CMS Record Retention & Privacy Guidelines

State laws generally govern how long medical records are to be retained.

However, the Health Insurance Portability and Accountability Act (HIPAA) of 1996 administrative simplification rules require a covered entity, such as a physician billing Medicare, to retain required documentation for six years from the date of its creation or the date when it last was in effect, whichever is later. HIPAA requirements preempt State laws if they require shorter periods. Your State may require a longer retention period.

The Centers for Medicare & Medicaid Services (CMS) requires records of providers submitting cost reports to be retained in their original or legally reproduced form for a period of at least 5 years after the closure of the cost report. This requirement applies to hospitals and not physician practices.

CMS requires Medicare managed care program providers to retain records for 10 years.

Privacy must be maintained even after record retention timelines have expired. While the HIPAA Privacy Rule does not include medical record retention requirements, it does require that covered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy of medical records and other protected health information (PHI) for whatever period such information is maintained by a covered entity, including through disposal.

Additional information:

  • Providers/suppliers should maintain a medical record for each Medicare beneficiary that is their patient.
  • Medical records must be accurately written, promptly completed, accessible, properly filed and retained.
  • Using a system of author identification and record maintenance that ensures the integrity of the authentication and protects the security of all record entries is a good practice.
  • The Medicare program does not have requirements for the media formats for medical records. However, the medical record needs to be in its original form or in a legally reproduced form, which may be electronic, so that medical records may be reviewed and audited by authorized entities.
  • Providers must have a medical record system that ensures that the record may be accessed and retrieved promptly.

Providers may want to obtain legal advice concerning record retention after CMS-required time periodshave been met.

Federal Stimulus Means New HIPAA Privacy and Security Mandates

“We will make the immediate investments necessary to ensure that within five years, all of America’s medical records are computerized.” President Barack H. Obama, January 8, 2009.

In line with this audacious promise, the American Recovery and Reinvestment Act of 2009 (ARRA) expands, enforces, and enhances the privacy and security safeguards required by the Health Insurance Portability and Accountability Act (HIPAA) for certain individually identifiable health information. The tightening of these safeguards is critical to building the network of computerized record-keeping systems that will service the whole nation. Most businesses will be affected by these changes to some degree. Some of the key changes made by the new law include:

  1. Business Associates subject to HIPPA
  2. Breach notification requirements under HIPPA
  3. States attorneys general will enforce HIPPA violations
  4. Individual rights are expanded under this rules change

Business Associates Become Directly Subject to HIPAA. Generally, individuals and entities are treated as “business associates” when they provide services to “covered entities” under HIPAA. Prior to ARRA, business associates were not directly subject to the privacy and security regulations under HIPAA, but had obligations with respect to HIPAA through the terms of agreements entered into with covered entities.

Under ARRA, beginning 12 months from February 17, 2009 (“date of enactment”), business associates become directly subject to certain requirements under the HIPAA privacy and security regulations in the same manner as those requirements apply to covered entities. These changes likely will require modifications to existing business-associate agreements.
Additionally, ARRA subjects business associates to the same civil and criminal penalties as covered entities for violations of the privacy and security requirements.

Breach Notification Requirement Added to HIPAA and Beyond. As breaches of personal information continue to affect millions of individuals across the United States, the ARRA adds a breach notification requirement to HIPAA. The new requirement follows the general framework established by states that adopted similar laws over the past few years, with some important distinctions:

  • A breach requiring notification does not occur where the unauthorized person who receives a disclosure of protected health information would not reasonably be able to retain the information.
  • Unless a delay in notification is permitted for law enforcement purposes, notification may not be provided later than 60 days after discovery of the breach.
  • If the breach involves 500 or more individuals, covered entities must notify the Secretary of Health and Human Services immediately.
  • Breaches involving 10 or more individuals for whom there is insufficient or out-of-date contact information require conspicuous posting on the covered entity’s website or notice in major print or broadcast media.

The notification requirement applies only to breaches of “unsecured” personal health information, which, subject to future guidance, generally means it is not secured by a technology standard, developed or endorsed by an accredited organization that would render the information unusable, unreadable, or indecipherable. The ARRA directs the Department of Health and Human Services (HHS) to promulgate regulations within 180 days of the date of enactment to carry out this new notification requirement.  The new regulations will apply to breaches discovered on or after the date that is 30 days after final interim regulations are published.
The ARRA also added a similar breach requirement for certain vendors of personal health records.  Vendors include those entities that are not covered entities under HIPAA, but access information in a personal health record or send information to a personal health record. Perhaps with an eye towards a national standard for data breach notification, the breach notification requirement for these vendors will cease to be effective on the effective date of regulations that implement new legislation establishing such a national standard.

State Attorneys General to Enforce HIPAA and Other Enforcement Provisions. Under the ARRA, effective immediately, State Attorneys General may bring a civil action in federal court to enforce the privacy and security regulations under HIPAA. These actions may seek damages on behalf of State residents.  Damages are determined by multiplying the number of violations by $100, subject to a calendar year cap for violations of identical requirements or prohibitions equal to $25,000. If successful, a State Attorney General also could recover attorneys’ fees.

Since the original effective date (April 14, 2003) of the HIPAA privacy regulations, few, if any, “civil penalties” have been assessed against covered entities. The HHS generally has taken a compliant-driven approach to enforcement. However, provisions of the ARRA seek to change this pattern:

  • Effective immediately, penalties for violations are increased through a tiered structure. For example, a violation due to “reasonable cause”, but not “willful neglect”, may bring a penalty of as little as $1,000 but not more than $1,500,000. Even where the person did not know (and, by exercising reasonable diligence, would not have known) of a violation, a penalty of as little as $100 but not more than $1,500,000 may result.
  • Two years after the date of enactment of ARRA, penalties will be required in cases of willful neglect.
  • Where in the course of a preliminary investigation HHS believes a complaint indicates a possible violation due to willful neglect, it must commence a formal investigation.
  • Within three years of enactment of ARRA, a method will be in place to share civil penalties with the individuals harmed.

Increase in Individual Rights with Respect to Protected Health Information. The HIPAA privacy and security regulations outline certain rights individuals have with respect to their protected health information. These rights include a right to request access and restrictions on certain disclosures. The ARRA enhances some of these rights.  For example:

  • A requirement that covered entities comply with certain requested restrictions, despite the existing rule that generally permitted covered entities to decline to grant restriction requests.
  • Increased obligations for covered entities maintaining electronic health records to account for disclosures of protected health information.
  • Limitations on the ability to receive remuneration in connection with an exchange of protected health information.
  • Increased access to protected health information maintained in electronic format.

* * *

Regulation of the use, disclosure and safeguarding of privacy and security of personal information, particularly personal health information, will continue to grow, whether at the federal or state level. Businesses should evaluate the kinds of information they maintain both for their business and their employees in order to determine the extent to which these laws may apply. Implementation of appropriate policies and procedures, among other steps, such as developing a breach response plan, can go far to reducing potential liability. We will be providing more information about the changes under ARRA in the coming weeks.  Members of our Workplace Privacy Group are available to assist your business to understand your obligations and plan accordingly.