CMS Record Retention & Privacy Guidelines
State laws generally govern how long medical records are to be retained.
However, the Health Insurance Portability and Accountability Act (HIPAA) of 1996 administrative simplification rules require a covered entity, such as a physician billing Medicare, to retain required documentation for six years from the date of its creation or the date when it last was in effect, whichever is later. HIPAA requirements preempt State laws if they require shorter periods. Your State may require a longer retention period.
The Centers for Medicare & Medicaid Services (CMS) requires records of providers submitting cost reports to be retained in their original or legally reproduced form for a period of at least 5 years after the closure of the cost report. This requirement applies to hospitals and not physician practices.
CMS requires Medicare managed care program providers to retain records for 10 years.
Privacy must be maintained even after record retention timelines have expired. While the HIPAA Privacy Rule does not include medical record retention requirements, it does require that covered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy of medical records and other protected health information (PHI) for whatever period such information is maintained by a covered entity, including through disposal.
Additional information:
- Providers/suppliers should maintain a medical record for each Medicare beneficiary that is their patient.
- Medical records must be accurately written, promptly completed, accessible, properly filed and retained.
- Using a system of author identification and record maintenance that ensures the integrity of the authentication and protects the security of all record entries is a good practice.
- The Medicare program does not have requirements for the media formats for medical records. However, the medical record needs to be in its original form or in a legally reproduced form, which may be electronic, so that medical records may be reviewed and audited by authorized entities.
- Providers must have a medical record system that ensures that the record may be accessed and retrieved promptly.
Providers may want to obtain legal advice concerning record retention after CMS-required time periodshave been met.