CMS Releases Record Retention Guidelines
A updated post on record retention with a simple record retention schedule can be found here.
State laws generally govern how long medical records are to be retained.
However, the Health Insurance Portability and Accountability Act (HIPAA) of 1996 administrative simplification rules require a covered entity, such as a physician billing Medicare, to retain required documentation for six years from the date of its creation or the date when it last was in effect, whichever is later. HIPAA requirements preempt State laws if they require shorter periods. Your State may require a longer retention period.
While the HIPAA Privacy Rule does not include medical record retention requirements, it does require that covered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy of medical records and other protected health information (PHI) for whatever period such information is maintained by a covered entity, including through disposal.
The Centers for Medicare & Medicaid Services (CMS) requires records of providers submitting cost reports to be retained in their original or legally reproduced form for a period of at least 5 years after the closure of the cost report.
CMS requires Medicare managed care program providers to retain records for 10 years.
Image via Wikipedia
Additional information:
- Providers/suppliers should maintain a medical record for each Medicare beneficiary that is their patient.
- Medical records must be accurately written, promptly completed, accessible, properly filed and retained.
- Using a system of author identification and record maintenance that ensures the integrity of the authentication and protects the security of all record entries is a good practice.
- The Medicare program does not have requirements for the media formats for medical records. However, the medical record needs to be in its original form or in a legally reproduced form, which may be electronic, so that medical records may be reviewed and audited by authorized entities.
- Providers must have a medical record system that ensures that the record may be accessed and retrieved promptly.
- Providers may want to obtain legal advice concerning record retention after CMS-required time periods.
Do these retention guidelines apply to the superbill? If the clinical information is documented in the medical record, is the superbill considered “billing records” or just and adminstrative tool which could be destroyed or perhaps kept for a shorter period of time.
Hi Martha,
Unfortunately, the superbill is an accounting record and should be kept for 7 years. However, if you have the capability, you can scan the superbills and destroy the paper copies.
Best wishes,
Mary Pat
Regarding the new 10 year record retention period, when does this go into effect and does this start at the initial visit of the patient or at the effective date of the law?
Hi Martha,
The new record retention is in effect now, and the records must be kept 6 years after the last time the patient was seen.
Best wishes,
Mary Pat
Thus, for a physican office, what distinguishes the “required documentation for six years from the date of its creation or the date when it last was in effect, whichever is later” with the latest 10 years mentioned in your last reply? Thanks!
Hi John,
You caught me in a mistake! You are correct – it is 6 years, not 10 as I previously stated. I’ve fixed that answer and I appreciate you bringing it to my attention.
Thank you & best wishes,
Mary Pat
Could you please clarify – according to Medicare, it’s okay for a physician office to destroy patient records after 6 years, unless the patient was part of a Medicare Advantage plan — at which point the record should be saved for 10 years instead? Thank you!
Hi Lisa,
Yes, this is confusing, isn’t it? My theory is that CMS wants the option to audit Medicare Advantage plans down the road. I think the best solution is to keep the records in electronic format indefinitely, and with off-site servers, price should never be a concern as most, if not all, cloud companies offer unlimited space for one monthly price.
Best wishes,
Mary Pat
So now I am really confused. Our state law says we must keep patient records for 7 years. Is it 6, or 10 years for Medicare that we must keep patient records from their last visit?
I know! So much just doesn’t make sense, does it? But state law does trump all.
Best wishes,
Mary Pat
Thanks for the good info. One question – what about a practice that has recently shut down? Are they under any obligation to keep records?
Hi Lindsey,
Physicians do have an ethical and legal responsibility to house the charts for a period of time following state law. The best situation is to get another physician to accept the charts, although this practice is losing favor fast. Most state medical boards will advise physicians to offer a copy of their records to patients before archiving them. It’s a good thing to get legal advice before doing anything!
Best wishes,
Mary Pat
I have been working on this for 6 months so here is what I know. The 10 year retention rule is for Medicare advantage providers (i.e. insurance companies)Section 422.504 e 4 relates to Medicare Advantage providers that offer access to Medicare insurance programs, not Medical providers. It also states the subcontractors for Medicare Advantage providers (those companies that a larger insurance company might subcontract to in areas they do not cover) must follow this same rule. BUT Medical providers are not insurance companies and must follow the federal law of 6 years, unless their state law overrides this. If you are signing insurance company amendments to retain records for 10 years, you are costing your company money that is unnecessary. The audit of records is the insurance company records, not medical records from a provider.
Thank you, Kathleen, for that clarification!
Best wishes,
Mary Pat
In regards to Insurance EOBs, how long is it required for those documents to be retained?
Thank you
Hi Denise,
The rule is 7 years, but you are not required to keep them in paper form if you have them archived electronically.
Best wishes,
Mary Pat
I would like to get clarification regarding regulation on how to file client’s informations and documents. Is it ok to file documents in different files? Let say: demographics, plan of care, and med profile in on chart; and 485 and communications in a separate file?
Hello Elfrida,
Any form that directly relates to the care a client receives should be located in one central place – the medical chart. Anything related to payment such as a 485 or or EOB or client statement should not be in the medical chart. For each, those documents should stored with all other billing documents after they are recorded in the billing system. If you can, scan all billing-related documents together by date, then shred the documents after 3 or 6 or 12 months, whatever your protocol dictates. A day’s work would include anything that was received and entered into the billing system for that day and is tied to your daily deposit. If you are concerned about finding the necessary billing documents if they are filed by date, rather than patient, make sure your document management program has the ability to search all documents by any information. Most document management systems (including the FileConnect, the system I use and sell to healthcare groups) have the ability to search in several ways.
Communication should be stored in the chart if it relates to care issues, and with the billing work if it relates to any patient financial issues.
I hope this helps, if you need more information, contact me at marypat@managemypractice.com.
Best wishes,
Mary Pat
If a patient request to see the billing forms cms1500, do I have to provide it? I always thought that is internal office paperwork, can you advice me please?
Thank you
Hi Ivana,
I am not sure why the patient would request to see the 1500 as it is essentially be all the same information as on their account statement – unless your patient statements do not disclose the service and diagnosis codes. I have known patients to request a completed claim form, then file the claim themselves and pocket the money. I have also known some patients to use the claim form for their medical reimbursement plan. There could be some innocent reasons and some not-so-innocent reasons.
I would ask the patient why they want the claim form, and based on their answer, make the decision whether or not to provide it. If it is the information they want, you can provide it in a statement format, or do a screen print for them. Most medical reimbursement plans will accept a printout of the day’s transaction. Also, I believe personal insurance (AFLAC, etc.) will accept a receipt from the physician’s office and does not require a 1500.
You do not have to provide the patient with a 1500 form, unless you are requiring full payment at time of service, and the patient will need to file their own claim. Most practices with this policy will file the claim for the patient and assign the benefits to the patient, but some may require the patient to mail the form themselves.
I hope this helps.
Best wishes,
Mary Pat
I have a question in regards to daysheets. How long do these have to be kept?
Hi Bonnie,
If daysheets are the document of origination for patient charges and payments (just like superbills), they must be kept for 7 years. You can, however, scan them and keep them electronically, shredding the paper copy after it has been scanned.
Great question!
Best wishes,
Mary Pat
does the six year retention rule also apply to
claims records Medicare creates?
Hi Ann,
I would archive (save the paper or scan the paper into electronic format) anything that refers to a payment Medicare made to a provider for 7 years. I am not familiar with the situation where a provider would have received claims records, but the minimum time to keep any record that has a financial purpose is 7 years. Any record with a clinical purpose is 10 years.
If this doesn’t answer your question, comment again or email me directly at marypat@managemypractice.com.
Best wishes,
Mary Pat
How long should you keep patient medical record after they have pass way?
Hi Val,
Check your state law first, as most states have their own requirements. The typical requirement is 10 years after the patient’s death, however some practices keep their records longer. If your state doesn’t have a requirement, I suggest defaulting to the 10-year rule. With electronic medical records, patient charts can be kept indefinitely if you so choose.
Best wishes,
Mary Pat
Hi Mary Pat!
Not sure if this is under your expertise, but if not, could you direct me?
I work in a cental NY Hospital in the Medical Records department. I also work closely with our “Forms Design Anaylist”. She does keep copies of all new “paper” medical record forms (over 1,000)that are created in the hospital as well as each revision etc. that is made to each form. She was told recently that ISO (international standards organization) requires that forms be kept for 6 years. Do you know of a law that requires that blank forms and their numerous revisions be kept for that long? Obviously, once the form is documented on then that of course makes it a medical record which we scan in as our “legal” medical record. Thanks for your help!
Hi Kathy,
This is a very good question. I am not an expert in ISO, but I looked it up and but here is a snippet from an ISO website that addresses this in part:
When a document is updated, a record must be kept of the change (the reasons for and nature of the change). In addition, current revision status must be maintained. This includes the current development stage (draft, review, approval, etc.) and the date or revision level (number or letter) identifying the current version of the document. .
Here’s where I found this: http://www.9000world.com/index.php?app=ccp0&ns=display&ref=isoarticle_documentcontrol
I hope this is helpful.
Best wishes,
Mary Pat
is a recorded conversation for appointments a medical record, and if so do you have to maintain recording 10 years?
Hi Dave,
I am not a lawyer so this is not legal advice, but I would not expect that recorded conversations would constitute part of the medical record, and thereby be required to be kept. If there is a particular conversation that you based a decision on – for instance a decision to dismiss a patient from the practice – I would suggest that be kept, but otherwise, no.
Great question!
Best wishes,
Mary Pat
If a physician is leaving a practice and has a large practice, can the original chart be given to the patient or new MD rather than copying the chart? Is a special release required? Thanks.
Ardy
Hi Ardy,
Before I respond, let me first say that it is always important to check for guidelines specific to your state.
I have always been taught that although the information belongs to the patient, the physical chart belongs to the physician. I have never heard of anyone giving the original chart to the patient, although with electronic medical records, you can give patient their records on a jump drive or a DVD. The standard protocol is to have the patient sign a release approving a copy of their record to go to their new doctor/the doctor leaving or to themselves. Some charge a copying fee, and in some cases the new physician/the doctor leaving pays for the copying.
Best wishes,
Mary Pat
I have a question…
For a “cloud-based” practice management system, if the practice changes companies and decide to go with another for XYZ reasons, does the previous practice management company have the right to deny the practice access that information? Isn’t that technically the practices information? Yes the practice technically has the superbills but the actual information billed and entered is housed in that program. Just wondering if anyone has encountered this before. I would greatly appreciate any feedback!
Thanks,
Jackie
Hi Jackie,
Most legitimate vendors will not withhold your data, but they may be not-so-helpful in assisting you in relocating the data. Your contract should be very specific about what your vendor will or will not do and what they will charge. Your new vendor should be able to help you get your data from your old vendor.
Best wishes,
Mary Pat
We are in the process of trying to clean up some papers we have stored. I was wondering if you could tell me how long does a ECS(Electronic Claims Submissions) Report need to be kept?
Hi Patti,
I suggest you keep them for 7 years.
If you can, I also suggest you start scanning these documents in and archiving them on the web. MMP FileConnect (a product I sell) is an affordable way to organize all practice paperwork easily for $75 a month. You can scan or move already-electronic documents over to a secure online location from your desktop. Contact me at marypat@managemypractice.com for more information.
Best wishes,
Mary Pat
Hi I was wondering if someone knows if a practice has to keep fast remit documents especially for Medicare or federally regulated payers. Fast remit documents are EOBs from our payers that are sent from our clearing house electronically for posting. These are payers that we are set up electronically with for EFT. In the old days we were told you had to keep the Medicare EOBS for a period of time. Now that we have them electronically though its not the official EOB as it comes out as a posting sheet, I am wondering if we are still obligated in this new EHR world to do so?
Thanks for any help on this. Sherry
Hi Sherry,
I recommend that electronic documents that you are posting from be electronically archived with other daily work – scanned paper EOBs, deposit slips, reconciliation sheets, etc. The only way you can audit your poster is by pulling the day’s work and matching it to what is in your billing system. Once you have archived your daily work, you can shred the paper copies in 3 months, 6 months, or at whatever interval you feel most comfortable.
Best wishes,
Mary Pat
Hi Mary,
I have a scenario that I Would like your input. You work for a 575 bed acute care level 1 research center, this hospital is also a teaching hospital that is connected to a university. The medical center brings in multimillions of dollars in grants each year. This facility’s maternity ward delivers the most babies in the city. They have an active heart surgery center.
There are 6 months of data in the new EHR. There are 2 years of paper on the self. The 2 years of paper records include the contents of the HER, since administration does not trust the HER yet. All records are maintained on microfilm. You have just run out of storage space. Because of this, you have been asked to evaluate the current retention policy, which is to retain records forever.
What should the minimum retention policy be based on?
What are your options?
which would you recommend and why?
Thanks
Rose
Hi Rose,
Here’s an interesting 2008 survey of 100 top wired hospitals and how long they retain medical records and in what form they retain them: http://www.ncbi.nlm.nih.gov/pmc/articles/PMC2430773/. The survey indicates that hospitals such as yours tend NOT to keep records indefinitely and typically elect to retain records for 10 or 20 years.
Personally, I think once you decide if you are going to limit how long you retain records, you should have the microfilm converted to digital and store everything on the cloud.
Best wishes with your project!
Mary Pat
Hi Mary,
What is the penalty for NOT retaining medical records?
Hi Bill,
If you do not retain a record and you are audited, you will not be able to substantiate that the service was provided and that could initiate a full-blown investigation that other payers could jump on.
If you are sued and you do not have the record to defend yourself, you can close the doors of the practice.
Best wishes,
Mary Pat
Hi Mary,
I am awaiting accredidation soon,and updating the Hipaa Privacy policy and procedure manuel. I don’t see that it has been revised since 2002. Is that right? Also, as a mastectomy fitter what is the fitter responsible for, in accredidation?
Thanks,
Jerilyn V
Hi Jerilyn,
You will need to update your manual with information on the privacy requirements of the HITECH Act if you have an EHR.
I’m sorry I can’t answer your question about accreditation, but maybe another reader can answer your question, or you can contact your specialty society.
Best wishes,
Mary Pat
When sending medical records due you send the superbill or just the electronic record?
Hi Missy,
Just the electronic record.
Best wishes,
Mary Pat
also can you send a corrected claim once the emr has been sealed and you realize the order of diagnosis is wrong?
Hi Missy,
Yes, you can send a corrected claim to reorganize the diagnoses.
Best wishes,
Mary Pat
Hello Mary,
I wanted to know the duration for which Payers (Health Insurance Companies) are suppose to retain documents & information pertaining to Claims, Prior Authorization, Member Enrollment, etc. Are there different retention mandates for the various types of information generated at the Payers?
Regards
Vijay
Hi Vijay,
You ask a great question and one that I do not know the answer to! I would call a payer and ask and they should be able to tell you.
Best wishes,
Mary Pat
Buyer beware! While docs are on the hook for electronic medical storage, EMR vendors don’t have to have an archivable storage ability. That means they can charge you a monthly license fee for 10 years if that’s the only way patients, insurers, government agencies or legal entities can access the complete patient record. If you do not keep the record you can be liable for “spoilage”. Make sure it’s explicitly spelled out in your EMR record two things: chart migration and archiving. You’ll save yourself a LOT of headaches down the road. This is another reason solo practitioners are a dying breed. Who can afford a decades long licensing fee unless you’re a large corporation?
Hi Kurt,
You makes some great points, but I beg to differ on medical record archiving.
Most, if not all EMR systems allow you to upload record copies to cloud storage, just as you can upload charts for chart audits to a secure server for the auditing firm to retrieve.
Practices can easily store medical records securely, then destroy them when they are no longer liable for them.
We are resellers for the only HIPAA-compliant (they sign a BAA) cloud product that allows practices to purge records to a file for any future need. Physicians do not need to pay licensing fees indefinitely if they are no longer using the product. Our program from Box.com costs $75/month for unlimited storage – it’s the best-kept secret around!
Best wishes,
Mary Pat