Updated Oct 02, 2024
How to Ensure Your Medical Records Retention Practices Are HIPAA Compliant
Learn how to retain and destroy medical records in compliance with HIPAA regulations.
Written By: Max Freedman, Business Operations Insider and Senior Analyst
Editor Reviewed: Sandra Mardenfeld, Business Operations Insider and Senior Editor
Before electronic medical records (EMRs) digitized patient charts, physicians often ran out of physical storage space and had to destroy specific records. However, not even the best medical software has unlimited storage and memory, so the need to destroy records hasn’t entirely disappeared.
It’s crucial to understand that destruction practices that violate medical records retention laws are grounds for lawsuits. We’ll explain how your practice can retain and destroy medical records in compliance with existing laws.
What is medical records retention?
Medical records retention is the act of keeping your patient charts and other medical information on file. When you retain your records, you develop a track record of your treatment plans and quality of care. The latter is an important measure within value-based care models.
Proper medical records retention is advisable for successful long-term patient treatment. It’s also helpful when dealing with medical malpractice suits, licensing board complaints and medical billing audits.
How long must medical records be retained?
Several factors determine the number of years for which you must retain medical records.
Federal law
The following federal laws pertain to medical record retention:
The Centers for Medicare & Medicaid Services Hospital Conditions of Participation and Interpretive Guidelines: The federally funded Medicare and Medicaid programs are the largest payers in the United States. To keep your practice compliant with their regulations, you must retain all medical records for at least five years. Critical access hospitals must do so for six years.
Occupational Safety and Health Administration (OSHA) hazardous substance rules: Sometimes, medical personnel may be exposed to harmful agents, such as pathogens, on the job. If these agents significantly impact the well-being of a nurse, practitioner or other person involved in patient care, OSHA regulations take effect. OSHA mandates that you keep exposure records for 30 years.
Health Insurance Portability and Accountability Act (HIPAA) privacy regulations: Policies, procedures and disclosure accounting documents fall under the purview of the HIPAA Privacy Rule. According to these guidelines, you must retain these documents for six years.
State law
Most states have extensive regulations regarding retaining or destroying medical records. Consult experts in your state about these laws and how they affect your medical records retention. Below are a few examples of state medical records retention guidance:
California practitioners must retain certain medical records for at least 10 years.
New York practitioners must keep all medical records on file for at least six years. Additionally, any obstetric and pediatric records must be kept until the child in question turns 21 years old.
Texas practitioners must retain medical records for at least seven years. Additionally, pediatric records must be retained until the child reaches at least 21 years of age.
Case law
Case law is a subset of state law concerning medical malpractice suits. It determines how long after the state’s statutory period a patient may file suit if they discover that medical malpractice led to their current complaints.
Case law exists because some injuries or conditions aren’t immediately obvious signs of medical malpractice, which means medical malpractice suits can sometimes be exempt from statutory limits. Confer with experts in your state to learn more.
Tip
Consult other practitioners and medical law experts in your area to determine which state and case laws govern the retention of your medical records.
Best practices for keeping and maintaining medical records
To keep your medical records retention in line with the guidance above, follow these best practices.
1. Know which types of information to record.
A patient’s medical records should include the following information:
Retain any records that physicians and specialists outside your practice send you for your own use with a patient, according to the same retention time frames as your records. Additionally, keep your practice’s medical billing documents regarding the patient so you can track which services were performed and paid for.
2. Record and store information correctly.
Several medical recordkeeping dos and don’ts can ensure that your patient charts are readily usable for any future purposes.
Do:
Keep your notes objective.
Timestamp your notes.
Indicate both informed consent and patient refusal or noncompliance.
Record timestamped entries for all patient encounters, phone calls and electronic communications.
Don’t:
Write illegibly. You can always use EMRs and medical speech-to-text tools to eliminate messy handwriting.
Use abbreviations or ambiguous language.
Use offensive words or try to make jokes.
Make alterations or delete old information without leaving a track record.
Store medical records at locations other than a medical office or warehouse. Residential medical record storage, including on computers, is not advised.
Did You Know?
Patient charts are crucial to successful outcomes. Accurate patient charts help practitioners avoid misdiagnosing patients or implementing ineffective treatment plans.
3. Prioritize confidentiality except when necessary exemptions arise.
In almost all cases, a patient’s written consent is required to share their medical records with other parties. Given this privacy concern, medical records retention is as much about keeping records on file as it is about securing them from unauthorized access. HIPAA-compliant EMRs come with safeguards that make connected medical device security seamless.
In the U.S., limited exceptions exist to medical record sharing and confidentiality regulations. Some portions of U.S. law can allow the sharing of medical records without the patient’s consent if the following conditions are met:
When doing so is critical to treating an emergency
If they are pertinent to local, state or federal public health agency programs regarding substance abuse or HIV research
4. Make medical records accessible to patients.
Although your practice bears the burden of retaining medical records, all records belong to the patients named in them. So, set up your medical records to make patient access easy.
Medical software, such as EHR systems and medical practice management system (PMS) patient portals, streamlines this access. Note that you must comply with all patient requests to share their medical records with any parties they request.
Did You Know?
The terms EMR and EHR (electronic health record) are often used interchangeably. However, while EMRs are essentially digital patient charts, EHRs have additional functions like digital prescribing capabilities.
5. Destroy medical records appropriately.
Eventually, all medical records will exist long enough that you’re no longer required to keep them. In this case, follow destruction best practices, including the following:
Confirm that confidential information will remain private during the destruction process.
Hire a record destruction agency instead of doing it yourself.
Create a log of all destroyed records that lists the name of the patient and the date of destruction.
Medical record retention FAQs
Technically, patients own their EMRs. The practice remains responsible for storing them but patients can demand access at any time. Patients can even demand you hand over their records without retaining copies.
If your practice closes, you can't just destroy your patient records and call it a day. After all, records belong to patients, not you. Notify your patients of your impending closure and inform them of their right to designate another practitioner to hold their records. Alternatively, you can release the patient's records directly to them.
Medical records and other sensitive documents go through a life cycle comprising three stages. The first stage is the document's creation and the second and more involved stage is maintenance. During this stage, you may need to edit your medical records and move them to new locations within your top medical software. The third and final stage is the destruction of your medical records in compliance with HIPAA regulations.
Although state regulations may tell you the date after which you can destroy records you no longer need, many experts suggest retaining documents indefinitely. However, if you need to clear up storage space, delete only documents you've retained long after the final date permitted by law.
In almost all circumstances, doctors cannot refuse to release medical records when patients request them. Extremely limited exceptions may exist in certain states or localities, but it's best to assume that when a patient demands their records, you should hand them over.
However, you don't have to release a patient's medical records to a third party unless you receive direct authorization from the patient. Getting the patient's explicit permission for record release is best. This way, you avoid breaching the patient's confidentiality and winding up with a lawsuit on your hands. After all, that's one of your biggest reasons for following medical records retention guidelines in the first place.
Written By: Max Freedman, Business Operations Insider and Senior Analyst
Max Freedman has spent nearly a decade providing entrepreneurs and business operators with actionable advice they can use to launch and grow their businesses. Max has direct experience helping run a small business, performs hands-on reviews and has real-world experience with business technology.
At Business News Daily, Max covers accounting software, POS systems and digital payroll solutions, as well as leading medical software and text message marketing services.
Max has written hundreds of articles for Business News Daily on a range of valuable topics, including small business funding, time and attendance, marketing and human resources.