Some people assume that the Health Insurance Portability and Accountability Act (HIPAA) of 1996 requires doctors and other covered entities to retain patient records for a specific period of time. However, this isn't entirely true. While the HIPAA Privacy Rule covers many elements of patient privacy, it does not include a requirement for record retention.
According to the Department of Health and Human Services (HHS), state laws govern the retention period for medical records. In Arizona, for instance, both doctors and hospitals are required by state law to retain patients' medical records for a minimum of 6 years from the last date of service from the provider. In Connecticut, doctors must retain patients' medical records for 7 years from the last date of treatment, or 3 years upon the death of the patient. Hospitals in Connecticut, however, must retain patients' medical files for a minimum of 10 years after the patient has been officially discharged.
What's the purpose of requiring doctors and hospitals to retain patients' medical files? There are a number of reasons why many states have their own laws that require healthcare providers to retain medical records, one of which is for follow-up treatment. If a patient succumbs to a disease or illness, a doctor may attempt to access his or her past medical records. The information contained within a patient's file could prove invaluable in treating his or her condition.
While HIPAA doesn't require covered entities to retain patients' medical records for any specified length of time, it does require covered entities to implement meaningful and appropriate administrative, technical and physical safeguards for the medical files that are retained. In other words, a doctor who practices in Arizona must apply these HIPAA safeguards to all medical records that he or she retains. And as we mentioned earlier, doctors in Arizona must retain patients' medical records for a minimum of 6 years. Throughout the course of this 6-year period, doctors must implement technical, physical and administrative safeguards to protect patients' medical records from unauthorized access.
If you operate a medical practice, you should refer to your state's laws regarding medical record retention requirements. Also, remember that all Protected Health Information retained as medical records must be protected through the use of technical, physical and administrative safeguards.