Medical Records Custody Agreement Template for the United States

What is a Medical Records Custody Agreement?

The Medical Records Custody Agreement becomes necessary when healthcare providers need to transfer custody of patient records due to practice closure, retirement, merger, or outsourcing of record management. This agreement, governed by U.S. federal and state laws, particularly HIPAA, ensures proper handling of sensitive medical information. It defines specific responsibilities for record maintenance, security protocols, and patient access procedures, while protecting both the healthcare provider and the custodian through clear liability allocation and compliance requirements.

Frequently Asked Questions

Is a Medical Records Custody Agreement legally binding under federal law?

Yes, a properly executed Medical Records Custody Agreement is legally binding under federal law, particularly under HIPAA and the HITECH Act. The agreement creates enforceable obligations for both parties regarding patient record security, privacy, and access requirements. Courts will enforce these agreements when they comply with federal healthcare privacy regulations.

How long can healthcare providers be held liable without a proper custody agreement?

Without a proper custody agreement, the original healthcare provider may remain indefinitely liable for HIPAA violations and patient record security breaches. Federal regulations don't automatically transfer responsibility, so providers could face penalties for records they no longer control. This liability continues until proper legal transfer documentation is executed.

How long does it typically take to prepare a Medical Records Custody Agreement?

A basic Medical Records Custody Agreement can be drafted in 1-2 weeks, but complex transfers involving multiple parties or large record volumes may take 4-6 weeks. The timeline depends on negotiating terms, conducting due diligence on the receiving party's security measures, and ensuring HIPAA compliance verification. Rush situations like practice closures may require expedited processing.

Can this agreement be used for transferring records to cloud storage companies?

Yes, but cloud storage companies must be qualified as HIPAA Business Associates, and the agreement must include specific cloud security provisions. The agreement should address data encryption, server location restrictions, and breach notification procedures required under the HITECH Act. Additional cybersecurity clauses are typically necessary for cloud-based record custody.

Which states have additional requirements beyond federal HIPAA rules for medical record transfers?

California, New York, Texas, and Florida have additional state-specific requirements for medical record custody transfers beyond HIPAA. These may include extended retention periods, specific patient notification requirements, or additional security standards. The agreement must comply with both federal regulations and the stricter requirements of applicable state laws.

Does transferring medical records custody affect patient access rights under HIPAA?

No, patient access rights under HIPAA remain unchanged regardless of custody transfer. The new custodian must honor all patient requests for records, amendments, and access logs just as the original provider would. The agreement should specify how patient requests will be handled and ensure continuity of the required 30-day response timeframe.

Can healthcare providers be fined if they transfer records without this agreement?

Yes, transferring medical records without proper custody agreements can result in HIPAA violations with fines ranging from $100 to $50,000 per violation. The Department of Health and Human Services may impose penalties for unauthorized disclosures or failure to maintain proper safeguards. Repeat violations or willful neglect can result in criminal charges and practice license suspension.

Reviewed by

Swetha Meenal

Legal Engineer, GenieAI

A lawyer, legal researcher and legal tech founder, Swetha has built AI products deployed inside Tier 1 firms and enterprises. She ensures GenieAI's alignment with the latest regulation and executes testing on the legal robustness of Genie output.

Reviewed by

Imad Mohammed Nazar

Legal Engineer, GenieAI

A Skadden-trained M&A lawyer, Imad advised on cross-border transactions and contractual risk before moving into legal AI. He reviews GenieAI's output for compliance and enforceability across our 150+ supported jurisdictions, as well as facilitating external benchmarking.

Jurisdiction

United States

Publisher

GenieAI

Sector

Business

Cost

Free to use

About the Medical Records Custody Agreement

A Medical Records Custody Agreement is a critical legal document that governs the transfer and management of patient medical records when healthcare providers need to change custody arrangements. You'll need this agreement to ensure compliance with federal healthcare privacy laws while protecting sensitive patient information during transitions.

When do you need this document?

You need a Medical Records Custody Agreement when your medical practice is closing permanently, when you're retiring and transferring patient records to another provider, or during practice mergers and acquisitions. The agreement is also essential when outsourcing record storage to third-party medical records management companies or business associates. Healthcare facilities undergoing ownership changes, converting from paper to electronic records systems, or establishing partnerships with other healthcare entities also require this documentation. Emergency situations where a practice must suddenly cease operations due to unforeseen circumstances make this agreement crucial for ensuring continuity of patient care and legal compliance.

Key legal considerations

The agreement must clearly define the roles and responsibilities of both the transferring healthcare provider and the receiving custodian. Critical clauses include specific security measures for protecting Protected Health Information (PHI), procedures for patient access to their records, and protocols for handling record requests from other healthcare providers. You must address liability allocation, indemnification provisions, and breach notification procedures. The document should specify retention periods, destruction protocols for records that have exceeded legal requirements, and compliance monitoring procedures. Insurance requirements, termination clauses, and dispute resolution mechanisms are equally important to prevent future legal complications.

Legal requirements in the United States

Under federal law, your Medical Records Custody Agreement must comply with HIPAA Privacy and Security Rules, which mandate specific safeguards for PHI handling and transmission. The HITECH Act expands these requirements, particularly for electronic health records, and increases penalties for violations. If your records include substance abuse treatment information, you must also comply with 42 CFR Part 2 regulations, which impose stricter confidentiality requirements than HIPAA. The agreement must ensure ADA compliance for accessibility of medical records and accommodate patients with disabilities. State laws may impose additional requirements regarding record retention periods, patient notification procedures, and specific licensing requirements for records custodians. Your agreement should include provisions for ongoing compliance monitoring and regular security assessments to meet evolving regulatory standards.

GOVERNING LAW

Applicable law

This Medical Records Custody Agreement is drafted to comply with United States law. Key legislation includes:

HIPAA: Health Insurance Portability and Accountability Act of 1996 - Primary federal law governing medical records privacy, security, and patient rights regarding their health information

HITECH Act: Health Information Technology for Economic and Clinical Health Act - Expands HIPAA rules and increases penalties for violations, particularly regarding electronic health records

42 CFR Part 2: Federal regulations governing the confidentiality of Substance Use Disorder Patient Records - More stringent than HIPAA for addiction treatment records

ADA Compliance: Americans with Disabilities Act requirements for accessibility of medical records and accommodation in record-keeping practices

FTC Regulations: Federal Trade Commission regulations regarding data security and breach notification requirements for medical records

State Retention Laws: State-specific requirements for how long medical records must be retained, varying by jurisdiction and record type

State Privacy Laws: State-specific privacy regulations which may impose additional requirements beyond HIPAA

State Storage Requirements: State-specific requirements for physical and electronic storage of medical records, including security measures

CMS Requirements: Centers for Medicare & Medicaid Services standards for medical record maintenance and accessibility

Joint Commission Standards: Accreditation requirements for medical record management in healthcare facilities

Business Associate Requirements: HIPAA requirements for Business Associate Agreements when third parties handle protected health information

Breach Notification Rules: Federal and state requirements for notifying patients and authorities in case of unauthorized access to medical records

Electronic Records Standards: Technical standards and security requirements for electronic health record systems and digital storage

Patient Access Rights: Legal requirements for providing patients with access to their medical records and copies upon request

Disaster Recovery Requirements: Regulations regarding backup systems and recovery procedures for medical records in case of emergencies
