Federal law typically requires the retention of medical records for five years. In contrast, states tend to mandate longer retention periods that average seven to ten years after a patient’s most recent visit. However, there are exceptions, such as Massachusetts, which requires the retention of medical records for at least twenty years. Mississippi is another exception, which requires different retention periods based on the type of patient, but mandates the destruction of certain medical records after twenty-eight years.

Nuances in state law may also require specific retention methods or impose additional requirements for certain healthcare entities. For example, Alabama requires hospitals to retain records for five years, but only requires physicians to retain medical records for as long as necessary to treat the patient. Similarly, Minnesota has a stringent requirement that requires hospitals to digitize medical records and retain them permanently, but allows nursing homes to forego the conversion and delete records after five years.

Although state law tends to mandate longer retention periods for medical records, federal law has more stringent requirements for medical records related to specialized services and treatments. These regulations may expand the scope of medical records, mandate longer retention periods, or identify different retention triggers not required by state laws.

For example, consider the distinct record requirements for medical imaging or dialysis services. Federal regulations require healthcare entities that perform mammography services to retain all film and reports for no less than ten years. Healthcare entities that perform dialysis services must centralize all clinical information in the patient medical record and retain it for at least six years after the patient’s discharge, transfer, or death.

There are also specific retention requirements imposed on healthcare entities that perform outpatient services, such as rehabilitation facilities and home health agencies. For instance, outpatient rehab facilities must retain medical records for five years from the date of a patient’s discharge, and the regulations dictate very specific content that must be retained as part of the record. Home health agencies must retain medical records for five years as well, but the retention period does not begin until the agency files the cost report related to the patient.

Finally, federal regulations allow government agencies to audit certain types of records maintained by a healthcare entity. Where you have knowledge of industry practices, such as government audits, you should account for the frequency and scope of the practices when determining appropriate retention requirements.

Accrediting agencies add an additional layer to the complexity. These agencies generally don’t mandate specific retention requirements, but they do require healthcare entities to have records readily available for surveyor review, and impose specific requirements on the types of records you must retain.

The Joint Commission, for example, allows healthcare entities to retain records in accordance with state and federal law, but requires entities to have records available dating back to the last full survey. Similarly, Det Norske Veritas requires the retention of receipt and disposition records for radiopharmaceuticals, but does not identify a retention period.

Since a deficiency can lead to a corrective action plan or worse, it is important to incorporate the accreditation standards into your retention policy alongside state and federal regulations.

Because of the competing retention requirements, healthcare entities often retain medical records permanently. But this is not an ideal or long-term solution. Permanent retention increases storage costs, is inefficient to manage, and exposes entities to heightened risks of data breaches. Instead, healthcare entities can benefit from a functional records retention schedule that allows for the disposal of medical records at specific intervals. A critical part of this task is to analyze the competing retention requirements and identify a retention baseline that walks the fine line between under- and over- retention of medical records.

Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.

The post Solving the Medical Records Puzzle: Identifying Retention Requirements appeared first on Zasio.

The Office of Inspector General (OIG) has broad authority to exclude a healthcare organization from participating in federal healthcare programs (e.g. Medicare, Medicaid). Although exclusions commonly arise from violations of the False Claims Act and Anti-Kickback Statute, there are many other violations that could lead to a permissive exclusion. For instance, the OIG can request immediate access to inspect and copy certain records, and can exclude a healthcare entity for failure to produce the demanded records.[1]

The OIG can demand immediate access to records and data in any medium to ensure compliance with federal healthcare program requirements. You may have to produce records within twenty-four hours from receipt of the OIG request, or sooner if the OIG believes the records are at risk of being altered or destroyed. If you can’t produce the requested records, the OIG can immediately exclude you from participating in federal healthcare programs for at least ninety days.[2]

If you cannot produce the records within the time allotted, you can provide a compelling reason for the delay. However, the OIG decides whether a reason for the delay is truly compelling. The regulations are not clear on what a “compelling reason” is, and responses to comments during the rulemaking process provide only limited context. Fortunately, it appears the OIG does not exclude entities that inadvertently fail to provide access to requested records (e.g. because of a clerical error). However, the OIG is also the sole authority that decides whether a failure to produce records is truly inadvertent.[3]

Because the OIG can request immediate access to records, it’s important to be proactive and maintain a current inventory of the types of records relevant to participation in federal healthcare programs. One way you can prepare to respond to a demand for records on short notice is to create a data map that identifies how records are used, stored, and accessed. You can use the data map to identify relevant records, and determine how you would access and produce those records on short notice. This should help you identify and evaluate any pain points that might arise if you do receive a demand from the OIG.

If you do not already have a data map, consider the following tips as you gauge the accessibility of records:

• Format & Location – Determine the type of media used to store relevant records and identify where records are maintained. For example, clinic billing records may be maintained by each clinic, whereas hospital billing records could be maintained by shared services in the corporate operations center.
• Archives – Ensure archived records are easy to retrieve. If records are stored offsite, determine whether storage boxes sufficiently describe the content of the records. Further, determine whether you can locate, copy, and deliver relevant records to the appropriate facility within twenty-four hours. With respect to electronic or digital records, appoint specific users with access and expertise to quickly find and retrieve archived records.
• Business Associates – Determine whether any records are primarily maintained or stored by business associates (e.g. a remote coding vendor). If so, maintain a list of primary contacts for all business associates, and ensure the Business Associate can produce the records within twenty-four hours. Ideally, this should be a condition of the Business Associate Agreement.
• Unnecessary Records – Determine whether there are redundant, obsolete, and/or trivial records that could delay the production of relevant records. For example, if multiple versions of the relevant records exist, you may need to produce all versions of the same record, rather than the most recently updated version. Destroy unnecessary records in accordance with applicable laws and the organization’s retention schedule to help eliminate unnecessary records.
• User Access – Determine whether any records are only accessible by certain individuals in the organization. If so, create an action plan to contact these individuals on short notice and grant access to backup personnel in case the primary contact is unavailable.

If possible, source and implement one technology solution to track all physical and electronic records across multiple locations. Also consider hiring experts to help create custom retention and destruction procedures customized to how your organization creates and uses records. If a technology solution is not an option for your organization, use the guidelines above. Be sure to take extra care to establish a records management plan that enables you to meet the requirements of federally funded programs. At the very least, map the location and accessibility of records to craft a strategy to respond to a demand to produce records.

[1] 42 CFR § 1001.1301(a)(1)(iii). The OIG may exclude any individual or organization that fails to grant immediate access upon reasonable request to . . . the OIG for reviewing records, documents, and other material or data in any medium (including electronically stores information and any tangible thing) necessary to the OIG’s statutory functions

[2] 42 CFR § 1001.1301(a)(3). See definition of Failure to grant immediate access.

[3] 82 FR 4107 accessed at https://www.federalregister.gov/d/2016-31390/page-4107

Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.

The post Poor Records Management May Lead to OIG Exclusions appeared first on Zasio.