How to craft an effective record retention policy
As healthcare organizations create and manage vast quantities of electronic data from various sources, record retention has become an increasingly vital and challenging aspect of information governance. Providers are pressed to make tough decisions—what to keep, what to destroy, and how to retain or archive information in a cost-effective manner.
Many uphold the idea that storage is cheap—why not keep records forever? However, a “keep everything” approach is not a practical long-term plan.
In a recent Health Data Management article, Enabling Information Governance: The Importance of Retention Policy and Management, Greg Slabodkin, managing editor, states, “Unfortunately, healthcare professionals often struggle with their records retention schedule, and that’s why organizations tend to have a ‘keep everything’ culture, exposing themselves to increased cost and legal risk. In addition, they maintain policies and retention schedules with manual time-intensive processes and piecemeal spreadsheets, which puts them at risk of noncompliance.”
Meeting compliance includes ensuring the ability to retrieve and access any information that is retained, regardless of storage format. Linda Kloss, author of Implementing Health Information Governance: Lessons from the Field, emphasizes the importance of establishing retention and disposition practices: “A comprehensive retention schedule that applies to all types and formats of information is a fundamental requirement for sound governance and management of information content, records and databases.”
Retention guidelines can help organizations avoid legal liability, compliance risk, legacy application fees and storage costs. An effective plan should cover:
- Legacy medical records, EHRs and other health data
- Operational and business records (paper and electronic)
- Information from technologies such as email, SharePoint and cloud storage
In addition, guidelines must ensure accountability by the governing body responsible for implementing retention practices.
Every state has different retention and disposition guidelines. Adding to the complexity, guidelines often vary by provider type—private clinics, physician practices, hospitals, governmental facilities and more. In any case, providers must understand federal and state requirements along with standards imposed by agencies such as The Joint Commission and the Centers for Medicare and Medicaid Services (CMS). When guidelines vary, always follow the most stringent requirements.
CMS requires records of providers submitting cost reports to be retained in their original or legally reproduced form for a period of at least five years after the closure of the cost report, while requiring managed care program providers to retain records for 10 years. Now CMS is proposing a “big bucket approach” to records scheduling and disposition, which includes nine specific buckets or categories of records). For example, Bucket 1 (Leadership and Operations Records) has been approved by the National Archives and Records Association (NARA) and provides a schedule for those records.
A sample comparison among federal, state, and accreditation requirements and AHIMA recommendation is shown below. The more restrictive requirement is highlighted.
Federal requirement: Hospitals: five years. Conditions of Participation 42 CFR 482.24(b)(1)
State requirement: Healthcare facilities must retain medical records for a minimum of five years beyond the date the patient was last seen or a minimum of three years beyond the date of the patient's death. Oklahoma Dept. of Health Reg. Ch. 13, Section 13.13A
Accreditation requirement: Joint Commission RC.01.05.01: The hospital retains its medical records. The retention time of the original or legally reproduced medical record is determined by its use and hospital policy, in accordance with law and regulation.
AHIMA recommendation: Patient health and medical records (adults): 10 years after the most recent encounter.
Health Information & the Law provides a comparative map (updated as of Jan. 27, 2016) showing medical record retention requirements applicable to healthcare providers in all 50 states and the District of Columbia. Based on state laws, the map categorizes states by the minimum length of time providers must retain records. Some states have different time limits that apply to certain types of providers and/or certain patients.
As an example of variations by state, the following retention guidelines (CCR 1011-1 Chap 04 Section 8.102) apply to hospitals in Colorado, stating that medical records shall be preserved as original records, on microfilm or electronically:
- Minors—for the period of minority plus 10 years (i.e., until the patient is age 28) or 10 years after the most recent patient usage, whichever is later
- Adults—for 10 years after the most recent patient care usage of the medical record
The state of Kansas imposes a statute that extends beyond the 10-year minimum retention guideline. For medical records that are destroyed, the statute requires maintenance of summaries that must be retained for 25 years. Each summary includes the patient’s age, name, date of birth; name of nearest relative; name of attending/consulting practitioners; any surgical procedures; and if applicable, the final diagnosis.
Adhering to various state mandates can be challenging for health systems with facilities located in different states. Knowledge of all requirements is necessary to be sure the most stringent guidelines are considered.
It’s important to note the meaning of disposition as it applies to healthcare records. According to AHIMA’s IG Principles, “Disposition includes not only destruction, but also any permanent change in custodianship of information, such as when it is transferred to another party due to a merger or acquisition of another hospital, clinic or physician practice or when an organization discontinues a practice, service or other business.”
Sometimes disposition is in fact the destruction of information, which requires secure, complete and proper certification of the process. In some cases, records may be transferred to patients when a healthcare provider terminates services. Or, records may be moved to different media, which may require disposition of the previous media. In all cases, according to AHIMA, the organization should document its disposition process.
Deleting electronic data can be difficult. The process involves much more than pressing the delete button or “turning off” a legacy system. Many older document management systems didn’t have the capability to properly delete data, leading some organizations to impose a moratorium on destruction in the absence of proper procedures.
Although big data solutions are providing alternatives for the retention of electronic records, determining what information to keep from legacy systems, where to move it, and how to manage it in a cost-effective manner can be daunting. A multidisciplinary team approach is critical for proactive planning as organizations convert to new systems.
Many providers are having difficulty following retention guidelines. In some cases, the policy may be so vague that it’s not meaningful. The first step toward an effective strategy is to reinforce the importance of a retention policy as part of an enterprise IG structure. A retention schedule set in a silo simply will not work. Here are key questions to consider:
- Does your organization have a retention policy/schedule?
- If so, is it current and properly documented?
- Have you analyzed all requirements (laws, regulations) that affect your organization?
- Are you following the most restrictive guidelines?
- Do you have an oversight committee?
- Are you familiar with established IG guidance?
As your organization evaluates progress toward establishing a retention program, here are steps to get started or improve current practices:
Build a multidisciplinary team. Include representatives from all departments to develop retention policies and procedures—HIM, IT, clinical, compliance, legal, financial, privacy and security—with support from senior leadership to ensure accountability. Assign responsibilities for overall management including proper storage, retrieval, access and disposition.
Determine specific requirements for various types of records. In addition to the patient health record, consider other types of data and information including financial, human resources, credentialing, email and other electronic files. When guidelines vary by state, agency or other regulatory entity, adhere to the most stringent policy.
Conduct internal audits. Routine audits support efforts to ensure retention and destruction policies are being followed. This practice also targets guidelines that need to be modified or strengthened as systems are replaced.
Provide ongoing training and education. Train staff at all levels on the importance of establishing and understanding retention policy, and following a retention schedule. Conduct periodic training aligned with updates to all federal, state and accreditation requirements that affect your organization. Make sure internal policies and procedures are kept current.
Implementing retention practices based on sound governance can help your organization avoid liability risk, reduce costs, decrease inefficiencies and ensure overall data integrity—healthcare’s greatest asset in today’s value-based world.