The practice’s documented policies and procedures should outline when records can be destroyed, as well as when and where the destruction will take place. A comprehensive, consistent policy and procedure may help avoid allegations that records were destroyed deliberately or maliciously and help to maintain patient confidentiality.

Computerized medical records must have the same confidentiality considerations applied as with paper records. It is recommended that practices consult their software vendor to determine how to purge or destroy old computerized records to ensure patient confidentiality is protected.

Additional considerations include AMA guidelines that physicians have an obligation to retain patient records that may reasonably be of value to a patient. An appropriate criterion is whether a physician would want the information if he or she were seeing the patient for the first time. The AMA guidelines also recommend that before discarding old records, patients should be given an opportunity to claim the records or have them sent to another physician, if it is feasible to give them the opportunity. There are separate distinct New Jersey Board of Medical Examiners requirements for physicians ceasing to practice (retirement, sale, leaving a practice) that should be followed. 

State the purpose of the policy

The purpose is to establish specific minimum guidelines for the retention of medical records and the methodology for destruction that is consistent with the policy to protect patient confidentiality.

Policy contents

According to these guidelines, medical record information must be maintained in order to facilitate continuity of care, compliance with regulatory agencies and fulfill the mission of patient care. The confidentiality of the information should be protected up until the final point of destruction.

1.       Record retention time schedule for adults is seven years from the last professional contact or date of record entry plus two years for the statute of limitations to initiate a lawsuit. For minors to age 18, plus two years for the statute of limitations or seven years from last record entry, whichever is greater. Dental records for minors are age 18 or seven years from the last date of record entry, whichever is greater, plus two years for statute of limitations. Diagnostic models should be maintained for three years.      

2.       Immunization records and records of incompetent patients should be kept indefinitely. It is recommended that records of deceased patients be kept long enough for the probate of the estate to close or the schedule listed above, whichever is greater. Practices that are affiliated with federal or state Health and Human Services programs should consult with the requirements of these agencies. Practices that are involved in research should also consult with any FDA requirements or research study contract language.
 

3.       Medical records should be kept for longer periods of time than those cited above when requested by one of the following:

a.       A physician of a patient

b.       The patient or someone acting legally in his/her behalf, when requested in writing, or

c.       The practice’s legal counsel/risk management representative, or when there is a potential claim. All records that have been the subject of an incident that could lead to litigation and all records that have been requested by an outside attorney or administrative agency, such as licensing boards, should be excluded from the general retention policy and retained indefinitely. These records should not be destroyed until the matter is fully resolved and only with the advice of your liability carrier or your attorney. If these files are not retained appropriately, the result may be a claim of spoliation, whereby a plaintiff charges that evidence, that the physician had a duty to retain, was destroyed.

4.       Administrators/custodians of systems must ensure that the stored information is accessible, readable and reproducible for the life of the record. Indicate who is responsible for deciding what to keep and when to purge.

5.       Destruction of records must be accomplished in a manner that protects the confidentiality of the documents being destroyed. Documents should be shredded or burned rather than simply disposed of in a garbage receptacle.

6.       Any contracts with outside vendors for record destruction must abide by HIPAA rules and must maintain the confidentiality of the information up to the point of destruction.  These contracts should be reviewed by the practice’s attorney.

7.       Notwithstanding the above, federal and state laws and regulations (e.g., Medicare and OSHA) will determine the length of time that a medical record is retained. Managed care contracts should be scrutinized to determine if your general retention policy meets the contract requirements.

8.       The practice should maintain some basic information in a log, including the patient's name, date of birth, Social Security number, dates of first and last visit, general problems and procedures performed in the office. Documentation of what was destroyed, how it was destroyed and the date of the destruction should also be maintained.

This article is intended to make healthcare professionals aware of medical record retention requirements and to serve as a general guideline in developing policies and procedures. This article is not intended as legal advice. Readers should consult professional counsel familiar with federal and state laws for guidance with specific legal, clinical or ethical questions.