CMS Releases Record Retention Guidelines


A updated post on record retention with a simple record retention schedule can be found here.

State laws generally govern how long medical records are to be retained.

However, the Health Insurance Portability and Accountability Act (HIPAA) of 1996  administrative simplification rules require a covered entity, such as a physician billing Medicare, to retain required documentation for six years from the date of its creation or the date when it last was in effect, whichever is later. HIPAA requirements preempt State laws if they require shorter periods. Your State may require a longer retention period.

While the HIPAA Privacy Rule does not include medical record retention requirements, it does require that covered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy of medical records and other protected health information (PHI) for whatever period such information is maintained by a covered entity, including through disposal.

The Centers for Medicare & Medicaid Services (CMS) requires records of providers submitting cost reports to be retained in their original or legally reproduced form for a period of at least 5 years after the closure of the cost report.

CMS requires Medicare managed care program providers to retain records for 10 years.

A medical record folder being pulled from the ...

Image via Wikipedia

Additional information:

  1. Providers/suppliers should maintain a medical record for each Medicare beneficiary that is their patient.
  2. Medical records must be accurately written, promptly completed, accessible, properly filed and retained.
  3. Using a system of author identification and record maintenance that ensures the integrity of the authentication and protects the security of all record entries is a good practice.
  4. The Medicare program does not have requirements for the media formats for medical records. However, the medical record needs to be in its original form or in a legally reproduced form, which may be electronic, so that medical records may be reviewed and audited by authorized entities.
  5. Providers must have a medical record system that ensures that the record may be accessed and retrieved promptly.
  6. Providers may want to obtain legal advice concerning record retention after CMS-required time periods.
Enhanced by Zemanta

Posted in: Electronic Medical Records, Medicare & Reimbursement

Leave a Comment (53) ↓


  1. Martha Lampley August 20, 2010

    Do these retention guidelines apply to the superbill? If the clinical information is documented in the medical record, is the superbill considered “billing records” or just and adminstrative tool which could be destroyed or perhaps kept for a shorter period of time.

    • Mary Pat Whaley August 21, 2010

      Hi Martha,

      Unfortunately, the superbill is an accounting record and should be kept for 7 years. However, if you have the capability, you can scan the superbills and destroy the paper copies.

      Best wishes,

      Mary Pat

  2. Martha Green December 8, 2010

    Regarding the new 10 year record retention period, when does this go into effect and does this start at the initial visit of the patient or at the effective date of the law?

    • Mary Pat Whaley December 8, 2010

      Hi Martha,

      The new record retention is in effect now, and the records must be kept 6 years after the last time the patient was seen.

      Best wishes,

      Mary Pat

  3. John Pruitt December 10, 2010

    Thus, for a physican office, what distinguishes the “required documentation for six years from the date of its creation or the date when it last was in effect, whichever is later” with the latest 10 years mentioned in your last reply? Thanks!

    • Mary Pat Whaley December 13, 2010

      Hi John,

      You caught me in a mistake! You are correct – it is 6 years, not 10 as I previously stated. I’ve fixed that answer and I appreciate you bringing it to my attention.

      Thank you & best wishes,

      Mary Pat

  4. Lisa January 21, 2011

    Could you please clarify – according to Medicare, it’s okay for a physician office to destroy patient records after 6 years, unless the patient was part of a Medicare Advantage plan — at which point the record should be saved for 10 years instead? Thank you!

    • Mary Pat Whaley January 25, 2011

      Hi Lisa,

      Yes, this is confusing, isn’t it? My theory is that CMS wants the option to audit Medicare Advantage plans down the road. I think the best solution is to keep the records in electronic format indefinitely, and with off-site servers, price should never be a concern as most, if not all, cloud companies offer unlimited space for one monthly price.

      Best wishes,

      Mary Pat

  5. judy depalma February 25, 2011

    So now I am really confused. Our state law says we must keep patient records for 7 years. Is it 6, or 10 years for Medicare that we must keep patient records from their last visit?

    • Mary Pat Whaley February 28, 2011

      I know! So much just doesn’t make sense, does it? But state law does trump all.

      Best wishes,

      Mary Pat

  6. lindsey March 11, 2011

    Thanks for the good info. One question – what about a practice that has recently shut down? Are they under any obligation to keep records?

    • Mary Pat Whaley March 14, 2011

      Hi Lindsey,

      Physicians do have an ethical and legal responsibility to house the charts for a period of time following state law. The best situation is to get another physician to accept the charts, although this practice is losing favor fast. Most state medical boards will advise physicians to offer a copy of their records to patients before archiving them. It’s a good thing to get legal advice before doing anything!

      Best wishes,

      Mary Pat

  7. Kathleen Miller April 26, 2011

    I have been working on this for 6 months so here is what I know. The 10 year retention rule is for Medicare advantage providers (i.e. insurance companies)Section 422.504 e 4 relates to Medicare Advantage providers that offer access to Medicare insurance programs, not Medical providers. It also states the subcontractors for Medicare Advantage providers (those companies that a larger insurance company might subcontract to in areas they do not cover) must follow this same rule. BUT Medical providers are not insurance companies and must follow the federal law of 6 years, unless their state law overrides this. If you are signing insurance company amendments to retain records for 10 years, you are costing your company money that is unnecessary. The audit of records is the insurance company records, not medical records from a provider.

    • Mary Pat Whaley April 26, 2011

      Thank you, Kathleen, for that clarification!

      Best wishes,

      Mary Pat

  8. Denise Gilley May 24, 2011

    In regards to Insurance EOBs, how long is it required for those documents to be retained?

    Thank you

    • Mary Pat Whaley May 24, 2011

      Hi Denise,

      The rule is 7 years, but you are not required to keep them in paper form if you have them archived electronically.

      Best wishes,

      Mary Pat

  9. Elfrida Ruber July 8, 2011

    I would like to get clarification regarding regulation on how to file client’s informations and documents. Is it ok to file documents in different files? Let say: demographics, plan of care, and med profile in on chart; and 485 and communications in a separate file?

    • Mary Pat Whaley July 11, 2011

      Hello Elfrida,

      Any form that directly relates to the care a client receives should be located in one central place – the medical chart. Anything related to payment such as a 485 or or EOB or client statement should not be in the medical chart. For each, those documents should stored with all other billing documents after they are recorded in the billing system. If you can, scan all billing-related documents together by date, then shred the documents after 3 or 6 or 12 months, whatever your protocol dictates. A day’s work would include anything that was received and entered into the billing system for that day and is tied to your daily deposit. If you are concerned about finding the necessary billing documents if they are filed by date, rather than patient, make sure your document management program has the ability to search all documents by any information. Most document management systems (including the FileConnect, the system I use and sell to healthcare groups) have the ability to search in several ways.

      Communication should be stored in the chart if it relates to care issues, and with the billing work if it relates to any patient financial issues.

      I hope this helps, if you need more information, contact me at

      Best wishes,

      Mary Pat

  10. Ivana H. July 28, 2011

    If a patient request to see the billing forms cms1500, do I have to provide it? I always thought that is internal office paperwork, can you advice me please?
    Thank you

    • Mary Pat Whaley July 29, 2011

      Hi Ivana,

      I am not sure why the patient would request to see the 1500 as it is essentially be all the same information as on their account statement – unless your patient statements do not disclose the service and diagnosis codes. I have known patients to request a completed claim form, then file the claim themselves and pocket the money. I have also known some patients to use the claim form for their medical reimbursement plan. There could be some innocent reasons and some not-so-innocent reasons.

      I would ask the patient why they want the claim form, and based on their answer, make the decision whether or not to provide it. If it is the information they want, you can provide it in a statement format, or do a screen print for them. Most medical reimbursement plans will accept a printout of the day’s transaction. Also, I believe personal insurance (AFLAC, etc.) will accept a receipt from the physician’s office and does not require a 1500.

      You do not have to provide the patient with a 1500 form, unless you are requiring full payment at time of service, and the patient will need to file their own claim. Most practices with this policy will file the claim for the patient and assign the benefits to the patient, but some may require the patient to mail the form themselves.

      I hope this helps.

      Best wishes,

      Mary Pat

  11. Bonnie Mote August 16, 2011

    I have a question in regards to daysheets. How long do these have to be kept?

    • Mary Pat Whaley August 18, 2011

      Hi Bonnie,

      If daysheets are the document of origination for patient charges and payments (just like superbills), they must be kept for 7 years. You can, however, scan them and keep them electronically, shredding the paper copy after it has been scanned.

      Great question!

      Best wishes,

      Mary Pat

  12. ann walton August 19, 2011

    does the six year retention rule also apply to
    claims records Medicare creates?

    • Mary Pat Whaley August 20, 2011

      Hi Ann,

      I would archive (save the paper or scan the paper into electronic format) anything that refers to a payment Medicare made to a provider for 7 years. I am not familiar with the situation where a provider would have received claims records, but the minimum time to keep any record that has a financial purpose is 7 years. Any record with a clinical purpose is 10 years.

      If this doesn’t answer your question, comment again or email me directly at

      Best wishes,

      Mary Pat

  13. val kittel September 6, 2011

    How long should you keep patient medical record after they have pass way?

    • Mary Pat Whaley September 6, 2011

      Hi Val,

      Check your state law first, as most states have their own requirements. The typical requirement is 10 years after the patient’s death, however some practices keep their records longer. If your state doesn’t have a requirement, I suggest defaulting to the 10-year rule. With electronic medical records, patient charts can be kept indefinitely if you so choose.

      Best wishes,

      Mary Pat

  14. Kathy Findley September 8, 2011

    Hi Mary Pat!
    Not sure if this is under your expertise, but if not, could you direct me?
    I work in a cental NY Hospital in the Medical Records department. I also work closely with our “Forms Design Anaylist”. She does keep copies of all new “paper” medical record forms (over 1,000)that are created in the hospital as well as each revision etc. that is made to each form. She was told recently that ISO (international standards organization) requires that forms be kept for 6 years. Do you know of a law that requires that blank forms and their numerous revisions be kept for that long? Obviously, once the form is documented on then that of course makes it a medical record which we scan in as our “legal” medical record. Thanks for your help!

    • Mary Pat Whaley September 9, 2011

      Hi Kathy,

      This is a very good question. I am not an expert in ISO, but I looked it up and but here is a snippet from an ISO website that addresses this in part:

      When a document is updated, a record must be kept of the change (the reasons for and nature of the change). In addition, current revision status must be maintained. This includes the current development stage (draft, review, approval, etc.) and the date or revision level (number or letter) identifying the current version of the document. .

      Here’s where I found this:

      I hope this is helpful.

      Best wishes,

      Mary Pat

  15. Dave Mabar September 8, 2011

    is a recorded conversation for appointments a medical record, and if so do you have to maintain recording 10 years?

    • Mary Pat Whaley September 9, 2011

      Hi Dave,

      I am not a lawyer so this is not legal advice, but I would not expect that recorded conversations would constitute part of the medical record, and thereby be required to be kept. If there is a particular conversation that you based a decision on – for instance a decision to dismiss a patient from the practice – I would suggest that be kept, but otherwise, no.

      Great question!

      Best wishes,

      Mary Pat

  16. Ardy Martini September 27, 2011

    If a physician is leaving a practice and has a large practice, can the original chart be given to the patient or new MD rather than copying the chart? Is a special release required? Thanks.


    • Mary Pat Whaley September 27, 2011

      Hi Ardy,

      Before I respond, let me first say that it is always important to check for guidelines specific to your state.

      I have always been taught that although the information belongs to the patient, the physical chart belongs to the physician. I have never heard of anyone giving the original chart to the patient, although with electronic medical records, you can give patient their records on a jump drive or a DVD. The standard protocol is to have the patient sign a release approving a copy of their record to go to their new doctor/the doctor leaving or to themselves. Some charge a copying fee, and in some cases the new physician/the doctor leaving pays for the copying.

      Best wishes,

      Mary Pat

  17. Jackie Diaz October 5, 2011

    I have a question…
    For a “cloud-based” practice management system, if the practice changes companies and decide to go with another for XYZ reasons, does the previous practice management company have the right to deny the practice access that information? Isn’t that technically the practices information? Yes the practice technically has the superbills but the actual information billed and entered is housed in that program. Just wondering if anyone has encountered this before. I would greatly appreciate any feedback!


    • Mary Pat Whaley October 5, 2011

      Hi Jackie,

      Most legitimate vendors will not withhold your data, but they may be not-so-helpful in assisting you in relocating the data. Your contract should be very specific about what your vendor will or will not do and what they will charge. Your new vendor should be able to help you get your data from your old vendor.

      Best wishes,

      Mary Pat

  18. Patti H December 20, 2011

    We are in the process of trying to clean up some papers we have stored. I was wondering if you could tell me how long does a ECS(Electronic Claims Submissions) Report need to be kept?

    • Mary Pat Whaley December 23, 2011

      Hi Patti,

      I suggest you keep them for 7 years.

      If you can, I also suggest you start scanning these documents in and archiving them on the web. MMP FileConnect (a product I sell) is an affordable way to organize all practice paperwork easily for $75 a month. You can scan or move already-electronic documents over to a secure online location from your desktop. Contact me at for more information.

      Best wishes,

      Mary Pat

  19. Sherry February 27, 2012

    Hi I was wondering if someone knows if a practice has to keep fast remit documents especially for Medicare or federally regulated payers. Fast remit documents are EOBs from our payers that are sent from our clearing house electronically for posting. These are payers that we are set up electronically with for EFT. In the old days we were told you had to keep the Medicare EOBS for a period of time. Now that we have them electronically though its not the official EOB as it comes out as a posting sheet, I am wondering if we are still obligated in this new EHR world to do so?
    Thanks for any help on this. Sherry

    • Mary Pat Whaley February 27, 2012

      Hi Sherry,

      I recommend that electronic documents that you are posting from be electronically archived with other daily work – scanned paper EOBs, deposit slips, reconciliation sheets, etc. The only way you can audit your poster is by pulling the day’s work and matching it to what is in your billing system. Once you have archived your daily work, you can shred the paper copies in 3 months, 6 months, or at whatever interval you feel most comfortable.

      Best wishes,

      Mary Pat

  20. Rose February 28, 2012

    Hi Mary,

    I have a scenario that I Would like your input. You work for a 575 bed acute care level 1 research center, this hospital is also a teaching hospital that is connected to a university. The medical center brings in multimillions of dollars in grants each year. This facility’s maternity ward delivers the most babies in the city. They have an active heart surgery center.
    There are 6 months of data in the new EHR. There are 2 years of paper on the self. The 2 years of paper records include the contents of the HER, since administration does not trust the HER yet. All records are maintained on microfilm. You have just run out of storage space. Because of this, you have been asked to evaluate the current retention policy, which is to retain records forever.
    What should the minimum retention policy be based on?
    What are your options?
    which would you recommend and why?

    • Mary Pat Whaley February 29, 2012

      Hi Rose,

      Here’s an interesting 2008 survey of 100 top wired hospitals and how long they retain medical records and in what form they retain them: The survey indicates that hospitals such as yours tend NOT to keep records indefinitely and typically elect to retain records for 10 or 20 years.

      Personally, I think once you decide if you are going to limit how long you retain records, you should have the microfilm converted to digital and store everything on the cloud.

      Best wishes with your project!

      Mary Pat

  21. Bill March 7, 2012

    Hi Mary,

    What is the penalty for NOT retaining medical records?

    • Mary Pat Whaley March 11, 2012

      Hi Bill,

      If you do not retain a record and you are audited, you will not be able to substantiate that the service was provided and that could initiate a full-blown investigation that other payers could jump on.

      If you are sued and you do not have the record to defend yourself, you can close the doors of the practice.

      Best wishes,

      Mary Pat

  22. Jerilyn March 12, 2012

    Hi Mary,
    I am awaiting accredidation soon,and updating the Hipaa Privacy policy and procedure manuel. I don’t see that it has been revised since 2002. Is that right? Also, as a mastectomy fitter what is the fitter responsible for, in accredidation?
    Jerilyn V

    • Mary Pat Whaley March 14, 2012

      Hi Jerilyn,

      You will need to update your manual with information on the privacy requirements of the HITECH Act if you have an EHR.

      I’m sorry I can’t answer your question about accreditation, but maybe another reader can answer your question, or you can contact your specialty society.

      Best wishes,

      Mary Pat

  23. Missy May 17, 2012

    When sending medical records due you send the superbill or just the electronic record?

    • Mary Pat Whaley May 20, 2012

      Hi Missy,

      Just the electronic record.

      Best wishes,

      Mary Pat

  24. Missy May 17, 2012

    also can you send a corrected claim once the emr has been sealed and you realize the order of diagnosis is wrong?

    • Mary Pat Whaley May 20, 2012

      Hi Missy,

      Yes, you can send a corrected claim to reorganize the diagnoses.

      Best wishes,

      Mary Pat

  25. Vijay Gaware August 21, 2012

    Hello Mary,

    I wanted to know the duration for which Payers (Health Insurance Companies) are suppose to retain documents & information pertaining to Claims, Prior Authorization, Member Enrollment, etc. Are there different retention mandates for the various types of information generated at the Payers?


    • Mary Pat Whaley August 26, 2012

      Hi Vijay,

      You ask a great question and one that I do not know the answer to! I would call a payer and ask and they should be able to tell you.

      Best wishes,

      Mary Pat

  26. Kurt Brewster MD March 3, 2013

    Buyer beware! While docs are on the hook for electronic medical storage, EMR vendors don’t have to have an archivable storage ability. That means they can charge you a monthly license fee for 10 years if that’s the only way patients, insurers, government agencies or legal entities can access the complete patient record. If you do not keep the record you can be liable for “spoilage”. Make sure it’s explicitly spelled out in your EMR record two things: chart migration and archiving. You’ll save yourself a LOT of headaches down the road. This is another reason solo practitioners are a dying breed. Who can afford a decades long licensing fee unless you’re a large corporation?

    • Mary Pat Whaley March 3, 2013

      Hi Kurt,

      You makes some great points, but I beg to differ on medical record archiving.

      Most, if not all EMR systems allow you to upload record copies to cloud storage, just as you can upload charts for chart audits to a secure server for the auditing firm to retrieve.

      Practices can easily store medical records securely, then destroy them when they are no longer liable for them.

      We are resellers for the only HIPAA-compliant (they sign a BAA) cloud product that allows practices to purge records to a file for any future need. Physicians do not need to pay licensing fees indefinitely if they are no longer using the product. Our program from costs $75/month for unlimited storage – it’s the best-kept secret around!

      Best wishes,

      Mary Pat