How long should I keep my records?
Neither the Illinois Medical Practice Act nor the Rules specify the number of years that office medical records must be retained. However, other laws, including statutes of limitation on medical malpractice and personal injury claims, may be used as guidelines for record retention. A physician should consider these laws in formulating a policy that is tailored to the needs of the individual practice.
An important factor to consider in developing a retention policy is protection against malpractice suits. A practitioner should retain records for a period that would cover the longest possible statute of limitations for medical malpractice. The Illinois statutes of limitation now impose a malpractice case deadline of 2 years from when the malpractice is discovered, but in no event no longer than 4 years from the date of the wrongdoing, in a case involving an adult. In the case of a child, the case must be filed within 8 years from the date of the wrongdoing, but not later than when the child reaches age 22.
Other Laws to Consider
Other laws to be considered include the statute of limitations for ordinary personal injury claims. In Illinois, that deadline is two years from the date of injury for an adult, or, in the case of a minor, two years after his or her 18th birthday. The Rules for the Health Insurance Portability and Accountability Act (“HIPAA”) require that records of disclosures be maintained for 6 years. Hospitals are required to maintain x-rays for 5 years and patient records for 10 years from the last patient encounter.
In consideration of the above laws, the ICS’ general recommendation for record retention is 10 years from the date of the last encounter for adult patients. For children, the recommendation is 10 years from the date of the last encounter, or when the child reaches 22 years of age, whichever is longer. This standard accommodates the medical malpractice statutes of limitation and exceeds the requirement in the HIPAA Rules.
As to disposing of records, they must be destroyed to the point of nonrecognition, including the very name of the patient, to protect patient confidentiality under both state and federal standards. Since most municipalities no longer allow the burning of materials in backyard incinerators, the usual and prudent practice is shredding. If the project is too big for staff, many larger cities have commercial shredding services that guarantee confidentiality but note that any health care entity covered by HIPAA must require the shredding service to sign a business associate agreement that requires the service to safeguard protected health information.