Make sure you understand your practice's legal obligations as medical records custodian.
Penalties for mismanaging medical records are steep. Punitive damages (not covered by insurance policies) and court-imposed sanctions are two of the penalties often assessed for the failure to produce a medical record at trial. Mismanagement of records or improper disclosure of protected health information (PHI) can lead to regulatory sanctions and network exclusions, and could affect licensure, accreditation, and Medicare and Medicaid reimbursement and participation. To complicate things, medical record management is governed by a myriad of laws on both the state and federal levels. Legal requirements for medical record management are not universal for all physician group practices - the rules vary depending on the type of medical practice that you operate and your practice's home state.
What is a "medical record?"
It is important to define what is included in a patient's medical record. This definition will not only determine the overall scope of the policy, but will also raise awareness among your staff of its responsibility to protect and appropriately manage all components of the patient's medical record - not just those components with which they are most familiar.
In defining "medical record" for your practice's policy, keep in mind that a "record" is any recorded information, regardless of medium or characteristics. A "medical record" includes both clinical and non-clinical information, from the patient's medical history and demographics to relevant clinical research and financial data. There is no one-size-fits-all definition, and your practice should clearly define a "medical record" as it relates to the systems in place at your individual practice.
Is the medical record stored in a secure, yet easy-to-access manner?
To protect against unauthorized access and release, your practice's medical record management policies should address the physical security of paper-based documents, electronic record system security measures, and personnel access to both electronic and paper records. Consult with your practice's legal counsel to determine whether your policies comply with state and federal laws regarding the storage and release of PHI. In doing so, make sure you and your lawyer talk about the following issues:
• Creating policies and procedures pertaining to both the on-site and off-site storage of medical records.
• Accurately labeling and storing records to aid in record retrieval and prevent improper access and/or destruction.
• Establishing functional redundancy to allow for medical record storage system back-up should the primary storage system fail.
• Entering into Business Associate Agreements with any outside vendors with whom the practice may contract to store, retrieve, and/or destroy medical records on behalf of the practice.
• Tailoring policies and procedures to address special considerations pertaining to electronic medical records (e.g., password protection and encryption, storage and protection of metadata).
How long should the medical record be retained?
Retention requirements vary by state, but a general rule is to hold records for 10 years from the date of the last visit for adult patients, and 10 years from the date the patient turns 18 for minor patients. Keep in mind that your state may place additional requirements on retention of certain records (e.g., register of deaths, advance directives, immunization records). Work with your practice's legal counsel to develop an easy-to-follow retention schedule. When possible, request a written copy of retention guidelines from medical malpractice carriers to ensure compliance.
Medical record retention policies should also take into account the increasingly aggressive government payer audit environment. The "look back" period for many government auditors appears to increase with the passage of each new piece of policy legislation and/or regulation aimed at protecting the integrity of federal health care programs. Most recently, Congress passed the American Taxpayer Relief Act of 2012, which extended the "look back" time period of the "without fault" provision of the Social Security Act (SSA) from three to five years. The "without fault" provision of the SSA establishes a presumption that a healthcare provider who has been overpaid by a federal program is "without fault" after a certain time period - previously three years. The American Taxpayer Relief Act expands the "without fault" time frame to five years. Government reimbursement auditors, such as Recovery Audit Contractors, may attempt to expand their audits from claims up to three years old to claims up to five years old. Clearly, medical record retention policies should reflect these current policy changes by requiring storage of records covering the audit "look back" period.
How is the medical record destroyed?
Your medical record management policies should address the process by which records are destroyed once they have been retained for the required period of time. Although some fully-electronic practices may attempt to permanently retain all medical records, it is wise to develop effective methods of destroying records to avoid unnecessary electronic storage and management costs. Instead of retaining the patient's complete medical record after it becomes ripe for destruction under your practice's record retention schedule, consider developing and permanently retaining a consolidated record on each patient to preserve a minimal set of patient care information (e.g., a brief summary of the patient's condition and medical history, medications/care provided, and instructions for follow-up care).
Your practice's policies and procedures should allow for medical record destruction in a manner that upholds confidentiality. Remember that deleting electronic files does not necessarily constitute destruction. Metadata and lingering backups can survive preliminary electronic deletions. Be aware of laws and regulations in your area; some states require notification of patients whose records are primed for destruction. When destroying documents, the destruction should always be documented to include (i) the date and method of destruction; (ii) a description of the disposed records; (iii) the dates covered; and (iv) a statement confirming that the records were destroyed in adherence with policies and procedures of the practice, signed by the supervising parties.
For those practices with outdated or no medical records management policies, sample policies may be found at a variety of resources; one place to start is the Medical Group Management Association's book store: "Operating Policies and Procedures Manual for Medical Practices," by Elizabeth W. Woodcock, MBA, FACMPE, CPC, and Bette A. Warn, CMPE.
If your practice's medical record management policies already address the above core concepts, you have gotten off to a good start. But your work is not complete. The above core concepts must be addressed with relatively detailed policies that not only comply with state and federal law, but allow for practical and meaningful implementation within your own practice. Even after the details are added, a physician practice should periodically review its medical record management policies to ensure that (1) the policies remain compliant with the ever-evolving regulatory rules; and (2) practice staff are adhering to the policy.
Lucien W. Roberts, III, MHA, FACMPE, is vice president of Pulse Systems, Inc., and a former practice administrator. For the past 20 years, he has worked in and consulted with physician practices in areas such as compliance, physician compensation, negotiations, strategic planning, and billing/collections. He can be reached at email@example.com.
Emily W.G. Towey, MHA, JD, is a director with the health law firm of Hancock, Daniel, Johnson & Nagle, P.C. She regularly advises physicians and other healthcare providers on federal and state regulatory compliance matters, including Medicare/Medicaid administrative appeals processes, enrollment, and certification. She may be reached at firstname.lastname@example.org.