How to Manage Your Medical Record Retention and Destruction

With a wide range of different medical record retention and destruction requirements on both a federal and state level, it’s critical you’re following best practices to ensure you’re staying in line with HIPAA and state standards. Not only is it essential in terms of protecting yourself from legal consequences, but also for protecting patients and their health information.

Learn more in this video or transcription below about why medical record retention and destruction tracking needs to be a priority, HIPAA’s background and retention standards, general recommendations for how long to keep different types of medical records, and how to best manage retention and destruction for both your paper medical records and EMRs.

Video Transcription

What Makes Medical Record Retention and Destruction So Important?

At its core, staying on top of medical record management is essential for protecting patients by ensuring their sensitive information is safely stored and destroyed, however there are also legal incentives for making medical record retention and destruction a priority.

Legal requirements on both a federal and state level that lay out standards for how long medical records need to be kept and when they should be destroyed, and noncompliance with them can be costly—a single HIPAA violation fine can run as high as $50,000.

HIPAA and state retention requiremetsHIPAA and State Retention Requirements

There’s a wide range of different medical record types, and with that comes a range of different retention times for them as well.

While federal laws like HIPAA lay out general medical record retention standards, there are also state laws that have specific retention requirements which can vary from state to state.

Medical Record Retention According to HIPAA

Passed in 1996, HIPAA (the Health Insurance Portability and Accountability Act) includes the HIPAA Privacy Rule, which is designed to hold healthcare providers accountable for protecting sensitive patient information.

Although the HIPAA Privacy Rule doesn’t give specific retention times for the various types of medical records, it does state that a medical record must be retained for 6 years from the date of its creation or the date it was last in effect, whichever is later.

HIPAA’s retention requirements preempt state laws when they have shorter retention periods, however state laws can also require medical records to be retained for longer than HIPAA’s 6 year standard.

Medical Record Retention According to State Laws

Each state has different minimum retention requirements, and in some cases they’re much longer than HIPAA’s requirements.

Some states will also try to set shorter retention requirements, however as before HIPAA’s 6 year standard would preempt them. Some of the most common medical record types and their recommended retention times include:

Medical Record

Recommended Retention Period

Patient Health/Medical Records – Adults 10 years after the date of its last use
Patient Health/Medical Records – Minors Age of majority plus statute of limitations
Diagnostic Images (x-ray films, etc.) – Adults 5 years*
Diagnostic Images (x-ray films, etc.) – Minors 5 years after the age of majority*
Master Patient/Person Index Permanently
Physician Index 10 years
Disease Index 10 years
Operative Index 10 years
Register of Surgical Procedures Permanently
Register of Births/Deaths Permanently

* Preempted by the HIPAA Privacy Rule

Medical Record Retention and Destruction Logs

By keeping medical records and destruction logs you can keep track of the medical records you’re currently retaining and have already destroyed.

Maintaining a log for managing retention and destruction helps to not only simplify records management, but also help ensure you’re staying compliant with HIPAA and other state laws.

How It Works: Keeping a Medical Record Retention Log

There are two formats for medical records used in healthcare today—paper records and EMRs (electronic medical records)—and because of that there are also two methods for storing and tracking their retention times.

Paper Medical Record Retention

When you’re storing hard-copy medical records in bulk with an off site storage provider, your file boxes can be labeled with their individual retention times.

While stored you can check up on the status of records and their retention times, and once they expire storage providers will handle the medical record destruction.

Digital Medical Record Retention

An EHR (electronic health record) system is used to house and manage individual EMRs, and can be configured to track the retention times for medical records. Once retention periods expire, an EHR system can also be configured to automatically delete the files.

How It Works: Keeping a Medical Record Destruction Log

Shred Events with Shred NationsJust like how there are two methods used for tracking paper and EMR retention periods, there are also two different ways to destroy medical records once their retention times expire.

Paper Medical Record Destruction

When retention times expire for medical records stored off site, storage providers can also shred the records with either an on-site industrial shredder in their facility or a secure partner shredding provider.

Once medical records are destroyed, you receive a formal certificate of destruction with details including the date, location, and witnesses to the shredding which in the event of any legal dispute can be used as proof of compliance.

Digital Medical Record Destruction

When the retention periods expire for EMRs, an EHR system can also be configured to delete them.

It’s important to note though that deleting files on a hard drive doesn’t mean they’re completely erased. When a file is deleted, the actual file stays stored on the hard drive and instead only a small bit of information on the hard drive pointing to where the file was located is erased.

With special software those deleted EMRs can still be recovered from a hard drive, meaning the only way to truly “erase” digital medical records is to destroy the hard drive altogether. Similar to shredding medical records, with hard drive destruction you also receive a certificate of destruction for proof of compliance.

Staying On Top of Your Medical Record Retention and Destruction Requirements?

At Shred Nations we partner with a nationwide network of readily-available medical records storage, shredding, and hard drive destruction providers in order to help ensure there are no gaps in the medical records retention and destruction practices of members of the healthcare industry.

Get free quotes and join the American Cancer Society, the Red Cross, and countless other organizations we’ve helped to find the best options for streamlining their medical record retention and destruction tracking by simply filling out the form to the right, giving us a call at (800) 747-3365, or contacting us directly using our live chat. 

The Medical Records Retention and Destruction Process