CMS Record Retention & Privacy Guidelines
State laws generally govern how long medical records are to be retained.
However, the Health Insurance Portability and Accountability Act (HIPAA) of 1996 administrative simplification rules require a covered entity, such as a physician billing Medicare, to retain required documentation for six years from the date of its creation or the date when it last was in effect, whichever is later. HIPAA requirements preempt State laws if they require shorter periods. Your State may require a longer retention period.
The Centers for Medicare & Medicaid Services (CMS) requires records of providers submitting cost reports to be retained in their original or legally reproduced form for a period of at least 5 years after the closure of the cost report. This requirement applies to hospitals and not physician practices.
CMS requires Medicare managed care program providers to retain records for 10 years.
Privacy must be maintained even after record retention timelines have expired. While the HIPAA Privacy Rule does not include medical record retention requirements, it does require that covered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy of medical records and other protected health information (PHI) for whatever period such information is maintained by a covered entity, including through disposal.
Additional information:
- Providers/suppliers should maintain a medical record for each Medicare beneficiary that is their patient.
- Medical records must be accurately written, promptly completed, accessible, properly filed and retained.
- Using a system of author identification and record maintenance that ensures the integrity of the authentication and protects the security of all record entries is a good practice.
- The Medicare program does not have requirements for the media formats for medical records. However, the medical record needs to be in its original form or in a legally reproduced form, which may be electronic, so that medical records may be reviewed and audited by authorized entities.
- Providers must have a medical record system that ensures that the record may be accessed and retrieved promptly.
Providers may want to obtain legal advice concerning record retention after CMS-required time periodshave been met.
OIG To Recover More Than $3 Billion in Healthcare Fraud Enforcement
In its semiannual report to Congress this week, the Department of Health and Human Service’s (HHS) Office of Inspector General (OIG) announced that it expects to recover more than $3 billion from enforcement activities conducted in the six-month period that ended March 31. In the same time period, the OIG:
- Excluded 1,935 individuals and entities from participation in federal health care programs;
- Brought 293 criminal actions against individuals or entities; and
- Initiated 164 civil actions (including some under the False Claims Act, unjust enrichment lawsuits, civil monetary penalties law settlements and administrative recoveries related to provider self-disclosure).
In the months ahead, the OIG will implement the healthcare fraud-related provisions in the Patient Protection and Affordable Care Act (PPACA) and oversee HHS’s healthcare reform activities. It will also continue its efforts with the Health Care Fraud Prevention & Enforcement Action Team (HEAT) in conjunction with the Department of Justice and HHS. HEAT initiatives include the Medicare Fraud Strike Force, which coordinates law enforcement operations with other federal, state and local law enforcement entities in select cities around the country.