Record Keeping 101

May 1, 2004

How to develop a formal document retention policy and what is required

Is the mountain of paper in your office growing out of control? Do you spend more and more time trying to scale that mountain to locate documents?

It would be nice to get rid of some of that paper, but how do you know what to keep on-site, what to store off-site, and what to throw away? Maybe it's time to review the basics of document retention. Developing a formal document retention policy for your practice -- and following it -- can help you sort through and manage the stacks of paper.

Begin by segregating office records into three basic categories: patient records (including HIPAA records), business records, and human resource-related records.

Storing patient records

Physicians have an obligation to retain medical records that may reasonably be of value to patients (Section E-7.05, Code of Ethics, American Medical Association). While this duty may not be legally binding for physicians, it strongly suggests that medical records should not be randomly disposed of.

Many factors go into determining which patient records to retain and which ones to toss. Many states have no requirements regarding storage of patient records, but to be safe, check with your state's medical licensing board. Your state medical society also may be able to guide you.

Next, consider the malpractice implications of record storage. Patient records are the written proof of your medical care and, thus, the best defense in any malpractice or other legal or administrative actions filed against you or your practice. At a minimum, store patient records for at least the duration of your state's statute of limitations.

If your state extends the statute of limitations for minors and persons who are incompetent, then you may need to permanently retain those records. Also, determine whether or not your state follows the "discovery rule" for filing malpractice cases. In states that follow this rule, the statute of limitations for plaintiffs to take action begins when they knew or should have known of the alleged malpractice. That rule extends even further the length of time that you must retain patient records.

Hang onto any records related to legal actions in which you have been named as a defendant or in which you think you may be called as a witness. Keep those records until the conclusion of the case and all applicable appeals have been exhausted.

Don't overlook other legal obligations regarding patient record retention. Medicare records must be maintained for a minimum of four years. Depending on the type of patient, Medicare may require an even longer retention period. Review your applicable third-party payer agreements to see what your contractual obligations are to maintain records of their insured patients.

HIPAA rules for records

HIPAA, of course, also impacts your record-keeping decisions. Patients who feel they have been subjected to a HIPAA violation can file complaints with the Office of Civil Rights (OCR). Generally, patients have 180 days from when they knew or should have known that a violation of HIPAA occurred to file the complaint with OCR.

OCR has the ability to extend this vague time frame with "good cause," and may pursue the action against your practice for up to six years. Prudence suggests that you retain patient records, documents related to uses and disclosures of HIPAA information, and other HIPAA-related documents for at least six years. Save copies of all patients' requests to amend their medical records and your responses to their requests for at least six years.

Don't toss business files

Record keeping doesn't stop at patient records. In sorting through your filing cabinets, think twice before discarding business records. Make sure to save all tax returns, as well as all supporting documentation for those tax returns for a minimum of six years.


Most people agree that seven years is a good rule of thumb for saving tax returns and supporting documentation. Unfortunately, this means that you must save every receipt that substantiates your business deductions for this length of time (e.g., original acquisition information, depreciation information, substantiation of the business use of your automobile, and so on).

Recognize that the IRS can start a criminal prosecution against you within six years of the occurrence of certain events including, but not limited to, alleged tax fraud, willful failure to pay tax, and tax evasion. The IRS also has up to 10 years after a tax is assessed against you to collect the tax, so proper retention of these records is vital.

If your practice is incorporated or a limited liability corporation, save your corporate records indefinitely. Ideally, your practice's attorney will keep these records in your corporate minute book. These records should not be destroyed until your legal entity has been formally dissolved by your state, plus the state's statute of limitations beyond the dissolution of the legal entity.

If your practice has any loans, save copies of the original loan agreements and all supporting documentation regarding the loans for at least the duration of the loan plus the applicable statute of limitations. After a loan is paid off, keep a copy of the loan payoff notice to ease record keeping. Also, verify with the applicable financial institution or finance company that they extinguish all of their applicable security interests after you fully satisfy the terms of the loan.

Store the practice's insurance policies indefinitely. Make sure your insurance company's contact information is easily accessible should you need to file a claim under these policies.

Retention times vary

Perhaps the most challenging burden of all is determining how long to keep human resource records. The amount of time you are required to retain human resource-related records depends on the law involved.

Under the Fair Labor Standards Act (FLSA), employers must retain detailed payroll records for at least three years after the employee's last payroll entry. Employers also must retain for at least three years records relating to "exempt" employees. This precaution can help you prove that an employee was correctly classified as an exempt employee as opposed to a nonexempt employee. Note that employers are required to maintain for at least two years any time cards, wage-rate tables, work-time schedules, and documentation of additions to or deductions from employee wages.

The Equal Pay Act of the FLSA requires you to retain for at least two years' worth of records relating to payment of wages, job evaluations, job descriptions, and any other pay or bonus systems. This information will be needed if your practice should ever have to show that it did not discriminate in wages on the basis of sex.

Note the difference in retention requirements between the Equal Pay Act and the Age Discrimination in Employment Act (ADEA). Under the ADEA, employers are required to maintain job applications and other personnel-related records for at least one year after the date of the personnel action to which the records relate. This also includes keeping a copy of the advertisements or notices related to employment opportunities with your practice, including new positions, promotions, additional work opportunities, and the like.

If the Family and Medical Leave Act (FMLA) applies to your practice, you are obligated to maintain all FMLA-related information for at least three years. This would include such items as a copy of your practice's FMLA policy as well as payroll and benefits information for each employee, dates of FMLA leave for each employee, and all written correspondence relating to FMLA leave.

Employers are required to withhold income tax on behalf of employees. Records relating to income tax withholding should be retained for a minimum of four years after the occurrence of whichever occurs later: the date the employer pays the withholding tax or the date the tax is due.

Employers are also required to have each employee complete an INS form I-9 to verify employment eligibility. Employers must keep an employee's completed I-9 form for three years after the employee's date of hire or one year after the date of termination, whichever occurs later.

Due to the great disparity in record-keeping requirements under the various applicable rules, you would be wise to institute a blanket record retention policy requiring maintenance of all human resource records covered under the laws mentioned above for a minimum period of five to seven years. Check first with your state's laws to see if they require even longer retention periods.

Keep records secure


Proper storage of all records is essential to your practice. While it may be tempting to store old records in a local self-storage unit, recognize that those units may not be sufficiently secure, thereby jeopardizing your safe maintenance of records.

Also consider that the rental agreement with the self-storage facility likely contains a clause permitting the owner of the company to sell or dispose of the contents of your storage unit if your payment is late. It does not take much to imagine the serious liability and HIPAA issues in such an event. For this reason, medical records should never be stored in a self-storage unit. Avoid the temptation to store important records (including patient records) in your basement or attic. A better choice for storage is a document storage and retrieval company.

When disposing of records, make sure you do it properly. Never throw out business records with your regular refuse. Invest in one or more high-quality crosscut paper shredders or hire a company to properly destroy your documents. Failure to properly destroy your discarded records may lead to embarrassment and liability. More than a few medical providers have been embarrassed by reports in their local media when patients' records were found at a landfill, in a dumpster, or otherwise improperly disposed of. The Internet has spawned numerous Web sites devoted to "dumpster divers," some of whom post copies of documents they have retrieved from dumpsters.

Be careful when disposing of old computers and electronic storage media -- readily available software makes it easy to restore supposedly deleted electronic files.

A written policy for all employees to follow regarding the proper storage and destruction of records will hopefully minimize your practice's liability and improve your office's efficiency. Because of the wide variety of retention schedules for different types of records, and the legal implications for disposing of records improperly, or too soon, it's a good idea to consult with your attorney for further guidance.

Joan M. Roediger, JD, LLM, is a partner with Obermayer Rebmann Maxwell & Hippel LLP, of Philadelphia. As a member of the firm's health law department, her practice is focused on advising physician practices on legal and regulatory issues, including hiring new doctors, buy-in and buy-out arrangements, income division, practice sales, physician termination, fraud and abuse, HIPAA, and other issues. Ms. Roediger is a nationally recognized speaker on practice management-related issues. She can be contacted at (215)665-3216 or via email at joan.roediger@obermayer.com or editor@physicianspractice.com.

This article originally appeared in the May 2004 issue of Physicians Practice.