As this year comes to a close, it may be time for some practices to review which medical records can be archived. We have been asked many times what the “difference” is between HIPAA documentation retention requirements and medical record retention requirements. Many organizations think these are the same requirements, and they are not!
If you are not sure about the differences, let Aris Medical Solutions offer you a complimentary consultation. We want to be your HIPAA partner!
HIPAA documentation retention:
HIPAA requires that your privacy and security rule policies, procedures, and documentation be retained for at least 6 years from the date of creation or from the last date the document was in effect, whichever is later. If a policy was implemented three years before it was revised, the original policy must be retained for a minimum of 9 years after its creation (the three years it was in effect, plus 6 years from the date it was last in effect). If state privacy law is more stringent, then state law must be followed.
Here are examples of the documentation covered under HIPAA’s retention requirement:
- Audit logs of access to ePHI
- Business associate agreements
- Contingency plans
- Employee sanction policy and documentation
- Notice of Privacy Practices
- Patient authorizations (unless included in their medical record)
- Patient complaints and resolutions
- Privacy policies (patient access, amendments, and authorizations)
- Security incident reports and breach notification documentation
- Security policies (administrative, physical, and technical)
- IT reports that include updates and device status
Medical record retention:
Most people think HIPAA controls the medical record retention requirements. HIPAA is a federal law, but each state has its own set of medical record retention requirements. State retention requirements can vary depending on the type of records and to whom they belong.
Florida state law requires medical practices to maintain records for at least 5 years after the last visit. Hospitals are required to retain records for 7 years after the last visit.
Claims may be brought up to 7 years after the incident under the False Claims Act; however, on occasion, the time has been extended to 10 years.
Medicare managed care program providers must also retain their records for 10 years.
Some states require pediatric practices to retain records until the patient reaches the age of 23.
North Carolina has some of the lengthiest requirements: 11 years from the date of discharge, and the records of patients who are minors must be retained until the patient reaches 30 years of age.
It is recommended to retain any documentation that may be needed in a personal injury or breach of contract dispute for as long as necessary.
As you can see, there are many variables.
Keeping patient records organized, with the dates that drive each retention period (creation, last visit, discharge, and the patient’s age) readily available, makes it much easier to identify which records are eligible to be purged when the time comes. It also protects you from storing records you no longer need, which would only add to your liability should you suffer a data breach.
If you need assistance with HIPAA Compliance, check out our HIPAA Keeper™. It’s an online compliance system that has everything you need to get compliant and stay compliant! Best of all you will have a HIPAA security analyst to guide you every step of the way!
For more information about Aris Medical Solutions call 877.659.2467 or click here to contact us.
“Simplifying HIPAA through Automation, Education, and Support”