CMS Record Retention & Privacy Guidelines

State laws generally govern how long medical records are to be retained.

However, the Health Insurance Portability and Accountability Act (HIPAA) of 1996 administrative simplification rules require a covered entity, such as a physician billing Medicare, to retain required documentation for six years from the date of its creation or the date when it last was in effect, whichever is later. HIPAA requirements preempt State laws if they require shorter periods. Your State may require a longer retention period.

The Centers for Medicare & Medicaid Services (CMS) requires records of providers submitting cost reports to be retained in their original or legally reproduced form for a period of at least 5 years after the closure of the cost report. This requirement applies to hospitals and not physician practices.

CMS requires Medicare managed care program providers to retain records for 10 years.

Privacy must be maintained even after record retention timelines have expired. While the HIPAA Privacy Rule does not include medical record retention requirements, it does require that covered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy of medical records and other protected health information (PHI) for whatever period such information is maintained by a covered entity, including through disposal.

Additional information:

  • Providers/suppliers should maintain a medical record for each Medicare beneficiary that is their patient.
  • Medical records must be accurately written, promptly completed, accessible, properly filed and retained.
  • Using a system of author identification and record maintenance that ensures the integrity of the authentication and protects the security of all record entries is a good practice.
  • The Medicare program does not have requirements for the media formats for medical records. However, the medical record needs to be in its original form or in a legally reproduced form, which may be electronic, so that medical records may be reviewed and audited by authorized entities.
  • Providers must have a medical record system that ensures that the record may be accessed and retrieved promptly.

Providers may want to obtain legal advice concerning record retention after CMS-required time periods have been met.

Expect Stricter HIPAA Enforcement

The Department of Health and Human Services (HHS) announced that the Office for Civil Rights (OCR) will now be responsible for enforcing the Health Insurance Portability and Accountability Act of 1996 (HIPAA) security rule in addition to the privacy rule. (The Centers for Medicare & Medicaid Services was previously responsible for the security rule.) This consolidation of HIPAA enforcement activity highlights the Administration's heightened scrutiny of the security and privacy of health information. In fact, the American Recovery and Reinvestment Act of 2009 mandates enhanced patient privacy rights and physician practice requirements, increases financial penalties for violations of the privacy rule and the security rule, and allocates additional resources for enforcement.

How will this affect you? Well, if your group practice has not yet put in place a plan to implement the Red Flag rules, you will be at risk of a HIPAA violation once enforcement begins.