How to Ensure Your Medical Records Retention Practices Are HIPAA Compliant

What is medical records retention?

Medical records retention is the act of keeping your patient charts and other medical information on file. When you retain your records, you develop a track record of your treatment plans and quality of care. The latter is an important measure within value-based care models. 

Proper medical records retention is advisable for successful long-term patient treatment. It’s also helpful when dealing with medical malpractice suits, licensing board complaints and medical billing audits. 

How long must medical records be retained?

Several factors determine the number of years for which you must retain medical records. 

Federal law

The following federal laws pertain to medical record retention:

• The Centers for Medicare & Medicaid Services Hospital Conditions of Participation and Interpretive Guidelines: The federally funded Medicare and Medicaid programs are the largest payers in the United States. To keep your practice compliant with their regulations, you must retain all medical records for at least five years. Critical access hospitals must do so for six years.
• Occupational Safety and Health Administration (OSHA) hazardous substance rules: Sometimes, medical personnel may be exposed to harmful agents, such as pathogens on the job. If these agents significantly impact the well-being of a nurse, practitioner or other person involved in patient care, OSHA regulations take effect. OSHA mandates that you keep exposure records for 30 years.
• Health Insurance Portability and Accountability Act (HIPAA) privacy regulations. Policies, procedures and disclosure accounting documents fall under the purview of the HIPAA Privacy Rule. According to these guidelines, you must retain these documents for six years.

State law

Most states have extensive regulations regarding retaining or destroying medical records. Consult experts in your state about these laws and how they affect your medical records retention. Below are a few examples of state medical records retention guidance:

• California practitioners must retain certain medical records for at least 10 years.
• New York practitioners must keep all medical records on file for at least six years. Additionally, any obstetric and pediatric records must be kept until the child in question turns 21 years old.
• Texas practitioners must retain medical records for at least seven years. Additionally, pediatric records must be retained until the child reaches at least 21 years of age.

Case law

Case law is a subset of state law concerning medical malpractice suits. It determines how long after the state’s statutory period a patient may file suit if they discover that medical malpractice led to their current complaints. 

Case law exists because some injuries or conditions aren’t immediately obvious signs of medical malpractice, which means medical malpractice suits can sometimes be exempt from statutory limits. Confer with experts in your state to learn more.

Best practices for keeping and maintaining medical records

To keep your medical records retention in line with the guidance above, follow these best practices.

1. Know which types of information to record.

A patient’s medical records should include the following information:

• Demographics
• Reason for visit
• Exams administered
• Tests ordered
• Exam and test findings
• Diagnoses
• Treatment plans
• Prescriptions and medications

Retain any records that physicians and specialists outside your practice send you for your own use with a patient, according to the same retention time frames as your records. Additionally, keep your practice’s medical billing documents regarding the patient so you can track which services were performed and paid for.

2. Record and store information correctly.

Several medical recordkeeping dos and don’ts can ensure that your patient charts are readily usable for any future purposes. 

Do:

• Keep your notes objective.
• Timestamp your notes.
• Indicate both informed consent and patient refusal or noncompliance.
• Record timestamped entries for all patient encounters, phone calls and electronic communications.

Don’t:

• Write illegibly. You can always use EMRs and medical speech-to-text tools to eliminate messy handwriting.
• Use abbreviations or ambiguous language.
• Use offensive words or try to make jokes.
• Make alterations or delete old information without leaving a track record.
• Store medical records at locations other than a medical office or warehouse. Residential medical record storage, including on computers, is not advised.

3. Prioritize confidentiality except when necessary exemptions arise.

In almost all cases, a patient’s written consent is required to share their medical records with other parties. Given this privacy concern, medical records retention is as much about keeping records on file as it is about securing them from unauthorized access. HIPAA-compliant EMRs come with safeguards that make connected medical device security seamless. 

In the U.S., limited exceptions exist to medical record sharing and confidentiality regulations. Some portions of U.S. law can allow the sharing of medical records without the patient’s consent if the following conditions are met:

• When doing so is critical to treating an emergency
• If they are pertinent to local, state or federal public health agency programs regarding substance abuse or HIV research

4. Make medical records accessible to patients.

Although your practice bears the burden of retaining medical records, all records belong to the patients named in them. So, set up your medical records to make patient access easy.

Medical software, such as EHR systems and medical practice management system (PMS) patient portals, streamline this access. Note that you must comply with all patient requests to share their medical records with any parties they request.

5. Destroy medical records appropriately.

Eventually, all medical records will exist long enough that you’re no longer required to keep them. In this case, follow destruction best practices, including the following:

• Confirm that confidential information will remain private during the destruction process.
• Hire a record destruction agency instead of doing it yourself.
• Create a log of all destroyed records that lists the name of the patient and the date of destruction.