Lynn Boyes, RHIT
Health Information Management Director,
HIPAA Privacy Officer
7010 S. Yale Ave | Tulsa, OK 74136 firstname.lastname@example.org | 918.236.4135
Hope this helps!
Over time and with the implementation of EHRs, some providers have been retaining information longer than state law or HIPAA and federal mandates require to meet other goals, like research and clinical trials mentioned above, where having a lengthy patient history can be a major benefit. This is also true of patients who had major past or childhood diseases or traumas; for example, a neurologist can benefit from viewing MRIs, EEGs, and other scans over a lengthy period of time to review how the patient's condition has progressed over the years to address chronic, life-long conditions, such as epilepsy or multiple sclerosis.
As EHRs have advanced, it's become easier and a more viable option to permanently retain a continuity of care document (CCD) that includes critical details such as medications, allergies, and an encounter date listing when the rest of the record is purged. Some provider organizations already keep some elements, like an abstract, of the record, including a face sheet and discharge records, while destroying the rest of the PHI. At the least, providers should retain a register of births, deaths, procedures, as well as the master patient index when purging old records or systems.
Some EHR systems do include record management features that can make destruction easier, such as enabling metadata to calculate retention schedules in compliance with various variables. In an EHR, critical metadata are usually considered to be the patient ID, name, address, date of birth, and date of last visit. The retention triggers could be customized to be dependent on the date of the last visit or whatever criteria are desired – if the EHR supports that capability, or it could possibly be programmed as an add-on.
Other Retaining Issues to Consider --> Will you retain and capture the EHR metadata? Will you retain any alternate media, logs, or records from other facilities?
Also of significant importance is the May 2019 decision on Cochise Consultancy Inc. v. United States, ex rel. Hunt that impacted medical record retention law and changed how long provider organizations and offices might want to keep medical records (beyond state/HIPAA statutory requirements). Last year's decision in the Cochise case set a new medical record retention standard for how long providers should keep patient records --> 10 years. For providers, the Cochise medical record retention standard means that providers/organizations may be vulnerable to FCA claims for up to ten years after an alleged violation.
The decision info on that case is here --> https://www.natlawreview.com/article/unanimous-supreme-court-ruling-expands-statute-limitations-filing-qui-tam-cases
Records should only be 'automatically' and fully purged from an EHR after review of the chances for pending or future litigation, a government investigation, audits, expanding quality reporting programs, population health efforts, precision medicine, and other concerns. (Example: Would a provider want to delete the results of a patient's genetic profile, just because it was done eight years ago, or past whatever the retention schedule indicated, and then have to repeat the genetic testing because the results were gone? A brain surgeon who implants an aneurysm clip in a patient's brain is another example of a medical record that it would be beneficial to maintain for a lengthy period of time, so that the alloys used in the clip will be on file to determine safety of future MRIs or other brain scans and diagnostics for the patient.)
Unfortunately, providers and HIM professionals seeking a simple, one-size-fits-all answer to the question of record retention will be frustrated because a single, common/universal record retention schedule just doesn't exist. There are so many factors that must be taken into consideration, not to mention different systems, and there are a lot of best practices and recommendations that you can review, but, ultimately, a provider's risk management and legal counsel at their facility should draft its own definitions. Every provider's situation could be unique depending on the EHR system, practice setting, state laws, payor contracts, and potentially other reporting programs, and activities like MA/ACO program participation, who are required to keep their records ten years.

When medical records are destroyed (or de-identified or converted to CCD subset), a PHI Destruction/Archival Log should ideally also be maintained, containing the information destroyed or archived, when, how, and who did it, along with a witness, so that proof of the destruction or archival is readily available. If you are using an external destruction service, I would recommend looking for one that is NAID-certified to ensure that guidelines are followed, although this shouldn't be an issue with EHR data.