Medical Records Issues: Frequently Asked Questions

Richard F. Cahill, JD, Vice President and Associate General Counsel

You must follow federal and state-specific guidelines or laws. If no federal or state statutory requirements apply, The Doctors Company recommends the following:

  • Adult patients, 10 years from the date the patient was last seen.
  • Minor patients, 28 years from the patient's birth.
  • Deceased patients, five years from the date of death.

State medical boards or associations may also be able to provide policies or recommendations on how long a physician should keep records. For example, the Colorado State Board of Medical Examiners Policy 40-07 recommends retaining medical records for a minimum of seven years after the last date of treatment for an adult and for seven years after a minor has reached the age of majority, or age 25. In California, the California Medical Association recommends that medical records be retained indefinitely or for at least 25 years after the patient’s last visit.

For a more detailed discussion of record retention, see The Doctors Company article, “Medical Record Retention.”

Yes. Regardless of format, any and all data collected at the time of a patient encounter is part of the medical/legal document.

It is recommended that physicians check with their business attorneys or state medical boards for retention laws on billing and insurance records—especially as the laws may relate to Medicare or Medicaid patients.

The Doctors Company recommends the following:

  • Retain billing records for seven years, in accordance with Internal Revenue Service standards for all states. Billing records may be kept in a separate file.
  • Document in the medical record all telephone calls that pertain to medical care, and keep the documentation according to the above-referenced medical record retention guidelines.
  • Keep appointment books for one year.

The physician should review, extract, and copy any information that he or she might need from that record for patient diagnosis or treatment. The retained information or documentation then becomes part of the patient’s permanent office record. Be aware that if the physician keeps all of the patient’s medical records, he or she could be held liable for information related to other specialties. If the information is not used for patient care, it should be destroyed or returned to the source.

Any destruction method must maintain the confidentiality of the information. The only safe methods for destroying paper records are incineration or shredding. A destruction method for electronic media must render the information unreadable. Simply deleting the record is not sufficient. It is recommended that you use a reputable company for destruction of paper and electronic information and equipment, such as computers and copiers. Keep a log of the records destroyed.

Inactive records may be thinned from the active patient cases. Take the following factors into consideration when making arrangements for long-term storage:

  • Privacy. Will the records be protected from unauthorized persons in a manner that is consistent with federal and state privacy laws?
  • Safety. Will the records be protected from fire or flood damage and from unauthorized access or theft?
  • Accessibility. Will the records be easy to retrieve and copy?

Yes. The factors in the previous question can also guide you on transferring records to an electronic format. Any protected health information (PHI) transferred or stored electronically must be encrypted. Computer data should be backed up at regular intervals and stored offsite.

Yes. However, you should store a copy of the EHR software, along with the data itself, to make sure the records can be read in the future. Alternatively, you could save the data in PDF format so it can be read without special software. Regardless, all PHI stored electronically must be encrypted. If you use an application service provider—where your data is stored by the EHR vendor and you access it online—your contract should include terms that ensure your data will be available to you when you’re ready to make arrangements for long-term storage.

Yes. Copies of other healthcare providers’ medical records that are not directly related to your care, such as hospital records, can be purged because the originals will be maintained by the hospital. Records from other providers that are directly related to your care and are maintained as a regular part of your chart should be kept for the same period of time that you retain your own records.

Yes. We suggest that you include the recommended retention time and access capability as part of your sales agreement. For more information, see The Doctors Company guide, Closing or Relocating a Healthcare Practice.

Yes, with the same conditions for retention and accessibility that prevail in a sale. It might be reasonable to alert the patients in your active/current caseload of your move to give them an opportunity to request a copy of their medical records.

No. The original is the property of the physician, who has a duty to maintain the record.

The only time an active, original paper medical record should be out of an office is when it is required to be present in a court of law. Any access to electronic records while away from the office must be through an encrypted, HIPAA-compliant format.

You must first verify through your own records or from a death certificate that the patient has expired. Then, ensure that the individual is a qualified representative of the decedent’s estate (for example, the executor). The individual should provide a copy of an official document from the state as proof.

The guidelines suggested here are not rules, do not constitute legal advice, and do not ensure a successful outcome. The ultimate decision regarding the appropriateness of any treatment must be made by each healthcare provider considering the circumstances of the individual situation and in accordance with the laws of the jurisdiction in which the care is rendered.

J12396 05/20