Bottom line: We must keep our records for the amount of time our
state/jurisdiction requires. Additionally, for HIPAA, you must maintain, until
6 years after the last date of service, your privacy policies and procedures,
privacy practices notices, disposition of complaints, and other actions,
activities, and designations that the Privacy Rule requires to be documented.
And, for Medicare, records need to be saved for 7 years.
More specifically:
In MD and VA, this means we need to retain them for a minimum of 5 years after
our discharge date. For minors, we must keep them either 5 years after their
discharge date, or 3 years after they reach the age of majority, whichever is
later.
In DC, records need to be retained for 3 years after last seeing the patient.
For minors we must keep records 3 years after last seeing the patient or for
3 years after the patient turns 18, whichever is later.
FOR HIPAA:
Does the HIPAA Privacy Rule require covered entities to keep patients’ medical
records for any period of time?
No, the HIPAA Privacy Rule does not include medical record retention
requirements. Rather, State laws generally govern how long medical records are
to be retained. However, the HIPAA Privacy Rule does require that covered
entities apply appropriate administrative, technical, and physical safeguards
to protect the privacy of medical records and other protected health
information (PHI) for whatever period such information is maintained by a
covered entity, including through disposal. See 45 CFR 164.530(c).
(From a CURRENT HHS.GOV posting: https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/enforcement/examples/disposalfaqs.pdf)
For “a Medicare provider or supplier providing covered ordered, certified,
referred, or prescribed Medicare Part A or B services….(t)he regulation
requires you to maintain medical records for 7 years from the Date of Service
(DOS).”