Posted by Team KMCU on Jul 20, 2022
There is a great deal of conflicting information about how long medical records must be retained. Some providers are so unsure of the rules that they fear discarding anything at all. Let us clear up some of the confusion!
Under most state laws, healthcare providers are required to retain adult patient records for seven to ten years after the patient’s last visit. For a minor patient, the common rule is to keep the record for at least 10 years following the final office visit or until the child turns 19, whichever is longer. Keep in mind that the details vary by state, so check your own state’s statute. For example, some states count the standard retention period from the date the child turns 18 rather than from the last visit. Under such a rule, if the last visit was when the child was 15 and the state’s standard period is 7 years, the record must be kept until 7 years after the 18th birthday, which is 10 years after that last appointment.
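The minor rule is where most retention mistakes happen, because two different conventions produce different dates and the stricter one always applies. The following Python is an added example, not code from the original post or from KMC University, that computes the earliest disposal date for a record under a configurable policy: it takes the later of every applicable deadline, so a stricter rule always wins. The default numbers (7 years for adults, 10 years or age 19 for minors, and the option to count from the 18th birthday instead) are assumptions for illustration; substitute the values from your own state’s statute.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class RetentionPolicy:
    """Retention parameters. Every default here is an assumption for illustration;
    look up the actual periods in your own state's records-retention statute."""
    adult_years: int = 7               # years after last visit for an adult patient
    minor_years: int = 10              # minimum years after last visit for a minor ...
    minor_until_age: int = 19          # ... or until the patient reaches this age, whichever is later
    count_from_majority: bool = False  # some states count adult_years from the 18th birthday instead
    age_of_majority: int = 18


@dataclass(frozen=True)
class Record:
    """A patient record as the retention check sees it (constructed sample data below)."""
    patient_id: str
    date_of_birth: date
    last_visit: date


def add_years(d: date, years: int) -> date:
    """Shift a date by whole years; Feb 29 rolls back to Feb 28 in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def age_on(dob: date, on: date) -> int:
    """Completed years of age on a given date."""
    years = on.year - dob.year
    if (on.month, on.day) < (dob.month, dob.day):
        years -= 1
    return years


def retention_end(last_visit: date, date_of_birth: date,
                  policy: RetentionPolicy = RetentionPolicy()) -> date:
    """Earliest date on which the record may be considered for disposal.

    Collects every deadline that applies and returns the latest one, so a record
    is never eligible for disposal while any applicable rule still requires it.
    """
    deadlines = [add_years(last_visit, policy.adult_years)]
    if age_on(date_of_birth, last_visit) < policy.age_of_majority:
        if policy.count_from_majority:
            # State counts the standard period from the 18th birthday.
            majority = add_years(date_of_birth, policy.age_of_majority)
            deadlines.append(add_years(majority, policy.adult_years))
        else:
            # Common rule: N years after the last visit, or until a given age.
            deadlines.append(add_years(last_visit, policy.minor_years))
            deadlines.append(add_years(date_of_birth, policy.minor_until_age))
    return max(deadlines)


def disposal_candidates(records, today: date,
                        policy: RetentionPolicy = RetentionPolicy()) -> list:
    """Records whose retention period has fully elapsed as of `today`.

    This is the list a 'scan, then shred' policy would review; it is not an
    instruction to delete anything automatically.
    """
    return [r for r in records if retention_end(r.last_visit, r.date_of_birth, policy) <= today]


# Constructed sample records (not real patients).
SAMPLE_RECORDS = [
    Record("adult-1", date(1980, 1, 1), date(2015, 9, 10)),   # adult: 7 years -> 2022-09-10
    Record("minor-1", date(2000, 6, 1), date(2015, 9, 10)),   # age 15 at last visit
    Record("infant-1", date(2015, 1, 1), date(2015, 3, 1)),   # age-19 rule dominates
]

if __name__ == "__main__":
    for r in SAMPLE_RECORDS:
        print(r.patient_id, "keep until", retention_end(r.last_visit, r.date_of_birth))
    print("eligible on 2026-01-01:",
          [r.patient_id for r in disposal_candidates(SAMPLE_RECORDS, date(2026, 1, 1))])
```

Run the same record through `RetentionPolicy(count_from_majority=True)` to see how the alternative state convention moves the date; for the 15-year-old above it lands on the 25th birthday, ten years after the visit, matching the worked example in the text.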
HIPAA Privacy Rules and Record Retention
There is often a bit of confusion regarding how the HIPAA Privacy Rule comes into play. Many providers are so consumed with being HIPAA compliant that they neglect to take state guidelines into consideration. That is a mistake, because state law is the determining factor here. HIPAA does not set a retention period for the medical record itself. HIPAA’s own retention requirement (six years from creation or from the date a document was last in effect, under 45 CFR 164.316(b)(2) and 164.530(j)) applies to HIPAA documentation: your policies and procedures, logs, risk analyses, and other compliance-related records.
The following is from HHS.gov FAQ:
Does the HIPAA Privacy Rule require covered entities to keep patients’ medical records for any period of time?
No, the HIPAA Privacy Rule does not include medical record retention requirements. State laws generally govern how long medical records are to be retained. However, the HIPAA Privacy Rule does require that covered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy of medical records and other protected health information (PHI) for whatever period such information is maintained by a covered entity, including through disposal. See 45 CFR 164.530(c).
It is crucial to remember that where and how long you keep records on file is an important component of your compliance policy.
Suggestions for Retaining Records:
- Scan patient records into an electronic format. Don’t use an EHR? No problem. Use paper files only for the most recent day-to-day work. Scan any completed episodes of care, along with any other records, to a network drive or other device that is encrypted and backed up regularly. The backups must be encrypted too, and access to both the live copy and the backups should be limited to staff who need it.
- Periodically dispose of archived or inactive patient files. We suggest scanning the entire file, confirming the scanned copy is complete and readable, and then shredding the paper. Create and implement a policy that clearly states after what length of time a file is considered inactive, scanned, and shredded, and record what was destroyed and when. (Adhere to HIPAA guidelines for the disposal of PHI.)
- Exclude insurance information (such as EOBs) from patient files. File these by day in a bundle with the other documents from that day, such as sign-in sheets, deposit tickets, daily EOB postings, and credit card vouchers. None of these items belong in the patient record. To save space and keep things organized, file this information by date and archive it periodically. You may opt to eventually scan and shred these as well.
A compliance policy that describes how you handle each aspect of the retention and destruction of patient records is a must have for every office. It should be included in your HIPAA and OIG Compliance Policy Manuals.
Jill Foote currently contracts with KMC University as a subject matter expert. She has developed a wide variety of curriculum for KMC University and has provided training to state associations and Chiropractic colleges in several states. As she worked with doctors on a national level in her previous employment as Senior Manager of Coding and Practice Management at the American Chiropractic Association, she saw a growing need for training in HIPAA compliance, especially as it relates to the IT world. She holds a certification as a HealthCare IT Specialist and is currently the owner of Easy Tech Compliance. Her ‘hands on’ yet practical approach to HIPAA implementation has resulted in establishing successful HIPAA compliant clinics as well as business associates, nationwide. You may reach her by email through info@kmcuniversity or by calling (855) 832-6562.