Safety & Risk Management

Maintenance of Medical Information

This Medical Information, Consent for Emergency Medical Treatment & Emergency Contact Information Form is provided as a sample document for Program Sponsors and/or Program Directors. While collection of certain medical information is important and recommended in order to address the medical needs of your program participants, it is imperative that medical information be collected and maintained in such a way that ensures the protection of privacy for your participants.

The following guidelines should be addressed in your medical information collection and maintenance practices:

  • Only collect medical information that is necessary given the specifics of your program.
  • Dissemination of medical information should be determined by who should have access to certain information and guided by whether each person/role needs that information to discharge his/her responsibilities. There are two closely related concepts:
    • Need to Know – You should be able to clearly articulate why your specified staff roles need access to medical information, and what could go wrong if they did not have that information.
    • Minimum Necessary - You would also need to consider whether you need to disclose all the medical information or just part of it to each role. Functional information is the only information necessary. The actual name of the condition is not required for everyday precautions (e.g. restricted exercise versus a cardiac deformity).
  • Medical information should be collected using paper forms only. They should not be converted to electronic files, and data should not be transferred to an electronic database unless systems/servers storing the information have been thoroughly reviewed by information security officers and deemed secure.
  • Medical information documents should be reviewed by staff responsible for the care and welfare of program participants and kept in locked file drawers and binders which are in a secured office or location with limited access by specific senior personnel.
  • Be sure to address staff changes immediately with changes to your medical information management process if such staff changes make it necessary or prudent.
  • At the conclusion of your program, ensure that all medical information is destroyed. For paper documents, crosscut paper shredding is recommended. Electronic data should be removed from storage securely. Medical information should only be retained if an incident occurred making it necessary and/or prudent to keep information for future resolution of the incident. Such determinations should be made in consultation with Southern Utah University’s Risk Management Department. In such cases, only the relevant data should be retained.
  • Medical information or copies of medical information should then be submitted to SUU Risk Management Office.