Records Control

Records Control 


  1. Client records will be maintained in acomplete, integrated fashion, ensuring that all appropriate client information is available to clinicians and support staff to carry out assigned work.
  2. Appropriate documentation of services provided will be maintained in accordance with regulatory guidelines and legal statutes.
  3. Mid-Ohio Psychological Services will maintain and protect information regarding patients/clients as confidential.
  4. The Director of Operations will be responsible for the administration of the clinical records system. 





Individual Client Records (ICR) will be available to all clinical and clerical staff persons who have a need to review such records in order to carry out their assigned work.  Each staff person will be made fully aware of the issues of confidentiality and will sign a statement acknowledging their responsibility for maintaining confidentiality.  No person will be granted access to client records unless approved by the agency’s Executive Director. 

Client records will be stored in a locked, secured area that is accessible to the staff persons who have a need to use the files. Forensic case files will be stored separately from other client records in a locked, secured area. Only authorized individuals shall be permitted in the areas that are used to maintain records for the persons served. All information about persons served that is maintained on computer systems will be secured to prevent unauthorized access. 

Client files will be removed from the file drawer at the end of the day prior to the client being seen by the designated support staff as identified on the daily schedule. The file will be checked out to the clinician by scanning the barcode on the chart into the electronic file management system. The files will be left in the designated pick-up area for the  appropriate clinician.  When the clinician is done working with the day’s files, the files are to be returned to the file clerk to be checked back in and re-filed. If client files for individuals not listed on the daily schedule are needed, designated support staff will remove the files from the file drawer and check them out to the requesting person using the barcode reader. When done with the file, the file will be returned to the designated support staff, who will check the file in and re-file it.  Only designated support staff shall re-file client records.  No file is to be removed from its assigned location over-night unless approval has been granted by the Executive Director and the file is checked out using the electronic file management system. 

Records storage shall be maintained in accordance with Federal Regulation 42 CFR Part II. 


Confidentiality is a vital component of providing quality outpatient therapeutic services.  Clients expect an assurance that what they discuss privately will be held in the strictest confidence.  The assurance, once conveyed, is often a prelude to the development of trust, which is essential in the therapeutic setting.  In order to ensure that confidentiality is maintained, its importance will be emphatically conveyed to every employee, volunteer, student and client of Mid-Ohio Psychological Service, Inc. 

Confidentially rules conveyed to every employee, volunteer, student and client would include the following: 

  • Program staff shall not convey to a person outside of the program that a client attends or receives services from the program or disclose any information identifying a client as a program participant unless the client consents in writing for the release of information, the disclosure is allowed by a court order, or the disclosure is made to a qualified personnel for a medical emergency, research, audit or program evaluation purposes. 
  • Federal laws and regulations do not protect any threat to commit a crime, any information about a crime committed by a client either at the program or against any person who works for the program. 
  •  Federal laws and regulations do not protect any information about suspected child abuse or neglect from being reported under state law to appropriate state or local authorities. 

If violations of confidentiality are noted, appropriate administrative action shall be carried out.  In the case of a client who is a member of a therapy group, his/her expulsion from the group is an option open to the group leaders and members if the group member violates confidentiality. 

Confidentially shall be maintained in accordance with Federal Regulation 42 CFR Part II. 

Client Access to Records 

The laws and standards of this profession require that we keep Protected Health Information about clients in client Clinical Record. Except in unusual circumstances that involve danger to the client and/or others, clients may examine and/or receive a copy of the Clinical Record, if it is requested it in writing and the request is signed by the client and dated not more than 60 days from the date it is submitted.  Because these are professional records, they can be misinterpreted and/or upsetting to untrained readers. For this reason, we recommend that clients initially review them in the provider’s presence, or have them forwarded to another mental health professional so they can discuss the contents. In most circumstances, we are allowed to charge a copying and scanning fee of $1 per page for the first ten pages, 50 cents per page for pages 11 through 50, and 20 cents per page for pages in excess of fifty, plus $15 fee for processing , plus postage at the discretion of the Executive Director. If a request for access to records is refused, clients will have a right of review, which we will discuss upon request with the provider. 

HIPAA provides several new or expanded rights with regard to Clinical Record and disclosures of protected health information. These rights include requesting that a record be amended; restrictions on what information from Clinical Record is disclosed to others; requesting an accounting of most disclosures of protected health information that were neither consented to nor authorized; determining the location to which protected information disclosures are sent; having any complaints made about agency policies and procedures recorded in patient records; and the right to a paper copy of this Agreement, the Notice form, and our privacy policies and procedures. 

Release of Client Information 

Client information will only be released with written authorization of the client/guardian, except as specified in section 5122.31 of the Ohio Revised Code.  The release of information shall include the client’s name, identifying information, the exact nature of the information to be released, the purpose of sharing of the information, the date/conditions under which the release of information will expire, and who the information is to be released to.  The release of information must also include a statement such as: This information may not be re-released.  This information has been disclosed from records whose confidentiality is protected by Ohio Revised Code 5122.31, Ohio Department of Mental Health Rules for Clinical Records 5119:1-7-11, and in accordance with Federal Regulation 42 CFR Part II.  MOPS will not re-release information gathered from other sources. 

The File Clerk will review the request for information and ensure that it complies with the above issues.  If the request for information does not comply, then a letter will be sent to the requesting agency explaining what data is missing. This letter will neither confirm nor disconfirm whether the client has actually been seen by this agency. If the request for information does comply with the above identified issues, the File Clerk will gather the appropriate records and present them to the Clinical Direct or their designee to determine what specific material will be released.  The File Clerk will then copy the appropriate documents, complete a Response to Request for Information form and provide this material to the requesting agency. 

If a client provides a signed release of information utilizing the agency approved form, then a clinician may speak by phone to the person who needs information concerning the client.  In all cases, the clinician must verify that the release of information authorization is valid at the time of the communication.  All communication with outside agencies concerning a client will be documented through a case note to be placed in the client’s ICR. 

Compliance with Subpoenaed Records 

Every effort will be made to comply with a valid subpoena. Any clinical staff member receiving a subpoena should consult with the Executive Director or designee to determine if the subpoena is valid. If the subpoena is valid, a peer review of the contents of the record should be conducted with the Executive Director or designee to determine what can and can’t be shared based on the clinical staff member’s license designation. 

If a subpoena is provided in less than ten days, the notice of the subpoena is considered insufficient. The attorney of record should be notified verbally by the clinical staff member as timely as possible, if this is challenged by the attorney, a letter should be provided to the attorney and placed in the chart. 

In the event that a subpoena is inappropriate, results in undue burden to the staff and/or is likely to violate a client’s right to privilege a motion to quash will be pursued. 

Compliance with Search Warrants and Other Investigation Demands 

A search warrant is an order signed by a judge that authorizes police officers to search for specific objects or materials at a definite location at a specified time.  Upon being served with a search warrant, the Executive Director will be notified immediately. The agency will make every effort to comply with the specific requests of the search warrant and applicable confidentiality requirements. 

In the event that the agency receives notice of an investigation by an outside regulatory agency, the Executive Director will be notified immediately. All notices of investigation should provide written guidelines for compliance during the investigation, and the agency will make every effort to comply with all requirements.  Such investigations could include but are not limited to U.S. Department of Health and Human Services (HHS), Federal or State Medicaid, or Ohio Department of Mental Health. 


All ICRs for all program areas of MOPS will include the following documents: 

  • Initial Client Contact 
  • Physical Health Assessment-Self Report 
  • Psychosocial History-Self Report 
  • Psychosocial History (which includes Mental Status Examination) 
  • A statement clarifying payment issues. 
  • A signed acknowledgment of Client Rights and Agency Policy and Procedure (which includes authorization for services). 
  • Notes reflecting each client contact or contact with other persons concerning a client (with a signed release of information as appropriate) 
  • Treatment Plan (Individual Service Plan) 
  • HIPAA Form Privacy Statement 

Each of these components will be in the ICR by the end of the first session.  Case notes will be generated within five days of the session (refer to 5-day rule) and will be in the chart within 30 days of the session.  By the forth session or within 30 days (whichever is sooner), the ICR must also contain an ISP and appropriate statistical reporting forms.  Upon termination from treatment, the ICR must also contain a Treatment Termination form and the appropriate statistical reporting forms. 

File Archive and Destruction Policy 

When a file has been determined by the responsible clinical staff as appropriate for closure, the clinician will complete the appropriate case closure documentation.  This case closure documentation will be forwarded to the appropriate support staff to

facilitate the closure of the case in the Clinical Information System (CIS).  After closing the file, support staff will scan the entire file and save it under the client identification number in the electronic archive.  The file location will be changed to S for scanned in Xakt.  

All terminated and inactive case records shall be maintained in electronic format indefinitely. The hard copy of the file will be destroyed using confidential shredding of the material provided by a third-party service on agency premises.  The file destruction service will be scheduled approximately every six months. 

HIPAA Breach Notification 

The agency will notify clients by written notice within 60 days of the date that the HIPAA breach is discovered. The notice will include: 

  • A brief description of the breach, including dates. 
  • A description of types of unsecured PHI involved. 
  • The steps the client should take to protect against potential harm. 
  • A brief description of steps the agency has taken to investigate the incident, mitigate harm, and protect against further breaches. 
  • The agency’s contact information. 

The notices will be mailed to the last known address of the client.  In the event that the client is a minor, incapacitated, or deceased, the notice will be sent to the client’s guardian, personal representative, or next of kin.  If the agency has fewer than ten clients who are unable to be contacted via mail, the agency will provide substitute notice by telephone. If the number of clients who are unable to be contacted via mail is greater than ten, the agency will post a notice on the agency’s homepage. The agency will maintain a toll-free phone number that will remain active for 90 days so clients can contact the agency to determine if the breach affected their PHI. 

For breaches affecting fewer than 500 clients the above procedures will be followed and a log will be maintained of the breaches for each calendar year.  This log will be reported to HHS within 60 days after the calendar year ends.  For breaches affecting more than 500 clients, the agency will make immediate notice to HHS and follow the instructions given to properly notify clients. 


Revised: 7/3/18 Previous Revision. 11/13