically ranging from 5-10 years for adults and longer for pediatric records. The Custodian Of Medical Records Agreement must specify retention periods that comply with both federal requirements and the applicable state's medical records laws. Some states require retention until the patient reaches the age of majority plus additional years, while others have fixed timeframes regardless of patient age.
How is a Custodian Of Medical Records Agreement different from a Business Associate Agreement?
A Custodian Of Medical Records Agreement specifically governs the transfer and ongoing custody of patient records, while a Business Associate Agreement covers broader data sharing relationships under HIPAA. The custodian agreement typically applies when a practice closes or transfers ownership, establishing long-term record storage responsibilities. Business Associate Agreements are used for ongoing operational relationships like billing services or cloud storage providers.
How long does it take to prepare a Custodian Of Medical Records Agreement?
Creating a comprehensive Custodian Of Medical Records Agreement typically takes 1-3 weeks, depending on the complexity of the transfer and negotiation between parties. The process includes reviewing patient record inventories, determining retention requirements, establishing access procedures, and ensuring HIPAA compliance. Rush situations may be completed faster, but adequate time should be allowed for proper legal review and compliance verification.
Can patients access their records after they're transferred to a custodian?
Yes, patients retain the right to access their medical records even after transfer to a custodian under HIPAA regulations. The Custodian Of Medical Records Agreement must establish clear procedures for patient access requests, including response timeframes and any applicable fees. The custodian becomes responsible for fulfilling these access requests in compliance with federal and state patient rights laws.
What mistakes do healthcare providers make with medical records custodian agreements?
Common mistakes include failing to specify retention periods, inadequate security requirements, unclear patient access procedures, and missing breach notification protocols. Many providers also forget to include provisions for record destruction after retention periods expire or fail to address what happens if the custodian goes out of business. Incomplete agreements can result in HIPAA violations and loss of important patient records.
About the Custodian Of Medical Records Agreement
A Custodian Of Medical Records Agreement is a critical legal contract that establishes the terms and conditions when a healthcare provider transfers responsibility for maintaining patient medical records to a third-party custodian. This agreement ensures continuous compliance with federal privacy laws while protecting patient rights and maintaining proper access to healthcare information throughout the transition process.
When do you need this document?
You need this agreement when your medical practice is closing permanently and you must transfer patient records to a qualified custodian for long-term storage. It's essential during practice acquisitions where the purchasing entity will not maintain the original practice location but needs to preserve patient records. You'll also require this document when outsourcing your records management to a specialized third-party service provider or when a retiring physician transfers patient files to another healthcare provider. Additionally, this agreement becomes necessary during practice mergers where records consolidation requires temporary or permanent custodial arrangements with external entities.
Key legal considerations
The agreement must clearly define the scope of custodial services, including specific responsibilities for maintaining, storing, and providing access to protected health information. You need to establish comprehensive security measures that meet or exceed HIPAA Security Rule requirements, including physical safeguards, technical controls, and administrative procedures. The contract should specify detailed breach notification procedures that comply with both HIPAA and HITECH Act requirements, including timelines for reporting incidents to covered entities and patients. Include provisions for records retention periods that satisfy both federal requirements and state-specific medical record laws, which can vary significantly across jurisdictions. The agreement must address patient access rights, ensuring the custodian can respond appropriately to patient requests for their medical records within required timeframes.
Legal requirements in United States
Under HIPAA regulations, any third-party custodian handling protected health information must qualify as a business associate and execute a compliant business associate agreement. The custodian must implement appropriate safeguards under the HIPAA Security Rule, including encryption for electronic records and secure storage for physical documents. HITECH Act provisions require specific breach notification procedures, with notifications to affected patients within 60 days and annual reports to the Department of Health and Human Services. State medical record laws impose additional requirements for retention periods, which typically range from 7-10 years for adult patients and longer periods for pediatric records. Some states require specific licensing or certification for entities serving as medical records custodians, and certain jurisdictions mandate patient notification when records are transferred to third-party custodians. The agreement must also comply with 42 CFR Part 2 if any substance abuse treatment records are included, as these have heightened confidentiality protections beyond standard HIPAA requirements.
GOVERNING LAW
Applicable law
This Custodian Of Medical Records Agreement is drafted to comply with United States law. Key legislation includes:
Explore 208,390+ legal templates
Genie's Security Promise
Genie is the safest place to draft. Here's how we prioritise your privacy and security.
Your data is private:
We do not train on your data; Genie's AI improves independently
All data stored on Genie is private to your organisation
Your documents are protected:
Your documents are protected by ultra-secure 256-bit encryption
We are ISO27001 certified, so your data is secure
Organizational security:
You retain IP ownership of your documents and their information
You have full control over your data and who gets to see it