Record retention sounds simple. You keep the records for a set amount of time to provide information about your patient’s care and health history to other healthcare professionals. However, underneath this simplistic view of data retention requirements lies state and federal laws, medical association policies, and organizational procedures.

Attempting to meet all of these rules and regulations can be exhausting. The general rule of thumb is to meet the most stringent of all the rules that govern your practice. Frequently, the strictest laws are those issued by your state.

Basics of Data Retention

Keeping medical records is the law. Retention provides patients access to their health information and communicates a patient’s history with other providers. Creating and executing a data retention process ensures that you will avoid penalties, fines, and the loss of critical certifications.

A well-documented and maintained medical record can become vital during possible and actual litigation. Entries in medical records are considered reliable evidence in judicial proceedings. Without a medical record, physicians, nurses, and other healthcare professionals won’t be able to provide proof of services delivered to meet the required standard of care rules.

Federal Rules

The Health Insurance Portability and Accountability Act of 1996 requires you keep medical records for six years from the date of creation or the last patient contact, whichever is later. Of course, at the end of this period, you need to have a process for data disposal, which also falls under the physical safeguard rules of HIPAA for medical records and other forms of protected health information (PHI).

To further complicate retention requirements, the Centers for Medicare and Medicaid Services (CMS) issued their own set of rules for both financial and medical data. To meet the CMS rules, you must maintain cost reports for at least five years after the closure of the financial account.  Patient files must be retained for ten years in its original form to comply with CMS.

State Laws

Understanding data retention laws for your home state is essential to your success. State laws also provide individual access to medical records for consumers within a set time frame, which is a provision of HIPAA. These laws can be the same, stronger, or preempted by HIPAA. Many states provide additional rules for entities not covered by HIPAA, too.

We’ve created a tool here to make it simple for you to find the EHR data retention requirements for your state. If you need further information, consult with your compliance office, accountant, or HIPAA director to better understand the Federal, IRS, and state-specific requirements that you must meet.

Move your mouse over a state to explore the minimum medical record retention periods for records held by physicians and hospitals.