Medical Records Issues: Frequently Asked Questions
Richard F. Cahill, JD, Vice President and Associate General Counsel
How long should records be kept?
You must follow federal and state-specific guidelines or laws. If no federal or state statutory requirements apply, The Doctors Company recommends the following:
Adult patients, 10 years from the date the patient was last seen.
Minor patients, 28 years from the patient's birth.
Deceased patients, five years from the date of death.
State medical boards or associations may also be able to provide policies or recommendations on how long a physician should keep records. For example, the Colorado State Board of Medical Examiners Policy 40-07 recommends retaining medical records for a minimum of seven years after the last date of treatment for an adult and for seven years after a minor has reached the age of majority, or age 25. In California, the California Medical Association recommends that medical records be retained indefinitely or for at least 25 years after the patient’s last visit.
Does the medical record include financial information, such as billing and insurance data?
It is recommended that physicians check with their business attorneys or state medical boards for retention laws on billing and insurance records—especially as the laws may relate to Medicare or Medicaid patients.
How long should billing records, telephone calls/messages, and appointment books be kept?
The Doctors Company recommends the following:
Retain billing records for seven years, in accordance with Internal Revenue Service standards for all states. Billing records may be kept in a separate file.
Document in the medical record all telephone calls that pertain to medical care, and keep the documentation according to the above-referenced medical record retention guidelines.
Keep appointment books for one year.
If I obtain copies of medical records from a patient or another provider, am I required to maintain them?
The physician should review, extract, and copy any information that he or she might need from that record for patient diagnosis or treatment. The retained information or documentation then becomes part of the patient’s permanent office record. Be aware that if the physician keeps all of the patient’s medical records, he or she could be held liable for information related to other specialties. If the information is not used for patient care, it should be destroyed or returned to the source.
How should medical records and other associated media, such as photos, CDs, films, etc., be destroyed?
Any destruction method must maintain the confidentiality of the information. The only safe methods for destroying paper records are incineration or shredding. A destruction method for electronic media must render the information unreadable. Simply deleting the record is not sufficient. It is recommended that you use a reputable company for destruction of paper and electronic information and equipment, such as computers and copiers. Keep a log of the records destroyed.
Where can medical records be stored?
Inactive records may be thinned from the active patient cases. Take the following factors into consideration when making arrangements for long-term storage:
Privacy. Will the records be protected from unauthorized persons in a manner that is consistent with federal and state privacy laws?
Safety. Will the records be protected from fire or flood damage and from unauthorized access or theft?
Accessibility. Will the records be easy to retrieve and copy?
Can records be transferred to an electronic format?
Yes. The factors in the previous question can also guide you on transferring records to an electronic format. Any protected health information (PHI) transferred or stored electronically must be encrypted. Computer data should be backed up at regular intervals and stored offsite.
Is it sufficient to back up a copy of an electronic health record (EHR) onto a disk?
Yes. However, you should store a copy of the EHR software, along with the data itself, to make sure the records can be read in the future. Alternatively, you could save the data in PDF format so it can be read without special software. Regardless, all PHI stored electronically must be encrypted. If you use an application service provider—where your data is stored by the EHR vendor and you access it online—your contract should include terms that ensure your data will be available to you when you’re ready to make arrangements for long-term storage.
Can I thin and purge medical records prior to storage?
Yes. Copies of other healthcare providers’ medical records that are not directly related to your care, such as hospital records, can be purged because the originals will be maintained by the hospital. Records from other providers that are directly related to your care and are maintained as a regular part of your chart should be kept for the same period of time that you retain your own records.
Can I sell my records when I sell my practice?
Yes. We suggest that you include the recommended retention time and access capability as part of your sales agreement. For more information, see The Doctors Company guide, Closing or Relocating a Healthcare Practice.
If I move to another state, can I take my records with me?
Yes, with the same conditions for retention and accessibility that prevail in a sale. It might be reasonable to alert the patients in your active/current caseload of your move to give them an opportunity to request a copy of their medical records.
If a patient requests a copy before I move or close my practice, can I hand over the original record?
No. The original is the property of the physician, who has a duty to maintain the record.
Can a physician complete medical record documentation from home?
The only time an active, original paper medical record should be out of an office is when it is required to be present in a court of law. Any access to electronic records while away from the office must be through an encrypted, HIPAA-compliant format.
If someone claiming to be a representative of a deceased patient’s estate requests a copy of the chart, what should I do?
You must first verify through your own records or from a death certificate that the patient has expired. Then, ensure that the individual is a qualified representative of the decedent’s estate (for example, the executor). The individual should provide a copy of an official document from the state as proof.
The guidelines suggested here are not rules, do not constitute legal advice, and do not ensure a successful outcome. The ultimate decision regarding the appropriateness of any treatment must be made by each healthcare provider considering the circumstances of the individual situation and in accordance with the laws of the jurisdiction in which the care is rendered.