Taking a Healthy Approach to Medical Records Retention
Most healthcare providers and organizations are aware that medical records must be retained in compliance with the Health Insurance Portability and Accountability Act (HIPAA). What may be less commonly known is that, pursuant to HIPAA, each state determines its own laws regarding medical record retention. In fact, HIPAA is actually silent on the issue of medical record retention requirements. The purpose of this article is to answer frequently asked questions regarding medical records retention under California law.
1. How long must medical records be retained under California law?
In short, medical records must be retained for a minimum of seven (7) years in compliance with state law. However, many medical associations recommend that records be retained for ten (10) years.
California law under 22 CCR §72543 states that records shall be kept on all patients admitted or accepted for care. “All health records of discharged patients shall be completed and filed within 30 days after discharge date and such records shall be kept for a minimum of 7 years, except for minors whose records shall be kept at least until 1 year after the minor has reached the age of 18 years, but in no case less than 7 years.”
2. After a patient passes away, how long must records be retained?
The same law as described above applies when a patient passes away. Again, per 22 CCR §72543, medical records shall be retained at a minimum for seven years after the patient’s discharge date.
The HIPAA Privacy Rule does require that an individual's identifiable health information remain protected for 50 years following their death. However, medical records do not need to be retained by healthcare providers or organizations during this period. Because HIPAA sets no medical record retention requirements, covered entities may destroy such records at the time permitted by state or other applicable law.
3. Which documents are considered medical records?
California’s Health and Safety Code Section 123105 defines medical records or patient records as records of any form or medium that, “is maintained by, or in the custody or control of, a health care provider relating to the health history, diagnosis, or condition of a patient, or relating to treatment provided or proposed to be provided to the patient.”
Here, federal law under 45 CFR 164.524 (HIPAA) is clearer, as it provides specific examples designating that medical records “include medical records, billing records, payment and claims records, health plan enrollment records, case management records, as well as other records used, in whole or in part, by or for a covered entity to make decisions about individuals.”
4. How should medical records be disposed of?
In summary, state and federal law require that medical records be disposed of in a manner that makes patients’ personal information unreadable and undecipherable.
Here, California law requires compliance with privacy and security standards regarding the disposal of health records. Cal. Civ. Code Section 1798.81 states that a “business must take reasonable steps to dispose, or arrange for the disposal, of customer records containing ‘personal information,’ by (a) shredding, (b) erasing, or (c) otherwise modifying the personal information to make it unreadable or undecipherable.”
Additionally, HIPAA states that covered entities must implement reasonable safeguards to limit incidental, and avoid prohibited, uses and disclosures of protected health information (PHI), including in connection with the disposal of such information. See 45 CFR 164.310(d)(2)(i) and (ii).
The U.S. Department of Health and Human Services proposes the following examples of proper disposal methods, which may include, but are not limited to:
• For PHI in paper records, shredding, burning, pulping or pulverizing the records so that PHI is rendered essentially unreadable, indecipherable and impossible to reconstruct.
• Maintaining labeled prescription bottles and other PHI in opaque bags in a secure area and using a disposal vendor as a business associate to pick up and shred or otherwise destroy the PHI.
• For PHI on electronic media, clearing (using software or hardware products to overwrite media with non-sensitive data), purging (degaussing or exposing the media to a strong magnetic field in order to disrupt the recorded magnetic domains) or destroying the media (disintegration, pulverization, melting, incinerating or shredding).