CMS Record Retention & Privacy Guidelines
State laws generally govern how long medical records are to be retained.
However, the Health Insurance Portability and Accountability Act (HIPAA) of 1996 administrative simplification rules require a covered entity, such as a physician billing Medicare, to retain required documentation for six years from the date of its creation or the date when it last was in effect, whichever is later. HIPAA requirements preempt State laws if they require shorter periods. Your State may require a longer retention period.
The Centers for Medicare & Medicaid Services (CMS) requires records of providers submitting cost reports to be retained in their original or legally reproduced form for a period of at least 5 years after the closure of the cost report. This requirement applies to hospitals and not physician practices.
CMS requires Medicare managed care program providers to retain records for 10 years.
Privacy must be maintained even after record retention timelines have expired. While the HIPAA Privacy Rule does not include medical record retention requirements, it does require that covered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy of medical records and other protected health information (PHI) for whatever period such information is maintained by a covered entity, including through disposal.
Additional information:
- Providers/suppliers should maintain a medical record for each Medicare beneficiary that is their patient.
- Medical records must be accurately written, promptly completed, accessible, properly filed and retained.
- Using a system of author identification and record maintenance that ensures the integrity of the authentication and protects the security of all record entries is a good practice.
- The Medicare program does not have requirements for the media formats for medical records. However, the medical record needs to be in its original form or in a legally reproduced form, which may be electronic, so that medical records may be reviewed and audited by authorized entities.
- Providers must have a medical record system that ensures that the record may be accessed and retrieved promptly.
Providers may want to obtain legal advice concerning record retention after CMS-required time periodshave been met.
CMS Delivers Additional Information Regarding Medicare Timely Filing Rule
In the MLN Matters dated July 30, 2010, Change Request (CR) 7080, CMS gives additional instructions on the timely filing rule:
- For professional claims (CMS-1500 Form and 837P) submitted by physicians and other suppliers that include span dates of service, the line item“From” date will be used to determine the date of service and filing timeliness. (This includes supplies and rental items). For physicians and other suppliers that bill claims with span dates, these span date services cannot exceed one month.
- For institutional claims that include span dates of service (i.e., a “From” and “Through” date span on the claim), the “Through” date on the claim will be used to determine the date of service for claims filing timeliness.
- BE AWARE: If a line item “From” date is not timely, but the “To” date is timely, Medicare contractors will split the line item and deny untimely services as not timely filed.
- Claims having a date of service of February 29th must be filed by February 28th of the following year to be considered as timely filed. If the date of service is February 29th of any year and is received on or after March 1st of the following year, the claim will be denied as having failed to meet the timely filing requirement.
Change request (CR) 6960 specified the basic timely filing standards established for FFS reimbursement, which are a result of Section 6404 of the Patient Protection and Affordable Care Act of 2010 (ACA) that states that claims with dates of service on or after January 1, 2010, received later than one calendar year beyond the date of service will be denied by Medicare.
