Medical and Dental Record Issues: Frequently Asked Questions

You must follow federal and state-specific laws, administrative code regulations, and guidelines. Failure to follow these requirements and guidelines may negatively affect your ability to defend yourself in a civil action or administrative investigation if an adverse event occurs.

Professional licensing boards, professional associations, and specialty societies may also be able to provide information on state statutes, administrative code provisions, policies, or recommendations on patient record retention.

If no federal or state statutory requirements exist and reference to secondary resources is not sufficiently instructive, The Doctors Company recommends the following:

• Adult patients: 10 years from the date the patient was last seen.
• Minor patients: 28 years from the patient’s birth.
• Deceased patients: Five years from the date of death.

For a more detailed discussion of record retention, see The Doctors Company’s article “Medical and Dental Record Retention.”

Yes. Regardless of the format, any and all data collected at the time of a patient encounter is part of the healthcare legal document. Retain computerized and physical 3D models used for surgical and dental treatment plans according to the same retention schedule.

Financial information, including medical and billing records, is part of the designated record set as defined by HIPAA (45 CFR § 164.501). Such materials are often requested by CMS as well as third-party private payers when auditing documentation submitted to request reimbursement. Financial information, which should be kept separate from patient care entries, is not part of the legal health record (a subset of the designated record set). Follow a consistent policy on what is released as part of the legal health record for all patients who request a copy of their medical or dental record. Healthcare providers should periodically review their internal policies and procedures to ensure that they are current and consistent with existing rules and regulations and third-party payer agreements.

It is recommended that you check with your business attorney or state professional licensing board for details regarding retention laws on billing and insurance records—especially as the laws may relate to Medicare or Medicaid patients. For example, CMS requires Medicare managed care providers to retain records for 10 years, and the Internal Revenue Service requires billing records to be retained for seven years.

Electronic messages play an important role in evaluating patient care and helping to achieve optimum clinical results. For these materials, The Doctors Company recommends the following:

• Document in the patient record all telephone calls and messages and email or text messages that pertain to patient care, and keep the documentation according to the above-referenced record retention guidelines.
• Keep patient scheduling records for one year.

Review, extract, and copy any information that might be needed from that record for accurate patient diagnosis or treatment. The retained information or documentation is then incorporated into the patient’s permanent office record. Be aware that keeping all of the patient’s records could make the healthcare professional inadvertently liable for information related to other specialties. If the information is not used for patient care, promptly and timely destroy it or return it to the source.

Any destruction method must maintain the confidentiality of the information, and the methodology must be consistently applied by the practice. The only safe methods for destroying paper records are incineration and shredding. A destruction method for electronic media must render the information unreadable. Professionals must be mindful that metadata can often be retrieved and reproduced for inspection by IT experts. Simply deleting the record is not sufficient. Use a reputable company to destroy paper and electronic information, models/casts, and equipment, such as computers and copiers. Keep a log of the records destroyed, when, and by whom.

Inactive records that have been kept for the required or recommended time may be thinned from the active patient cases. Take the following factors into consideration when arranging long-term storage:

• Privacy. Will the records be protected from unauthorized disclosures in a manner that is consistent with federal and state privacy laws?
• Safety. Will the records be physically secure and protected from fire, flood, or other damage, and from unauthorized access or theft?
• Accessibility. Will the records be easy to retrieve and copy?

Yes. The factors in the previous question on privacy, safety, and accessibility can also guide you on transferring records to an electronic format. Any protected health information (PHI) transferred or stored electronically must be encrypted. Back up computer data at regular intervals and store it offsite.

Yes, best practice is to perform a backup every evening to the cloud or to a separate server stored in another physical location. Establish a schedule and periodically assess the backup function to help ensure compliance with federal and state requirements. All PHI stored electronically must be encrypted. If you use an application service provider—where your data is stored by the EHR vendor and you access it online—confirm that your contract includes terms that guarantee your data will be available to you when you are ready to arrange for long-term storage or in connection with legal proceedings.

Yes. Copies of other healthcare practitioners’ records that are not directly related to your care, such as hospital records, may be purged because the originals will be maintained by the hospital. Keep records from other practitioners that are directly related to your care and are maintained as a regular part of your record for the same period that you retain your own records.

Yes. We suggest that you include the recommended retention time and access capability as part of your sales agreement. For more information, see The Doctors Company guide, Closing or Relocating a Healthcare Practice.

Yes, with the same conditions for retention and accessibility that prevail in a sale. It is reasonable to alert the patients in your active/current caseload—through individual letters or emails, electronic notification in the patient portal, reference on your website, or an advertisement in a publication of general circulation in the community—about your move, in order to give them ample opportunity to request a copy of their records.

No. The original documentation is the property of the healthcare professional, who has a legal duty to maintain the record. The patient should be given a copy upon written request, preferably using a HIPAA-compliant authorization signed by the patient or their legal representative. The practitioner should never relinquish custody of the original record.

The only time an active, original paper patient record should be out of an office is when it is required to be present in a judicial proceeding or pursuant to a lawful court order. Any access to electronic records while away from the office must be through an encrypted, HIPAA-compliant format.

You must first verify through your own records or from a certified death certificate issued by the appropriate public entity that the patient has expired. Then, ensure that the individual requesting the record is a qualified representative of the decedent’s estate (for example, the executor). The individual should provide a copy of an official document from the state as proof, and the record request should be in writing and signed by the individual acting as the estate’s qualified representative. Additionally, the person requesting the records should present proof of identity through a valid passport or government-issued REAL ID.