Am I Still Allowed to Keep Paper Records, or Are Electronic Medical Records Required?
Many healthcare practice owners ask us: “Can we use paper records for our patients? What legal issues might arise if I do?” If you’re a provider who prefers pen and paper, keep reading to learn the requirements.

The federal government strongly encourages healthcare practices to use electronic medical records (EMRs) or electronic health records (EHRs). Due to this policy preference, their use has exploded, with positive results for both patients and practices. However, the push toward electronic records has also led to confusion about whether paper records still comply with federal law.
What Does Federal Law Say About Using EMRs and EHRs?
Over the last several years, Congress passed robust legislation and created financial incentives to sway hospitals and practices to convert to electronic records.
In 2009, Congress passed the American Recovery and Reinvestment Act (ARRA) to promote the adoption of health information technology. ARRA includes the Health Information Technology for Economic and Clinical Health Act (HITECH), which supports HIPAA enforcement by establishing incentive payments for eligible professionals, eligible hospitals, and critical access hospitals to promote the adoption and use of EMRs. These financial incentives pushed hospitals around the country to convert to electronic records.
In 2016, Congress passed the 21st Century Cures Act (commonly called “the Cures Act”). The act initiated a rulemaking process that led to the OpenNotes Rule (as it’s informally known), which prohibits information blocking. In short, patients must have full and immediate access to their electronic health data. The rule also calls on the healthcare industry to adopt standardized application programming interfaces (APIs). APIs will allow patients to access structured electronic health information securely with smartphone apps.
How Does This Apply To Paper Records?
To be clear, the Cures Act does not require you to adopt an EMR or EHR system at your practice. Additionally, at this time, there is no federal ban prohibiting the use of paper records as part of your practice operations. The Cures Act requirements only apply to electronic patient health information. In other words, if you are using paper records, the Cures Act’s final rulemaking process does not apply to you.
While you are not mandated to convert your paper-only practice to an electronic system, this doesn’t mean you have no security concerns regarding your records. If you are a covered entity under HIPAA, you are still subject to HIPAA’s Privacy Rule, which prohibits unauthorized disclosure of protected health information (PHI) in any format.
Unauthorized disclosures of paper records trigger notice requirements under HIPAA. While, on its face, unauthorized disclosure of paper records seems less likely, do not underestimate how easy it can be to mail medical records to the wrong recipient or for someone to steal charts from your office.
HIPAA, particularly its Security Rule, requires all covered entities to have a written security plan. If you are a “paper practice,” your written security plan needs to consider this and explain how you protect physical records. For example, do you lock your records in a filing cabinet? Who is responsible for upkeep? Do you have any backup system if a flood, fire, or other natural disaster destroys the records? What is the procedure if a file is lost? Your HIPAA policies and procedures (i.e., your written security plan) should address these questions.
What Works Best For Your Practice?
We understand that many healthcare providers may still want to avoid EMR/EHR systems altogether and remain a “paper practice.” Electronic systems usually come with financial costs. They will also inevitably open the door to additional regulatory requirements and add different avenues for a breach.
However, electronic medical or health records can have real benefits. Unlike paper records, you can back up EMRs and EHRs through HIPAA-compliant cloud systems. Plus, many people love the convenience of viewing their electronic records through a patient portal. With so many hospitals relying on EMRs, patients have come to expect easy access to records and all of the other benefits of using these systems.
Need Help With EMR or EHR Compliance?
Maybe you are a paper practice who wants to learn more about the regulatory landscape surrounding electronic records. Or maybe you suspect that your HIPAA policies and procedures do not adequately capture the security protocols you have in place at your practice. If this is you, contact an experienced healthcare lawyer to walk you through federal requirements and best practices.
Jackson LLP is dedicated to making compliance straightforward and stress-free. By working to understand your preferences, we can create internal policies that simplify your operations. If you practice in one of the states where we have licensed attorneys, you can schedule a complimentary phone consultation to learn more.
This blog is made for educational purposes and is not intended to be specific legal advice to any particular person. It does not create an attorney-client relationship between our firm and the reader. It should not be used as a substitute for competent legal advice from a licensed attorney in your jurisdiction.