September 2018

Retaining Medical Records

HIPAA Privacy Rules, State Regulations, and You

There are certain topics for which HIPAA rulings and individual state guidelines seem to provide conflicting information. The timeline for retention of medical records is often mistakenly considered to be one of those topics, causing many providers to fear discarding anything at all. Let us clear up some of the confusion and set your mind at ease.

Current Guidelines

According to current law, most healthcare providers are required to retain patient records for seven to ten years after a patient's last visit. In the case of a minor patient, doctors must keep the record for at least 10 years following the final office visit or until the child is 19 years old, whichever is longer. Keep in mind that this rule may vary per your individual state law.

There is often a bit of confusion regarding how HIPAA Privacy Rules come into play. Many providers are so consumed with making certain they are HIPAA compliant in this aspect, they neglect to take state guidelines into consideration. This is a mistake, as your state law is truly the determining factor here. In fact, you may be surprised to learn that HIPAA does not have any requirements for the length of time records must be retained. See the following taken from

Does the HIPAA Privacy Rule require covered entities to keep patients’ medical records for any period of time?

No, the HIPAA Privacy Rule does not include medical record retention requirements. Rather, State laws generally govern how long medical records are to be retained. However, the HIPAA Privacy Rule does require that covered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy of medical records and other protected health information (PHI) for whatever period such information is maintained by a covered entity, including through disposal. See 45 CFR 164.530(c).

It is crucial to remember that where and how long you keep records on file is an important component of your compliance policy. Although HIPAA has no regulations in place for the length of time a record should be retained, it does require that you create policies and procedures covering the proper retention and destruction/disposal of records.

Suggestions for Retaining Records

Regardless of state or federal regulations, there are some malpractice carriers who will advise you to keep patient records indefinitely. This may seem overwhelming, especially if you have space constraints. See the following suggestions to assist with this dilemma:

  1. Scan patient records into an electronic format. Don't use an EHR? No problem. Use paper files only for the most recent day-to-day work. Scan any completed episodes of care, along with any other records, to a network drive or other device that is backed up regularly.
  2. Periodically dispose of any archived or inactive patient files. We suggest scanning the entire file and then shredding it. Be certain to create and implement a policy that clearly indicates after what length of time a file should be considered inactive, scanned, and shredded. (Adhere to HIPAA guidelines for the disposal of PHI.)
  3. Exclude insurance information (such as EOBs) from patient files. Instead, file these in a daily-bundle format together with other important documents such as sign-in sheets, deposit tickets, daily EOB postings, credit card vouchers, etc. None of these items should be kept within the patient records. To save space and keep things organized, file this information by date and archive it periodically. You may opt to eventually scan and shred these as well.

A compliance policy that describes how you handle each aspect of the retention and destruction of patient records is a must-have for every office. It should be included in your HIPAA or OIG Compliance Policy Manual. A sample policy template is available to get you started.
