QUESTION: Currently all of our records are stored electronically and have been for the past few years. Prior to that we acquired a hospital’s Occ Health program and there are paper records that we have been paying a medical record storage facility to store for us. Our question is, how long do we have to hold/store these records for?
ANSWER: If you are the keeper of records for the employer, then you must follow the employer standards: osha.gov/laws-regs/regulations/standardnumber/1913/1913.10
• 30 years – Employers are required to maintain any medical and exposure records created for employees for specific periods of time. Paragraph (d) of 1910.1020 requires that employers keep exposure records for 30 years.
• Training records must be retained for three years from the date on which the training occurred, although it is advisable to retain training records for the duration of employment.
• One year – EEOC Regulations require that employers keep all personnel or employment records for one year. If an employee is involuntarily terminated, his/her personnel records must be retained for one year from the date of termination.
But, if you are not the designated keeper of the record and the employer has copies of all the interactions your clinic provided, then:
• Federal law mandates that a provider keep and retain each record for a minimum of seven years from the date of last service to the patient. For Medicare Advantage patients, it goes up to ten years.
• Providers must also comply with individual state regulations on record retention (which often differ from the national standards) and their states’ statutes of limitations on malpractice lawsuits.
• The idea that records, either in paper or electronic form, should be saved for around ten years to comply with all requirements is an oft-touted rule of thumb. But, of course, there are exceptions.
• Have any records related to workplace injuries? If the Occupational Safety and Health Administration (OSHA) was involved, hang on to them for 30 years after the last date of service.
• Lastly, should you ever discover that legal action is pending from a patient, be sure to save his relevant records, even if you’ve already kept them past their other retention deadlines. No destruction is allowed once you have knowledge of the litigation.
• Destroying records, digital or otherwise, once their retention deadlines arrive is extremely important. Even if your back room is locked and your health IT system offers top-notch encryption, security breaches and HIPAA violations can still occur. “The more data you push through the pipes, the more likely you’ll spring a leak somewhere,” says Jason Straight, managing director of Kroll’s Cyber Security and Information Assurance unit. “Document retention and data security are inextricably linked.” There’s no reason to leave any patient information – especially data that’s unnecessary to retain – vulnerable to being compromised. As long as you keep documented records of all destructions, proper disposal of old data is the best way to ensure patient confidentiality is upheld. So comb through your old charts, dig through your electronic data and destroy what no longer needs to be retained.