Patient record retention: Tips for compliance and protection

Sometimes, electronic health record (EHR) systems fail to live up to their full potential as tools to assist with patient care. The same can be said for their promise to ease patient record storage, retention and retrieval.

Although electronic records are easier than paper to store and search, they still present an array of technical, legal and regulatory issues. Consultants and attorneys say that working through these issues proactively can alleviate records-related headaches, especially during practice transitions, such as a change in ownership or EHR vendor.

When developing a records retention policy, one of the first hurdles practices may encounter is that retention laws vary from state to state. Many state medical societies have thorough online guidelines explaining state laws about medical record ownership and retention, such as this one from the Michigan State Medical Society.

Other states may offer less guidance or have no clear law at all. “Here in North Carolina, we don’t have a specific records retention law for physician practices,” says Heather Cook Skelton, an attorney with Gardner Skelton, a Charlotte, N.C.-based law practice dedicated to helping healthcare providers and their medical practices. But, she says, practices can look to other sources, such as the guidelines within HIPAA, payer contracts and federal programs governed by the Centers for Medicare & Medicaid Services (CMS). Medicare Advantage contracts usually require the longest retention period. Often, it is 10 years after the end of the contract.

“It would be nice to have one rule that is consistent across all the regulators, payer contracts and state and federal government,” she says. “I also recommend that clients contact their malpractice carrier for record retention advice, because they are going to be the ones in a position to defend you in case of a lawsuit.” Attorney recommendations may depend on the statute of limitations on medical malpractice.

Another thorny issue to contend with is how to deal with pediatric records in EHRs. Again, state laws vary. The American Academy of Pediatrics (AAP) recommends that, at a minimum, pediatric records should be retained for 10 years or the age of majority plus the applicable state statute of limitations (time to file a lawsuit), whichever is longer. In some states, the statute of limitations does not start until the patient turns 18.

As a recent AAP publication describes, “adolescent privacy and/or confidentiality is a special case of the limited segmenting of functionality capabilities in EHRs that is compounded by variations in state laws regarding adolescent health records.” But practices may find it difficult to comply with state requirements and professional recommendations for adolescent privacy because of federal rules for disclosure. “For example, a portion of care may be protected by law as confidential for which the patient consents independently, but other aspects of care may not be protected, turning a simple routine visit into a potential series of confidentiality challenges,” the report notes.

Partnership transitions

The additional legal issues around medical partnership creation and dissolution can also impact patient records - and be a potential landmine. If one doctor is leaving a partnership after the partners had shared one EHR system, there is a high probability the records are comingled because the physicians have covered each other’s patients.

“There is no easy way to surgically remove only the records that apply to the one doctor,” says Jeffery Daigrepont, senior vice president of the Coker Group, an Atlanta-based consulting firm that works with physician practices and hospitals.

He says one practice manager he consults with is living through a “records nightmare” as two equal partners are dissolving their partnership. “Neither one wanted the other to have a full copy of the EHR database,” he explains. “They had comingled all their records. We told them they both owned the business, so they are both responsible for the recordkeeping. A judge got involved and said each was entitled to a full copy of the data even if it means each was getting a copy of the other physician’s records.”

James A. Ellzy, MD, a family physician in Washington, D.C., and a member of the board of directors of the American Academy of Family Physicians, recommends that when forming a practice agreement, decisions be made up front about whether patients belong to the practice or to the individual physician and how their records will be divided should the practice split up.

“If I am closing my practice, let’s say there is a requirement that those records be available in my state for five years,” Ellzy says. “I would contact my patients to inform them I am closing the practice and to see if there is somewhere they want me to forward their records. I would also explain that I am required to keep their records for five years. If I am in a practice of four physicians, I could have an agreement with the other three that they would become custodians of those records.”

Likewise, Cook Skelton says that if two practices are merging, how records are going to be handled should be contemplated as part of the merger talks. The discussion should include whose platform they are going to be using after the merger and how they are going to transition the records. If they are using two different EHR vendors, the data migration can be complex and costly, she adds.

Working with EHR vendors

Cloud-based EHRs are popular because they are easy to set up quickly and upgrades happen almost automatically. But they also mean that patient records are not on a server in your office. Rather, the vendor hosts them off-site. Cook Skelton often helps practices assess contracts with EHR vendors, particularly regarding language about accessing their records if they decide to switch vendors.

“You have to make sure that your EHR vendor is going to be cooperative if you decide to switch,” she says. “The current vendor is going to be unhappy you are leaving and may not want to make it easy for you to leave. We make sure there is language in the contract about making that transition a smooth one. There is case law that involves disputes where EHR vendors have held data hostage, which is totally inappropriate, and medical boards do not take kindly to that because the EHR vendor is compromising patient care.”

Most people will agree that practices have a right to their data, Daigrepont says. But what is it going to cost you to get access to it, how long is it going to take and what format are you going to get it in? He says he has seen it cost as much as $20,000 for practices to get their data from a cloud-based EHR vendor.

“If they give you your data in PDFs, that is not meaningful in a data migration,” he says. “Never assume when a vendor says it is your data that they will give you your data in the right format and at a reasonable cost. Also, if you wait until you are ready to terminate your contract with them, that is the point you have virtually zero leverage left. The vendor may see this as an opportunity to poke you in the eye on the way out.”

Daigrepont recommends getting a weekly or monthly backup of your data from the EHR vendor. There are several reasons to have a backup, including disaster recovery. The vendor may charge extra for it, but if the cost is reasonable, you might decide to do it on a quarterly basis, he adds.

Important decisions also need to be made when practices transition from paper records to EHRs for the first time. When Ellzy’s practice went digital, they opted not to scan all the paper records into the EHR. Instead, they made the first patient visit a longer visit to incorporate their history into the EHR and had paper records available for referral.

“After that, you found you were using the EHR for 95 percent of what you were doing and only had to go back to the paper record for lab values occasionally,” he says. If you decide to scan the documents into PDF format and they are not easily searchable, then trying to find anything is like finding a needle in a haystack, he adds.

Practices also can expect significant changes to regulations concerning how they respond to patient requests for records in terms of timeliness, charges and format. Some practices have already had to change their methodologies for charging patients for copies of their records to comply with recent Health and Human Services Office for Civil Rights (OCR) HIPAA guidances. Although not required to purchase new software or equipment in order to accommodate every possible individual request, practices currently must have the capability to provide patients an electronic copy of their protected health information.

Related: Failure to provide patient records can result in a HIPAA fine

The Office of the National Coordinator for Health IT is proposing to require that EHR vendors be able to export granular data from patient records in a standardized format using application programming interfaces (APIs), which is an enormous change in the industry, says Robert Tennant, director of health information technology policy for the Medical Group Management Association (MGMA). CMS’s MyHealthEData initiative aims to allow patients to receive copies of their entire record in the EHR and share their health data with anyone they choose.

“That is potentially a game changer for practices,” Tennant says.

While the proposed ideas on how to handle electronic patient records are still in flux, Tennant and others say they see significant changes coming. Practices would be wise to ask their EHR vendors the hard questions about data protection sooner rather than later. Physician practices that initiate conversations with EHR vendors, IT and managed service providers now will be ready to make informed business decisions about records retention and patient health data access when the time comes.

David Raths is a freelance technology writer based in Philadelphia.