Off The Record

Get the FAQ’s: Why medical records retention needs your attention

Paperwork.  Whether it’s electronic or pulp, it’s the job of a Medical Records Manager or Healthcare Information Manager to ensure the security, privacy and accessibility of a patient’s medical record.  No easy feat – especially because, well, paperwork never goes away.  It accumulates and grows faster than dust bunnies under kids’ beds.  Sweep it away but it still comes back.  Sigh, for most people.  But it’s your sweet spot.  Most of the time, right?

So the question inevitably arises – exactly how long must a practice, clinic or hospital be required to keep aging or inactive medical records?

The answer is both easy and complex, because there is no one-sized-fits-all solution.  But in the age of HIPAA compliance and the HITECH Act, plus health care reform, the question can no longer be swept under the rug and procrastinated.  (Caught you!)  Now more than ever, it’s critical to reduce your practice’s vulnerability to liabilities by creating a defensible, sustainable records retention process.

That means – you’ve got to face into pruning when necessary.  In other words – you’ve got to purge.  And let’s be honest – it’s not the most glamorous part of your job, but an important one.

Purging is necessary, but to ensure your process is a viable one, check out a few FAQ’s on the topic.


Does the HIPAA Privacy Rule require covered entities to keep patients’ medical records for any period of time? No, the HIPAA Privacy Rule does not include medical record retention requirements.  State laws typically dictate the length of medical records retention. However, the HIPAA Privacy Rule does require that covered entities apply appropriate administrative, technical, and physical safeguards (across the chosen medium) to protect the privacy of medical records and other protected health information (PHI) for whatever period such information is maintained by a covered entity, including through disposal

Where do I source medical record retention laws by state?  Check out your state’s website to find applicable laws or try searching your state’s Department of Health website for legislation passed regarding retention laws. If you have one, your medical records department might be familiar with those regulations or could connect you to legal counsel for direction.

What are Medicare and Medicaid’s requirements for record retention?   HIPAA rules require Medicare Fee-For-Service providers to store required documentation for six years from the date of its creation or the date when it last was in effect, whichever is later.  CMS (Centers for Medicare & Medicaid Services) requires that providers submitting cost reports retain all patient records for at least five years after the closure of the cost report. And if you’re a Medicare managed care program provider, you are required to retain patient records for 10 years.  Medicare requires healthcare providers to retain records for Medicare patients for 5 years; if the provider is a HIPPA covered entity, the HIPAA 6-year requirement takes precedence. As for Medicaid, those vary by state.

As the keeper of all that critical documentation of a patient’s history and care, it pays to get the facts.  Impeccably documented, safeguarded, accessible medical records serve as the lynchpin of your practice’s protection of both patients, and your business.

And, it makes you an unsung hero.  Think about that when you’re down in the trenches!

For more information, visit or

Want to get Off the Record delivered directly to your in-box?  Sign up in the right-hand corner, and join the conversation with your comments!  As always, if you have a question about Medical Transcription, contact me at  Until then, here’s hoping your day is a successful one – and that’s on the record.


Kendall Tant
President and CEO




Leave a Reply

iData image