How long should I keep my records?
Neither the Illinois Medical Practice Act nor Rules specify the number of years that office medical records must be retained. However, other laws, including statutes of limitation on medical malpractice, personal injury claims, and the False Claims Act, may be used as guidelines for record retention. A physician should consider these laws in formulating a policy that is tailored to the needs of the individual practice.
To comply with the varying laws and purposes explained below, the Illinois Chiropractic Society recommends as a general rule that chiropractic physicians retain medical records for:
- Adult patients – 10 years from the date of the last encounter
- Children (under age 18) – 10 years from the date of the last encounter OR when the child reaches 22 years of age, whichever is longer.
Of course, physicians may establish record retention policies that are longer than the above-recommended guidelines, based on the nature and needs of the individual practice.
Factors to be considered are discussed below:
MEDICAL MALPRACTICE STATUTES OF LIMITATION
An important factor to consider in developing a retention policy is protection against malpractice suits. A practitioner should retain records for a period that would cover the longest possible statute of limitations for medical malpractice. The Illinois statutes of limitation now impose a malpractice case deadline of 2 years from when the malpractice is discovered, but in no event no longer than 4 years from the date of the wrongdoing, in a case involving an adult. In the case of a child (a person under 18 years of age), the case must be filed within 8 years from the date of the wrongdoing, but not later than when the child reaches age 22. For example, if a liability event occurred to the child during childbirth, the statute of limitations would be 8 years. For a liability event occurring to a 16-year-old, the statute of limitations would be 22.
OTHER LAWS TO CONSIDER—PERSONAL INJURY, HOSPITAL LAWS, HIPAA, FALSE CLAIMS ACT
Other laws to be considered include the statute of limitations for ordinary personal injury claims. In Illinois, that deadline is two years from the date of injury for an adult, or, in the case of a minor, two years after his or her 18th birthday. The Rules for the Health Insurance Portability and Accountability Act (“HIPAA”) require that records be maintained for a minimum of 6 years from the date of their creation and that records of any disclosure be maintained for 6 years from the disclosure date.
Hospitals are required to maintain x-rays for 5 years and patient records for 10 years from the last patient encounter.
The False Claims Act (FCA) makes it a crime to knowingly file a false claim for payment under any federal government program. Under that law, an FCA action may be brought: (1) 6 years from the date of the violation; or (2) 3 years from the date the federal enforcement agency knew or should have known of the violation, but no later than 10 years from the date the violation occurred. Therefore, the statute of limitations under the FCA could be up to 10 years.
The U.S. Supreme Court affirmed this interpretation in the case of Cochise Consultancy, Inc. v. United States Ex Rel. Hunt. The Cochise decision clarifies that the statute of limitations for FCA qui tam actions may be up to 10 years, depending upon when the government is notified of alleged violations. The Court explained, “If the government discovers the fraud on the day it occurred, it would have 6 years to bring suit, but if a relator [whistleblower] instead discovers the fraud on the day it occurred and the Government does not discover it, the relator could have as many as 10 years to bring suit.” As a result, providers who treat Medicare patients should consider keeping records for a minimum of 10 years, because these records would become critical in defending a False Claims Act prosecution.
PROFESSIONAL LIABILITY INSURANCE PROVISIONS
Providers should review their malpractice insurance policies. Insurers may have specific record retention requirements for conversion to EHR. If your insurance contains a provision that requires records to be kept for longer or in a different format than what is required under other guidelines, the insurance terms will need to be incorporated into your office policy.
NETWORK PROVIDER AGREEMENTS – MANAGED CARE
Providers should also review their managed care agreements to determine whether the agreements require a specific duration or format of record retention. Office policy should conform to the most stringent of the participating provider agreements.
LITIGATION – LAWS REGARDING DESTRUCTION OF EVIDENCE.
Of course, parties to ongoing litigation have a duty not to destroy evidence in the case. However, state and federal courts have recognized that parties may have a duty to preserve potentially relevant evidence before the commencement of a lawsuit if it is reasonably foreseeable that a lawsuit will be filed. Therefore, physicians who know that a case may be filed again them should take steps to preserve the relevant records, even when the records may be scheduled for destruction under the office’s established retention policy. If the physician has no notice of possible litigation, records may be destroyed according to the practice’s usual policy.
In consideration of the above laws, the ICS’ general recommendation for minimum record retention is 10 years from the date of the last encounter for adult patients. For children, the recommendation is 10 years from the date of the last encounter, or when the child reaches 22 years of age, whichever is longer. This standard accommodates the medical malpractice statutes of limitation and exceeds the requirement in the HIPAA Rules. Of course, this is a general recommendation and may be superseded by some of the other factors discussed above.
Here is a video that covers this subject. As to disposing of records, they must be destroyed to the point of nonrecognition, including the very name of the patient, to protect patient confidentiality under both state and federal standards. Since most municipalities no longer allow the burning of materials in backyard incinerators, the usual and prudent practice is shredding. If the project is too big for staff, many larger cities have commercial shredding services that guarantee confidentiality but note that any health care entity covered by HIPAA must require the shredding service to sign a business associate agreement that requires the service to safeguard protected health information.