Breaking medical records retention and destruction rules means big-time financial penalties — up to $50,000 per violation.
And while you generally recognize the most common forms of protected health information (PHI), such as patient names and addresses, you may be surprised by how many types of patient information are subject to medical records retention and destruction laws and fines.
That’s dangerous, because not only will your practice suffer financially if you violate medical record retention and destruction laws, but those violations could also make your practice the subject of additional HIPAA audits and investigations.
What Are Examples of PHI?
Here’s a list of often overlooked pieces of protected patient information that you need to keep according to HIPAA and state medical record retention and destruction laws:
Social Security Numbers: Of course, you never want anyone’s SSN to fall into the wrong hands — identity theft is a constant worry — but patient SSNs count as PHI.
Credit Card Numbers: Misplacing a patient’s payment information can result in credit card fraud or their information ending up for sale on the dark web to the highest bidder. But credit card numbers are also PHI, and you can get in trouble for destroying patient credit card numbers prematurely.
Vehicle Identifiers: Because vehicle information, including license plate numbers, can be tied to an individual, it is considered PHI.
Surveillance Camera Footage: You can install security cameras in areas that are considered public, like entrances, elevators, fire escapes, and hallways. However, since videos may contain identifiers like full-face images or voice recordings, the footage qualifies as PHI.
No-Show Records: A patient’s missed appointment(s) should always be documented in the patient record and retained according to HIPAA. Not only could no-show records be used as a basis for terminating a patient, but they can also protect your practice in case of malpractice accusations or poor outcomes due to patient noncompliance.
Text Messages/Video Calls: If your practice’s providers communicate with patients via methods like Skype, FaceTime, or regular text messages from their personal devices, the provider must make sufficient notes in the patient record so that the information can be properly retained or destroyed when appropriate.
Research Records: Depending on the type and area of investigation, research records may have different retention and destruction requirements than everyday patient records. For example, you must keep research records pertaining to cancer patients for 30 years, as required by the FDA.
Patient Invoices: The IRS requires that patient invoices and other financials be kept for seven years. However, you could keep them for 10 years, to be on the safe side. Why? While it’s unlikely that patient invoices would be used in a false claims investigation, it’s still possible. Providers are now vulnerable to FCA claims for up to 10 years after an alleged violation.
The above list is only a sample of what’s considered PHI according to HIPAA. While there are only 18 patient identifiers, those identifiers can include many different formats. With federal laws, state laws, court decisions, and regulations from entities like the FDA, CDC, or OSHA, figuring out what patient PHI must be retained and for how long can quickly become overwhelming.
So why not hang on to everything, indefinitely, just in case? That might be safe, but it’s rarely possible. Due to storage constraints, keeping all patient PHI forever isn’t realistic for most providers. Chances are, you must continue to properly destroy records when it’s legally appropriate to do so.