What Is a Legal Health Record? Definition & Key Uses

A legal health record (LHR) is the formal set of documents a healthcare organization designates as its official business record of patient care. It is the record that gets released when someone submits a valid request, whether that’s a patient asking for their own files, an attorney issuing a subpoena, or an insurer reviewing a claim. The key distinction: it is not everything stored in a hospital’s computer systems. It is a defined subset of patient data that the organization has specifically identified as its official account of what happened during care.

How It Differs From an Electronic Health Record

This is the most common point of confusion. Many people assume that the electronic health record (EHR) and the legal health record are the same thing. They are not. The EHR is a massive data store, a digital warehouse containing every piece of patient-specific information a system captures. That includes clinical notes, lab results, billing codes, system-generated alerts, duplicate entries, preliminary drafts, and data pulled in from outside organizations.

The legal health record is a curated portion of that warehouse. It contains only the documentation the organization recognizes as its primary record of direct patient care provided in its own facilities. Think of the EHR as every file on your computer, and the LHR as the specific folder you’d hand over if a court asked for your business records. Each healthcare organization decides exactly what falls inside that folder, which is why LHR definitions can vary from one hospital to the next.

There is also a third category worth knowing: Other Patient Specific Information (OPSI). This is the large, diverse set of data sitting in the EHR that does not qualify as part of the legal health record or the HIPAA-defined designated record set. It exists in the system but lives outside the official boundaries of the LHR.

What the Legal Health Record Typically Contains

Because each organization defines its own LHR through internal policy, the exact contents vary. However, most legal health records include the core documentation of direct patient care: admission records, discharge summaries, physician orders, progress notes, operative reports, nursing assessments, medication administration records, diagnostic test results, pathology and radiology reports, consent forms, and advance directives.

What typically stays out of the LHR is just as important. Draft documents, personal clinician notes not filed to the chart, peer review materials, incident reports, and data generated purely for administrative or quality-improvement purposes are generally excluded. These items may still exist in the EHR, and they may still be discoverable through legal channels, but they are not part of the organization’s official business record of care.

Why Organizations Must Define It

Every hospital and health system needs a written policy that spells out exactly what its legal health record includes. This is not optional housekeeping. Federal regulations require hospitals to maintain a medical record for each inpatient and outpatient that is accurately written, promptly completed, properly filed, and accessible. The system must use author identification and record maintenance practices that ensure the integrity and security of every entry.

Without a clear LHR definition, an organization has no consistent answer when a court order, subpoena, or patient request arrives asking for “the medical record.” Staff wouldn’t know which documents to release, which to withhold, and which fall into a gray area. The policy removes that ambiguity. It also assigns responsibility: the health information management (HIM) professional serves as the custodian of the legal health record, overseeing collection, protection, and archiving, while IT staff manage the technical infrastructure underneath.

How It Functions in Court

When a medical record enters a legal proceeding, it stops being a clinical document and becomes evidence. This happens in personal injury claims, malpractice suits, insurance disputes, criminal cases, and administrative hearings. In a courtroom, the record serves as the factual foundation for arguments, expert testimony, and judicial decisions.

For records to be admissible, they must meet several standards. First, they need to be verifiably authentic. Courts typically accept a business records certification or an affidavit from the custodian of records confirming when and how the documents were created and maintained. A documented chain of custody is critical, especially when multiple parties have handled the files. Second, the records need to be complete, relevant, and well-organized. The most common problems courts encounter are incomplete files, mismatched dates, and inclusion of confidential details unrelated to the case at hand.

Best practice calls for organizing records chronologically from earliest to most recent, paginating every page, adding clear section headings for different document types, and creating an index or table of contents for larger files. In some jurisdictions, disorganized records can actually be rejected as evidence. Legal teams also review records before production to confirm that authentication requirements are met and that sensitive information unrelated to the case has been redacted.

The Role of Metadata and Audit Trails

Electronic records carry a layer of invisible data that paper charts never had: metadata. An audit trail tracks who accessed a patient’s record, when they accessed it, from where, and sometimes why. This background data can make or break a malpractice case because it reveals whether a note was written in real time or added after the fact, whether a critical lab result was viewed before a clinical decision, and whether records were altered.

Metadata is increasingly treated as discoverable evidence that organizations are obligated to preserve and produce. Even if metadata is not formally included in an organization’s LHR definition, attorneys can request it, and courts can compel its release. As one legal expert put it, it is no longer enough to defend just the medical record. You must also defend the metadata. This reality makes accurate, timely documentation more important than ever, because the system is quietly recording proof of exactly when and how every entry was made.
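
The three questions an audit trail can answer (was a note written late, was a signed entry altered, was a result viewed before a decision) can be checked mechanically. The Python example below is added here and is not from the original article; the audit rows are constructed, and the field names, user names and 24-hour threshold are assumptions, since real EHR audit exports use vendor-specific schemas.

```python
from datetime import datetime, timedelta

# Constructed audit-trail rows; field names are assumed, real EHR exports differ.
AUDIT = [
    {"ts": "2024-03-01T08:05", "user": "rn_lee",  "action": "CREATE", "obj": "note-1", "service_ts": "2024-03-01T08:00"},
    {"ts": "2024-03-01T08:10", "user": "rn_lee",  "action": "SIGN",   "obj": "note-1"},
    {"ts": "2024-03-01T09:30", "user": "lab_sys", "action": "CREATE", "obj": "lab-7"},
    {"ts": "2024-03-01T11:45", "user": "dr_shah", "action": "VIEW",   "obj": "lab-7"},
    {"ts": "2024-03-04T16:20", "user": "dr_shah", "action": "CREATE", "obj": "note-2", "service_ts": "2024-03-01T10:00"},
    {"ts": "2024-03-04T16:25", "user": "dr_shah", "action": "SIGN",   "obj": "note-2"},
    {"ts": "2024-03-09T13:00", "user": "dr_shah", "action": "MODIFY", "obj": "note-1"},
]

def _t(s):
    return datetime.fromisoformat(s)

def late_entries(events, max_delay=timedelta(hours=24)):
    """Notes created more than max_delay after the care they document."""
    return [(e["obj"], _t(e["ts"]) - _t(e["service_ts"]))
            for e in events
            if e["action"] == "CREATE" and "service_ts" in e
            and _t(e["ts"]) - _t(e["service_ts"]) > max_delay]

def modified_after_signing(events):
    """Objects with a MODIFY event logged after their first SIGN event."""
    signed, flagged = {}, []
    for e in sorted(events, key=lambda e: _t(e["ts"])):
        if e["action"] == "SIGN":
            signed.setdefault(e["obj"], _t(e["ts"]))
        elif e["action"] == "MODIFY" and e["obj"] in signed:
            flagged.append((e["obj"], e["user"], e["ts"]))
    return flagged

def viewed_before(events, obj, user, decision_ts):
    """True if `user` has a VIEW of `obj` logged before the decision time."""
    return any(e["action"] == "VIEW" and e["obj"] == obj and e["user"] == user
               and _t(e["ts"]) < _t(decision_ts) for e in events)

if __name__ == "__main__":
    print(late_entries(AUDIT))            # note-2, written three days after care
    print(modified_after_signing(AUDIT))  # note-1, changed after it was signed
    print(viewed_before(AUDIT, "lab-7", "dr_shah", "2024-03-01T10:00"))
```

A flag from any of these checks is a prompt for review, not proof of misconduct: late entries and addenda are often legitimate when they are labelled as such in the chart.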

The Designated Record Set Under HIPAA

The legal health record and the HIPAA designated record set (DRS) overlap but are not identical concepts. The designated record set is defined by federal privacy law and includes the medical records and billing records a covered entity uses to make decisions about individuals, plus enrollment, payment, and claims records held by a health plan. It is the set of records a patient has the right to access and request amendments to under HIPAA.

The LHR, by contrast, is defined by each organization and serves as its official business record for release purposes. In practice, the LHR is often a subset of the designated record set. And both are subsets of the full EHR. Understanding these layers matters because a patient requesting their records under HIPAA may be entitled to see designated record set content that goes beyond what the organization considers its legal health record, while certain data in the EHR (like peer review documents) may fall outside both categories entirely.

Retention Requirements

Federal regulations require hospitals to retain medical records in their original or legally reproduced form for a minimum of five years. However, this is a floor, not a ceiling. Many states impose longer retention periods, sometimes 7 to 10 years from the last date of service, and records for minors often must be kept until the patient reaches adulthood plus an additional number of years. Organizations generally follow whichever requirement, federal or state, demands the longer retention period.

For practical purposes, many health systems retain records well beyond the legal minimum, partly because electronic storage costs have dropped and partly because malpractice claims can surface years after care was provided. The record’s integrity over that entire retention period, including author identification, security protections, and accessibility, is the organization’s ongoing responsibility.