Let us clear up some of the confusion!
There is a great deal of conflicting information about how long medical records must be retained. Providers can even fear discarding anything at all. Let us clear up some of the confusion!
According to current law, most healthcare providers are required to retain patient records for seven to ten years after a patient’s last visit. In the case of a minor patient, doctors must keep the record for at least 10 years following the final office visit or until the child is 19 years old, whichever is longer. Keep in mind that this rule may vary per your individual state law. For example, some states even say it’s the standard number of years past the last visit after the child has turned 18. If the last visit was when the child was 15, and the state law said records retention was 7 years, records for that child must be kept 10 years after that last appointment.
HIPAA Privacy Rules and Record Retention
There is often a bit of confusion regarding how HIPAA Privacy Rules come into play. Many providers are so consumed with being HIPAA compliant in this aspect, they neglect to take state guidelines into consideration. It is a mistake, as your state law is truly the determining factor here. HIPAA does not mention record retention time frames.
The following is from HHS.gov FAQ:
Does the HIPAA Privacy Rule require covered entities to keep patients’ medical records for any period of time?
No, the HIPAA Privacy Rule does not include medical record retention requirements. State laws generally govern how long medical records are to be retained. However, the HIPAA Privacy Rule does require that covered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy of medical records and other protected health information (PHI) for whatever period such information is maintained by a covered entity, including through disposal. See 45 CFR 164.530(c).
It is crucial to remember that where and how long you keep records on file is an important component of your compliance policy.
Suggestions for Retaining Records:
- Scan patient records into an electronic format. Don’t use EHR? No problem. Utilize paper files only for the most recent day-to-day use. Scan any completed episodes of care, along with any other records to a network drive, or other device that is backed up regularly.
- Periodically dispose of any archived or inactive patient files. We suggest scanning the entire file and then shredding it. Create and implement a policy that clearly indicates at what length of time a file should be considered inactive, scanned, and shredded. (Adhere to HIPAA guidelines for the disposal of PHI.)
- Exclude insurance information from patient files (such as EOBs). File these in a daily bundle style format with other important documents such as sign-in sheets, deposit tickets, daily EOB postings, credit card vouchers, etc. None of these items should be contained within the patient records. For the sake of saving space and organization purposes, this information should be filed by date, and periodically archived. You may opt to eventually scan and shred these as well.
A compliance policy that describes how you handle each aspect of the retention and destruction of patient records is a must have for every office. It should be included in your HIPAA and OIG Compliance Policy Manuals.
Dr. Colleen Auchenbach graduated with a Doctor of Chiropractic from Cleveland University Kansas City in December of 1998 and practiced for over 20 years. Her interest in Medical Compliance began when she earned the 100-hour Insurance Consultant/Peer Review certification from Logan University in 2015. She has been a certified Medical Compliance Specialist-Physician since 2016. In November 2020, Dr. Auchenbach joined the excellent team at KMC University as a Specialist and, as part of this dedicated team, is determined to bring you accurate, current, reliable information. You may reach her by email at email@example.com or by calling (855) 832-6562.
Comments on How Long Must I Retain Medical Records?