Madelyn Young contributed to this post
When I went for a recent annual checkup, my doctor came into the room carrying a tablet on top of a folder of paper records.
I asked about the paper files, and she said her medical practice keeps them and will rely on electronic health records going forward. This hybrid paper-past, digital-future approach didn’t seem very efficient. It also got me wondering about the shelf life of paper or electronic medical records.
Whether you’re still working with paper records or an EHR, you’re undoubtedly housing a huge amount of patient data. What can you toss, what must you keep, and what should you save for just a little while longer?
Read on to get the facts on EOB and medical record retention.
Keep it Simple – Keep EOBs Separate
Even though it usually ends up housed within a patient’s chart, the explanation of benefits form (EOB) is not technically part of the medical record. You’re not required to hang on to it very long.
“We only keep EOBs for three years,” says Ann Crutchfield, former practice administrator at Rehabilitation & Electrodiagnostics PA in Tampa, Florida. “A few years back we added a searchable scanner to our copier/printer, and all EOBs and other billing records are scanned. After 90 days, my billing staff destroys the originals. Less worries about how long to keep!”
Making EOB retention its own separate, seamless process remains a great strategy. When it comes to medical record retention, the answer to “How long to keep?” can get complicated.
Regulations & Record Retention
State law guides how long to keep medical records in most cases, but federal and other requirements come into play as well.
HIPAA and CMS criteria for medical record retention can vary. According to a CMS podcast, “HIPAA rules require a Medicare Fee-For-Service provider to retain required documentation for six years from the date of its creation or the date when it last was in effect, whichever is later. CMS requires that providers submitting cost reports retain all patient records for at least five years after the closure of the cost report. And if you’re a Medicare managed care program provider, CMS requires that you retain the patient records for 10 years.”
Therefore, many practices aim to save records and other protected health information (PHI) for 10 years to comply with these requirements.
Notable exceptions include:
- Caring for minors? State rules vary, but keep their records at least two years after they reach the “age of majority” (twenty in most states) or even longer.
- Treating a workplace injury? The Occupational Safety and Health Administration stipulates you hang on to medical records for at least the duration of the employee’s employment plus 30 years, although OSHA also includes a few exceptions.
- Treating veterans? Stash their charts for a long time – 75 years. If a patient was not mentally competent at the time of treatment, keep the records indefinitely.
- Lawsuit? Also save medical records indefinitely for any patient involved in litigation.
Clear, Purge or Destroy
Proper disposal of old data remains a great strategy to protect patient confidentiality. Destroy or delete old records past their retention deadline to reduce the risk of a security breach or HIPAA violation, even if you lock your server in a back room at your practice. Options to destroy PHI on electronic media include disintegration, pulverization, melting, incinerating, or shredding, according to HHS.
“The more data you push through the pipes, the more likely you’ll spring a leak somewhere,” Jason Straight said while managing director of Kroll’s Cyber Security and Information Assurance unit. “Document retention and data security are inextricably linked.”
There’s no reason to leave any patient information – especially data that’s unnecessary to keep – vulnerable to compromise. Another tip: keep documented records of all PHI destruction.
So comb through your old charts, dig through your electronic data and destroy what you no longer need to retain.