Medical Records Custody Agreement Template for the United States

Generate a bespoke document

Trusted by 200k+ teams

4.7 Capterra
4.8 Product Hunt
4.6 Trustpilot

What is a Medical Records Custody Agreement?

The Medical Records Custody Agreement becomes necessary when healthcare providers need to transfer custody of patient records due to practice closure, retirement, merger, or outsourcing of record management. This agreement, governed by U.S. federal and state laws, particularly HIPAA, ensures proper handling of sensitive medical information. It defines specific responsibilities for record maintenance, security protocols, and patient access procedures, while protecting both the healthcare provider and the custodian through clear liability allocation and compliance requirements.

Reviewed by

Swetha Meenal

Legal Engineer, GenieAI

Swetha Meenal profile photo

A lawyer, legal researcher and legal tech founder, Swetha has built AI products deployed inside Tier 1 firms and enterprises. She ensures GenieAI's alignment with the latest regulation and executes testing on the legal robustness of Genie output.

Reviewed by

Imad Mohammed Nazar

Legal Engineer, GenieAI

Imad Mohammed Nazar profile photo

A Skadden-trained M&A lawyer, Imad advised on cross-border transactions and contractual risk before moving into legal AI. He reviews GenieAI's output for compliance and enforceability across our 150+ supported jurisdictions, as well as facilitating external benchmarking.

Jurisdiction

United States

Publisher

GenieAI

Sector

Business

Cost

Free to use

Last updated

About the Medical Records Custody Agreement

A Medical Records Custody Agreement is a critical legal document that governs the transfer and management of patient medical records when healthcare providers need to change custody arrangements. You'll need this agreement to ensure compliance with federal healthcare privacy laws while protecting sensitive patient information during transitions.

When do you need this document?

You need a Medical Records Custody Agreement when your medical practice is closing permanently, when you're retiring and transferring patient records to another provider, or during practice mergers and acquisitions. The agreement is also essential when outsourcing record storage to third-party medical records management companies or business associates. Healthcare facilities undergoing ownership changes, converting from paper to electronic records systems, or establishing partnerships with other healthcare entities also require this documentation. Emergency situations where a practice must suddenly cease operations due to unforeseen circumstances make this agreement crucial for ensuring continuity of patient care and legal compliance.

Key legal considerations

The agreement must clearly define the roles and responsibilities of both the transferring healthcare provider and the receiving custodian. Critical clauses include specific security measures for protecting Protected Health Information (PHI), procedures for patient access to their records, and protocols for handling record requests from other healthcare providers. You must address liability allocation, indemnification provisions, and breach notification procedures. The document should specify retention periods, destruction protocols for records that have exceeded legal requirements, and compliance monitoring procedures. Insurance requirements, termination clauses, and dispute resolution mechanisms are equally important to prevent future legal complications.

Legal requirements in the United States

Under federal law, your Medical Records Custody Agreement must comply with HIPAA Privacy and Security Rules, which mandate specific safeguards for PHI handling and transmission. The HITECH Act expands these requirements, particularly for electronic health records, and increases penalties for violations. If your records include substance abuse treatment information, you must also comply with 42 CFR Part 2 regulations, which impose stricter confidentiality requirements than HIPAA. The agreement must ensure ADA compliance for accessibility of medical records and accommodate patients with disabilities. State laws may impose additional requirements regarding record retention periods, patient notification procedures, and specific licensing requirements for records custodians. Your agreement should include provisions for ongoing compliance monitoring and regular security assessments to meet evolving regulatory standards.

GOVERNING LAW

Applicable law

This Medical Records Custody Agreement is drafted to comply with United States law. Key legislation includes:

HIPAA: Health Insurance Portability and Accountability Act of 1996 - Primary federal law governing medical records privacy, security, and patient rights regarding their health information

HITECH Act: Health Information Technology for Economic and Clinical Health Act - Expands HIPAA rules and increases penalties for violations, particularly regarding electronic health records

42 CFR Part 2: Federal regulations governing the confidentiality of Substance Use Disorder Patient Records - More stringent than HIPAA for addiction treatment records

ADA Compliance: Americans with Disabilities Act requirements for accessibility of medical records and accommodation in record-keeping practices

FTC Regulations: Federal Trade Commission regulations regarding data security and breach notification requirements for medical records

State Retention Laws: State-specific requirements for how long medical records must be retained, varying by jurisdiction and record type

State Privacy Laws: State-specific privacy regulations which may impose additional requirements beyond HIPAA

State Storage Requirements: State-specific requirements for physical and electronic storage of medical records, including security measures

CMS Requirements: Centers for Medicare & Medicaid Services standards for medical record maintenance and accessibility

Joint Commission Standards: Accreditation requirements for medical record management in healthcare facilities

Business Associate Requirements: HIPAA requirements for Business Associate Agreements when third parties handle protected health information

Breach Notification Rules: Federal and state requirements for notifying patients and authorities in case of unauthorized access to medical records

Electronic Records Standards: Technical standards and security requirements for electronic health record systems and digital storage

Patient Access Rights: Legal requirements for providing patients with access to their medical records and copies upon request

Disaster Recovery Requirements: Regulations regarding backup systems and recovery procedures for medical records in case of emergencies

Genie's Security Promise

Genie is the safest place to draft. Here's how we prioritise your privacy and security.

Your data is private:

We do not train on your data; Genie's AI improves independently

All data stored on Genie is private to your organisation

Your documents are protected:

Your documents are protected by ultra-secure 256-bit encryption

We are ISO27001 certified, so your data is secure

Organizational security:

You retain IP ownership of your documents and their information

You have full control over your data and who gets to see it