Because patient medical records communicate essential information to health care teams, including history, clinical findings, diagnostic test results, medications, diagnoses, treatment plans, and patient progress, it is important for medical practices to have formal policies and procedures to ensure records are properly maintained. The following provides general guidance for consideration.
What should be considered when creating a formal medical record retention policy?
- How long are medical records required to be maintained?
- How will medical records be maintained (onsite vs. offsite or paper vs. electronic)?
- Who will have the ultimate responsibility of overseeing medical record maintenance and destruction?
- How will protected health information (PHI) be maintained, including HIPAA considerations for medical record destruction?
- What are the specific requirements made by federal and state laws, and medical board requirements and rules, that apply to medical records? Regulations and laws for medical record retention vary from state to state, so it is important to understand your state’s requirements.
The American Medical Association outlines the need for proper maintenance of medical records in its Ethics Opinion 3.3.11
What medical records need to be retained?
Records related to medical care for patients including provider notes, diagnostic tests and results, medication lists, imaging (photos, X-rays, videos), specialty-specific information obtained for the care of a patient, and billing information should be retained. If the patient has provided medical records from other providers that are directly related to the care provided or have influenced any medical decision-making, these should also be maintained as part of the patient’s record.
What are COPIC’s general record retention recommendations?
COPIC recommends the retention of medical records for 10 years from the last date of service or 10 years after a minor patient reaches the age of majority, whichever is later. While the Privacy Rule under the Health Insurance Portability and Accountability Act (HIPAA) requires the protection of the decedent’s health information for 50 years, HIPAA defers to state law on how long the records must be retained.
How should medical records be destroyed?
Practices should implement a policy that applies the HIPAA Privacy and Security Rules to properly safeguard personal health information contained within medical records.2 The HIPAA Security Rule also requires covered entities to implement policies for the proper destruction of electronic or electronically stored personal health information.3
Medical records in paper form should be shredded so they are unreadable and unrecoverable; medical records stored electronically, either on a CD or similar medium, hard drive, or flash drive, should be overwritten, incinerated, pulverized, melted, shredded, or exposed to a strong magnetic field (for records maintained on a CD). It may be beneficial to engage with a company that specializes in medical record destruction to ensure full destruction and disposal. A Business Associate Agreement will be needed.
1https://code-medical-ethics.ama-assn.org/ethics-opinions/management-medical-records
2 45 CFR 164.310(d)(2)(i) and (ii)
3https://www.hhs.gov/hipaa/for-professionals/faq/575/what-does-hipaa-require-of-covered-entities-when-they-dispose-information/index.html
Article originally published in 3Q23 Copiscope.
