
How to Ensure Your Medical Records Retention Practices Are HIPAA Compliant

Learn how to retain and destroy medical records in compliance with HIPAA regulations.

Written by: Max Freedman, Senior Analyst. Updated Oct 02, 2024.
Sandra Mardenfeld, Senior Editor

Before electronic medical records (EMRs) digitized patient charts, physicians often ran out of physical storage space and had to destroy specific records. However, not even the best medical software has unlimited storage and memory, so the need to destroy records hasn’t entirely disappeared.

It’s crucial to understand that destruction practices that violate medical records retention laws are grounds for lawsuits. We’ll explain how your practice can retain and destroy medical records in compliance with existing laws.

What is medical records retention?

Medical records retention is the act of keeping your patient charts and other medical information on file. When you retain your records, you develop a track record of your treatment plans and quality of care. The latter is an important measure within value-based care models.

Proper medical records retention is advisable for successful long-term patient treatment. It’s also helpful when dealing with medical malpractice suits, licensing board complaints and medical billing audits. 

How long must medical records be retained?

Several factors determine the number of years for which you must retain medical records. 

Federal law

The following federal laws pertain to medical record retention:

  • The Centers for Medicare & Medicaid Services Hospital Conditions of Participation and Interpretive Guidelines: The federally funded Medicare and Medicaid programs are the largest payers in the United States. To keep your practice compliant with their regulations, you must retain all medical records for at least five years. Critical access hospitals must do so for six years.
  • Occupational Safety and Health Administration (OSHA) hazardous substance rules: Sometimes, medical personnel may be exposed to harmful agents, such as pathogens, on the job. If these agents significantly impact the well-being of a nurse, practitioner or other person involved in patient care, OSHA regulations take effect. OSHA mandates that you keep exposure records for 30 years.
  • Health Insurance Portability and Accountability Act (HIPAA) privacy regulations: Policies, procedures and disclosure accounting documents fall under the purview of the HIPAA Privacy Rule. According to these guidelines, you must retain these documents for six years.

State law

Most states have extensive regulations regarding retaining or destroying medical records. Consult experts in your state about these laws and how they affect your medical records retention. Below are a few examples of state medical records retention guidance:

  • California practitioners must retain certain medical records for at least 10 years.
  • New York practitioners must keep all medical records on file for at least six years. Additionally, any obstetric and pediatric records must be kept until the child in question turns 21 years old.
  • Texas practitioners must retain medical records for at least seven years. Additionally, pediatric records must be retained until the child reaches at least 21 years of age.

Case law

Case law is a subset of state law concerning medical malpractice suits. It determines how long after the state’s statutory period a patient may file suit if they discover that medical malpractice led to their current complaints. 

Case law exists because some injuries or conditions aren’t immediately obvious signs of medical malpractice, which means medical malpractice suits can sometimes be exempt from statutory limits. Confer with experts in your state to learn more.

Tip: Consult other practitioners and medical law experts in your area to determine which state and case laws govern the retention of your medical records.

Best practices for keeping and maintaining medical records

To keep your medical records retention in line with the guidance above, follow these best practices.

1. Know which types of information to record.

A patient’s medical records should include the following information:

  • Demographics
  • Reason for visit
  • Exams administered
  • Tests ordered
  • Exam and test findings
  • Diagnoses
  • Treatment plans
  • Prescriptions and medications

Retain any records that physicians and specialists outside your practice send you for your own use with a patient, according to the same retention time frames as your records. Additionally, keep your practice’s medical billing documents regarding the patient so you can track which services were performed and paid for.

2. Record and store information correctly.

Several medical recordkeeping dos and don’ts can ensure that your patient charts are readily usable for any future purposes. 

Do:

  • Keep your notes objective.
  • Timestamp your notes.
  • Indicate both informed consent and patient refusal or noncompliance.
  • Record timestamped entries for all patient encounters, phone calls and electronic communications.

Don’t:

  • Write illegibly. You can always use EMRs and medical speech-to-text tools to eliminate messy handwriting.
  • Use abbreviations or ambiguous language.
  • Use offensive words or try to make jokes.
  • Make alterations or delete old information without leaving a track record.
  • Store medical records at locations other than a medical office or warehouse. Residential medical record storage, including on computers, is not advised.

Did you know? Patient charts are crucial to successful outcomes. Accurate patient charts help practitioners avoid misdiagnosing patients or implementing ineffective treatment plans.

3. Prioritize confidentiality except when necessary exemptions arise.

In almost all cases, a patient’s written consent is required to share their medical records with other parties. Given this privacy concern, medical records retention is as much about keeping records on file as it is about securing them from unauthorized access. HIPAA-compliant EMRs come with safeguards that make connected medical device security seamless. 

In the U.S., limited exceptions exist to medical record sharing and confidentiality regulations. Some portions of U.S. law can allow the sharing of medical records without the patient’s consent if the following conditions are met:

  • When doing so is critical to treating an emergency
  • If they are pertinent to local, state or federal public health agency programs regarding substance abuse or HIV research

4. Make medical records accessible to patients.

Although your practice bears the burden of retaining medical records, all records belong to the patients named in them. So, set up your medical records to make patient access easy.

Medical software, such as EHR systems and medical practice management system (PMS) patient portals, streamlines this access. Note that you must comply with all patient requests to share their medical records with any parties they request.

Did you know? The terms EMR and EHR (electronic health record) are often used interchangeably. However, while EMRs are essentially digital patient charts, EHRs have additional functions like digital prescribing capabilities.

5. Destroy medical records appropriately.

Eventually, all medical records will exist long enough that you’re no longer required to keep them. In this case, follow destruction best practices, including the following:

  • Confirm that confidential information will remain private during the destruction process.
  • Hire a record destruction agency instead of doing it yourself.
  • Create a log of all destroyed records that lists the name of the patient and the date of destruction.

Medical record retention FAQs

Technically, patients own their EMRs. The practice remains responsible for storing them, but patients can demand access at any time. Patients can even demand you hand over their records without retaining copies.
If your practice closes, you can't just destroy your patient records and call it a day. After all, records belong to patients, not you. Notify your patients of your impending closure and inform them of their right to designate another practitioner to hold their records. Alternatively, you can release the patient's records directly to them.
Medical records and other sensitive documents go through a life cycle comprising three stages. The first stage is the document's creation, and the second and more involved stage is maintenance. During this stage, you may need to edit your medical records and move them to new locations within your top medical software. The third and final stage is the destruction of your medical records in compliance with HIPAA regulations.
Although state regulations may tell you the date after which you can destroy records you no longer need, many experts suggest retaining documents indefinitely. However, if you need to clear up storage space, delete only documents you've retained long after the final date permitted by law.
In almost all circumstances, doctors cannot refuse to release medical records when patients request them. Extremely limited exceptions may exist in certain states or localities, but it's best to assume that when a patient demands their records, you should hand them over. However, you don't have to release a patient's medical records to a third party unless you receive direct authorization from the patient. Getting the patient's explicit permission for record release is best. This way, you avoid breaching the patient's confidentiality and winding up with a lawsuit on your hands. After all, that's one of your biggest reasons for following medical records retention guidelines in the first place.