It is essential that health organizations comply with medical record retention laws both in their state and with any licensing agencies. Non-compliance can result in consequences, including fines and increased legal liability. By taking the time to create an effective medical record retention policy, you reduce the risk of non-compliance and secure protected health information (PHI) so it’s easily accessible as inquiries from patients, payers, auditors, law firms and other entities are fielded in years to come.
Here are some tips for helping to create a medical record retention policy:
- Determine how long you must retain medical records. While HIPAA requires health organizations to retain records for six years from the date of creation or the date the record was last in effect, some states and other agencies may require records to be retained for a longer period of time. Check your state requirements, as well as those of any accrediting agencies, for the impact on your organization. Note that Medicare managed care providers are required to retain records for ten years. Where health information retention and archiving requirements differ, follow the one that requires you to retain records for the longest period of time. A good resource for record retention guidelines is the American Health Information Management Association’s (AHIMA) recommendation for retention.
- Document your medical record retention and archiving policy. Documentation of the policy is important for both succession purposes and emergencies when the primary health information management staff is unavailable. Be sure to include the process by which medical records will be retained in your organization’s official policy (i.e., process for storing records in paper format as well as in scanned or discrete data element format). Sample medical records management and retention policies can be found in an online search.
- Evaluate options available for electronic medical record retention. Many health organizations opt to electronically archive scanned images and/or discrete health data elements from historical patient records. This usually involves a data extraction from a legacy health application and a migration of that data into a secure relational database. A typical health data archive includes a front-end user interface that allows easy access for viewing historical patient records. This is different from a backup of the historical data, which makes it more difficult to access information on demand. Electronic medical record retention into an archive is a great option when one hospital information system, electronic health record, practice management system or any other healthcare application containing PHI is replaced with another. Scanned paper documents may also be stored in such an archive. As it is essential to adhere to HIPAA regulations when archiving legacy electronic patient data, consider HIPAA data retention safeguards.
- Review your documented medical record retention policy with legal counsel. Due to the number of variables affecting the length of time a provider should keep a medical record, it is recommended that your retention policy be reviewed by legal counsel. An attorney will be able to validate federal and state laws as well as medical board and state association or agency policies. They may also offer guidance on policies regarding the destruction of records.
- Train your staff on the procedures for both retaining and accessing medical record data. Your retention strategy is only effective if the information is secure and the necessary personnel can quickly access the records when needed. Train all relevant employees on the process for accessing retained medical data and update the employee handbook with the guidelines for health information retention and archiving.
Is a documented medical record retention policy in place for your organization? If so, when was it last reviewed?