Retention and Destruction of EMR Data
Retaining Medical Records
Every healthcare organization has to adopt and implement a medical record retention and destruction policy. Hospitals produce millions of medical documents that contain sensitive information about their patients, such as the treatments they receive and the medical conditions they suffer from.
Healthcare providers and their employees have to know what they should do with their patients’ medical records and how long the records must be kept before the facility can destroy them.
Some medical records must be kept for years. Additionally, medical records are governed by different regulations and standards, which makes them complex to manage.
What Are Medical Records?
Almost everyone has some kind of medical record. These records typically include sensitive information about an individual’s medical condition and well-being, as well as any medication they might be on.
Medical records are increasingly digitized. The U.S. healthcare industry currently manages electronic medical records (EMR), electronic health records (EHR), and personal health records (PHR). While an EMR holds a patient’s treatments and records of the patient’s condition from visits to a doctor, an EHR is a broader system. It can include information from different medical centers, surveys, and wearable devices that can help determine a patient’s well-being.
PHRs are information systems, typically operated by insurance companies, that allow people to track their health information.
HIPAA and Medical Records Retention
In addition to an individual’s personal and family medical history, treatments, and medications, medical records can contain sensitive personal information such as addresses, phone numbers, and Social Security numbers. Since medical records contain a lot of information that can be abused, it’s crucial how healthcare organizations handle and retain medical records, as well as when they can destroy them.
The Health Insurance Portability and Accountability Act (HIPAA), passed in 1996, also included the HIPAA Privacy Rule. The goal of the Privacy Rule was to hold healthcare providers responsible for protecting sensitive patient medical record information. It also states that medical records must be retained for six years from their creation date or the date they were last in effect.
This provision preempts state laws if they have shorter medical record retention periods, but some state laws can require that medical records are retained for longer.
American Health Information Management Association (AHIMA)
There is no single standardized record retention schedule that organizations and providers must follow. Instead, a variety of retention requirements must be reviewed to create a compliant record retention program.
Organizations must establish appropriate retention and destruction schedules to ensure the availability of timely, relevant data and information for patient care purposes; to meet federal, state, and local legal requirements; and to reduce the risk of legal discovery.
In the absence of specific state requirements, providers should keep health information for at least the period specified by the state’s statute of limitations or for a sufficient length of time for compliance with laws and regulations. A longer retention period is prudent, since the statute may not begin until the potential plaintiff learns of the causal relationship between an injury and the care received.
| Federal Requirement | West Virginia State Requirement | Accreditation Requirement | AHIMA Recommendation |
|---|---|---|---|
| 42 CFR 482.24(b)(1): Five (5) years. Medicare Conditions of Participation for Hospitals | WV 64CSR12 7.2.f. The hospital shall preserve medical records, including records of patients treated in the emergency room or outpatient department, for a minimum of five years in their original form or in a legally reproduced form. | Joint Commission RC.01.05.01: The hospital retains its medical records. The retention time of the original or legally reproduced medical record is determined by its use and hospital policy, in accordance with law and regulation. | Patient health and medical records (adults): 10 years after the most recent encounter. |
Health information resides in multiple storage media and locations, creating the need for a clearly defined record retention plan. At a minimum, record retention schedules must:
- Ensure patient health information is available to meet the needs of continued patient care, legal requirements, research, education, and other legitimate uses of the organization
- Include guidelines that specify what information is kept, the time period for which it is kept, and the storage medium on which it will be maintained (e.g., paper, microfilm, optical disk, magnetic tape)
- Include clear destruction policies and procedures that include appropriate methods of destruction for each medium on which information is maintained
Protecting Sensitive Patient Information
As with record retention, there is no single standard destruction requirement. Destruction of patient health information by an organization or provider must be carried out in accordance with federal and state law pursuant to a proper written retention schedule and destruction policy approved by appropriate organizational parties. Records involved in any open investigation, audit, or litigation must not be destroyed until the litigation case has been closed.
Both state and federal law lay out standards and legal record retention requirements before healthcare facilities can begin destroying medical records. Noncompliance can be costly – one HIPAA violation can result in harsh fines. While HIPAA lays out general standards, each state has its own medical records retention requirements.