HIPAA stands for Health Insurance Portability & Accountability Act. This act came into picture in 1996. Its administrative rules simply require a covered entity like physician billing Medicare to retain required documentations from the date of its creation or the date when it was last in effect. Each state has their own requirement regarding the retention of medical records in its laws. HIPAA doesn’t apply to old records as far as medical records are on old papers.
Although, HIPPA privacy regulations apply to electronically stored and transmitted electronically. In-fact HIPAA covers all patient records, regardless of their nature.
While the HIPAA Privacy Rule does not include medical record retention requirements, it does require that covered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy of medical records and other protected health information (PHI) for whatever period such information is maintained by a covered entity, including through disposal.
The Centres for Medicare & Medicaid Services (CMS) requires records of providers submitting cost reports to be retained in their original or legally reproduced form for a period of at least 5 years after the closure of the cost report.
Providers/suppliers should maintain a medical record for each Medicare beneficiary that is their patient. Remember that medical records must be accurately written, promptly completed, accessible, properly filed and retained. Using a system of author identification and record maintenance that ensures the integrity of the authentication and protects the security of all record entries is a good practice.
The Medicare program does not have requirements for the media formats for medical records. However, the medical record needs to be in its original form or in a legally reproduced form, which may be electronic, so that medical records may be reviewed and audited by authorized entities. Providers must have a medical record system that ensures that the record may be accessed and retrieved promptly.
Providers may want to obtain legal advice concerning record retention after these time periods and medical document format. CMS is currently engaged in a multi-year project to offer incentives to eligible providers that meaningfully use certified electronic health records (EHRs).
In close coordination with this incentive program, the Office of the National Coordinator for Health IT (ONC) has developed the initial set of standards and certification requirements for EHRs in order to promote health information exchange and interoperability. You may be eligible to receive incentive payments to assist in implementing certified EHR technology systems.
Although HIPAA does not lay down any retention requirement for medical records, but there is a retention period requirement for other HIPAA-related data. CFR §164.316(b)(2)(i) specify that covered entities or business associates must retain the documents for at least 6 years from when the document was created, or from when it was last in effect.