Healthcare providers generate a wide range of records, including patient health records and business records. These records help providers maintain critical information and allow them to deliver quality services and care. Healthcare records must be appropriately maintained and managed throughout their lifecycle — from creation to destruction. To protect records, it is imperative that healthcare providers develop and implement formal record retention policies and procedures. Healthcare providers should establish these policies to mitigate the risks associated with all Federal, State and local laws and regulations; or for audits from Federal or State authorities, as well as to help defend against allegations that records were deliberately or maliciously destroyed during Litigation Holds established pursuant to legal proceedings.
The Centers for Medicare & Medicaid Services (CMS) requires healthcare providers and organizations to retain patient records for Medicare beneficiaries for at least 5 years. Medicaid requirements vary by state. Further, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) established a Privacy Rule[1] which requires “covered entities”, (defined by the statute to encompass health care providers, health plans, and health care clearinghouses) and their business associates to apply appropriate administrative, technical, and physical safeguards to protect the privacy of health records and other forms of Protected Health Information (“PHI”) for as long as they are maintained. Some states have specific requirements for the retention of patient health records. Often, these state-specific record retention requirements are accessible via providers’ professional licensing boards. Regardless of any State or Federal record retention guidelines, once any judicial or investigative proceeding is contemplated, a Provider should automatically suspend all document retention policies and send out a “red alert letter” that informs employees to save documents related to the contemplated proceeding. Upon receipt of a subpoena, a Provider should suspend any document destruction policy in place so as to prevent the destruction of responsive documents. For questions or advice related to the maintenance of healthcare records, contact Frier Levitt today for guidance.
[1] 45 CFR Part 160
