Quarter 1 2024 - Volume 29, ISSUE 1

During a session at the HBMA Fall Conference in Indianapolis, a question was asked about the Centers for Medicare & Medicaid (CMS) record retention requirements. This question led to additional conversation at the round table discussion regarding how long other records should be retained, including HIPAA-related records and medical records.

CMS Record Retention Requirements  

While the scope of records to be retained under CMS requirements is comprehensive, there are a few specific record retention requirements to consider:

• CMS requires certain records such as cost reports in their organically or legally reproduced form to be kept for at least five years after the closure of the cost report. 
• Medicare and/or Medicaid records related to program reimbursement must be kept for six years from the date of reimbursement or final determination of costs.
• Medicare Advantage Care program providers are required to maintain records for 10 years.

Types of records CMS requires to be retained include:

• Patient Records – medical histories, treatment plans, test results, prescriptions, and any other documentation related to patient care.
• Financial Records – billing records, payment information, cost reports, and any financial data related to services provided.
• Administrative Records – policies, procedures, contracts, and any other administrative materials that govern the operations of the healthcare provider.
• Compliance Documents – records related to compliance with regulations, certifications, accreditations, and any other regulatory documentation.

HIPAA-Related Records    

HIPAA outlines standards for the retention and secure handling of patient health information and specifies record retention requirements for HIPAA related records. HIPAA related records include:

• Policies and procedures
• Business Associate Agreements
• Authorizations
• Audit records
• Training records
• Breach notifications
• Security Risk Assessments
• Other HIPAA-related documentation

There is often confusion regarding medical records retention requirements; specifically, it is often cited as a HIPAA requirement. HIPAA does not address medical records requirements. According to the U.S Department of Health and Human Services (HHS):  

No, the HIPAA Privacy Rule does not include medical record retention requirements. Rather, State laws generally govern how long medical records are to be retained. However, the HIPAA Privacy Rule does require that covered entities (and business associates) apply appropriate administrative, technical, and physical safeguards to protect the privacy of medical records and other protected health information (PHI) for whatever period such information is maintained by a covered entity (or business associate), including through disposal.

There is also guidance stating that HIPAA requires medical records to be kept for seven years. While that requirement is not included in the HIPAA regulations, several states do have a seven-year minimum requirement.

Medical Records Retention

Each state has regulations that specify how long records are required to be retained. This can also vary based on entity type (e.g., physician practice vs hospital). HealthIT.gov has published a helpful resource titled, State Medical Records Laws: Minimum Medical Record Retention Periods for Records Held by Medical Doctors and Hospitals. Most states range from a five to 10 years minimum requirement; North Carolina has an 11-year minimum requirement.

• Five years: Alabama, Arkansas, Florida, Kentucky, Maryland, Nevada, Virginia
• Six years: New York, Washington
• Seven years: Arizona, California, Connecticut, Delaware, District of Columbia, Hawaii, Idaho, Indiana, Maine, Massachusetts, Michigan, Minnesota, Mississippi, New Jersey, Ohio, Oklahoma, Pennsylvania, South Dakota, Texas, Utah, Wisconsin
• 10 years: Colorado, Georgia, Illinois, Iowa, Kansas, Louisiana, Maine, Missouri, Montana, New Hampshire, New Mexico, North Dakota, Oregon, Rhode Island, South Carolina, Tennessee, Vermont, West Virginia, Wyoming
• 11 years: North Carolina    

Recommendations to Ensure Compliance  

It is important to consider what is the same and what is different among federal, states, and other agencies. Additionally, some healthcare facilities or professional bodies might have their own retention policies that exceed these minimum requirements for legal, ethical, or practical reasons. Be sure to consider the nature of the information, the patient’s age, the statute of limitations for medical malpractice lawsuits, and any other legal considerations when determining the retention period. To err on the side of caution, it is a good idea to start with the longest retention period (e.g., Medicare 10 years) and go from there.

Generally, retention requirements for electronic medical records (EMRs) are the same as for paper records. However, each has their own considerations. Information on paper is just as valuable to a bad actor as information in an electronic record. Therefore, both should be properly safeguarded. It is important to ensure the long-term confidentiality, integrity, and availability of electronic and paper records.

Finally, do not forget about the destruction of records. When it comes time to dispose of medical records and other confidential information, the records should be destroyed securely to ensure the privacy and confidentiality of the information being destroyed; for example, shredding paper records and purging electronic records.

Chad Schiffman joined Healthcare Compliance Pros (HCP) in 2014 as the director of compliance. He has more than 20 years combined experience in healthcare, information technology and compliance consulting services. Chad is primarily involved in consulting with healthcare clients about their HIPAA and HIPAA HITECH-related issues including breach determination, breach mitigation and corporate OIG and CMS compliance.