Medical Records – Retention and Protection

Pinnacol receives injured worker medical records daily; disclosure of protected health information
Back to Knowledge Center

Pinnacol receives injured worker medical records daily; disclosure of protected health information to workers’ compensation insurers is authorized by Section 164.512(I) of the HIPAA privacy rule. The parties named on the claims also receive these records. Established policies and procedures safeguard these records and ensure appropriate distribution. We also strive to protect the records once they leave Pinnacol.

Treating providers and independent medical evaluators should also do their part to ensure the safekeeping and proper disposal of injured workers’ medical records.

Physicians are ultimately responsible for ensuring that digital and paper medical records are stored and maintained according to federal and state legal requirements and the principles outlined in the rules governing the protection of medical records. Under the Colorado Medical Practice Act, each licensed physician and physician assistant must develop a written plan to ensure the security of patient medical records (including the storage and proper disposal of records) and the method by which patients may promptly access or obtain copies of their records.

The medical provider is the custodian of the record. The physical medical record actually belongs to the physician or medical provider who created it and the facility in which the record was created. Patients and other parties are permitted to obtain a copy of the medical records, but the original document is retained by the provider creating the record.

To protect against loss of information and damage, providers must keep all patient records and data in a safe and secure environment with restricted access. These precautions apply regardless of whether the information is stored on premises within the physician’s control or electronically in the cloud. Physicians who remove records from the clinic or receive medical records outside the clinic must take appropriate measures to prevent loss, restrict access, and maintain the privacy of patients’ personal health information.

Physicians must not dispose of personal health information unless their obligation to retain the record has ended. At that point, they must dispose of records in a secure manner such that reconstruction of the record is not possible. If the physician performed an independent medical evaluation, the physician must either return the medical records to Pinnacol for proper disposal or acknowledge on the Pinnacol IME form that the records have been properly disposed of. Physicians must notify Pinnacol in the case of a loss or breach so we can help mitigate any adverse impacts to the injured worker involved.


Colorado Division of Workers’ Compensation – HIPAA and Colorado Workers’ Compensation

Colorado Medical Board, Medical Policy 40-7 – Guidelines Pertaining to the Release and Retention of Medical Records, last revised 8/20/15

Colorado Revised Statutes Title 8 Labor and Industry § 8-47-203 – Access to files, records, and orders

Colorado Revised Statutes Title 8 Labor and Industry § 8-43-404 – Physicians to testify and furnish results

Colorado Revised Statutes Medical Practice Act, § 12-240-142 – Protection of medical records (October 1, 2019)

Department of Health and Human Services – Disclosures for Public Health Activities, Privacy Rule, Section 164.512(I)

COVID-19 policy update