June 18, 2012

When Is It Time to Part Ways With Medical Records?
By Lisa A. Eramo
For The Record
Vol. 24 No. 12 P. 14

Whether paper, electronic, or a combination of both, patient files must be retained. But how long to keep them is just one issue that needs to be addressed to make the process less cumbersome.

Kelly McLendon, RHIA, CHPS, president of Health Information Xperts, says when he landed his first job as an assistant medical records director for a large hospital in the late 1970s, he gained valuable insight into the advantages of retaining records beyond what state, federal, or other agencies require.

During this time, health experts had discovered that women who had taken diethylstilbestrol (DES) during their pregnancies in the 1950s had an increased risk of developing vaginal cancer.

“Twenty or 30 years later, these women started making requests for records to see if they’d had DES,” he says, adding that in many cases, the answer was yes. “We were able to pull the records off microfilm and look it up. That was really poignant for me and a big deal.”

Over time—and because of what McLendon says became a perceived increase in liability—hospitals began retaining information only as long as required to meet legal requirements. Two exceptions have always been research facilities and academic medical centers that tend to keep information longer because the data are valuable to third parties, he notes.

“Almost nobody is keeping records 20-plus years anymore,” McLendon says. “But I don’t buy the argument that you’re at less risk of civil liability if you destroy sooner. I think you’re serving the patients better by keeping more information.”

Today’s Retention Landscape
Leslie Fox, a program manager at Iron Mountain, agrees that today’s hospitals don’t tend to keep information beyond legal requirements, attributing the shift in retention policy to the adoption of more stringent privacy safeguards. When hospitals retain information indefinitely, they run the risk of exposing personal health and other information over an extended period of time, she says.

Hospitals must ensure they can maintain the integrity of the record over a potentially long period of time, Fox says. This includes making sure there are proper security and access controls in place.

However, not all experts agree that hospitals are destroying records in a timely manner. Darice M. Grzybowski, MA, RHIA, FAHIMA, founder and president of HIMentors, says even though there may be greater liability for retaining records indefinitely, the majority of hospitals continue to oversimplify—and even ignore—record retention and destruction guidelines.

“I don’t know why this doesn’t rise to the top of the priority list even faster,” she says. “Hospitals spend hundreds of thousands of dollars [on storage] instead of having someone go through and pay attention to the purging and destruction guidelines.” Grzybowski says many hospitals have very basic record retention policies and tend to adopt the out-of-sight, out-of-mind theory, much to their own detriment. “It’s a lot easier to throw it in the corner than to actually spend time sorting through things and administering policies,” she adds.

Hospitals should examine the return on investment of keeping old paper records, Grzybowski says. In particular, they should determine what percentage of records is actually ever retrieved beyond the first 10 years of retention. In most facilities, this figure will be less than 1% of record activity, she says.

Grzybowski says as hospitals migrate toward EHRs, there has been a tendency to hold onto records even longer than if the information had been paper based. “I don’t know one hospital that’s fully electronic that’s actually destroying electronic records, and they really should be. They shouldn’t be keeping records beyond retention dates because of liability, storage, and cost issues and the time it takes to handle all of that, let alone convert it as your system grows and evolves,” she says. “If you’re not doing a good job getting rid of it, you’re leaving yourself open to really high technical costs and technical complexity.”

No Easy Answers
Experts say hospitals hoping for a one-size-fits-all answer to the question of how long records should be retained will be disappointed. That’s because a single, standardized record retention schedule doesn’t exist. Thus, hospitals must follow a variety of retention requirements.

“There are a lot of sources that you can go look at but, at the end of the day, your legal counsel and your facility must come up with your own definitions. Your situation will be unique depending on the systems you have,” Grzybowski says.

Some hospitals apply a blanket retention schedule to all records based on the most stringent requirements. “This is a good way to approach it but, depending on how much you have, you might keep much more than you need to,” Grzybowski says.

In general, organizations must look at all rules and then compare them with those of their state. Ultimately, they must follow whichever rule or regulation is stricter, says Lou Ann Wiedemann, MS, RHIA, FAHIMA, CPEHR, director of professional practice at AHIMA.

It’s important to note that regulations are based on an organization’s definition of the legal health record, and they don’t distinguish between paper vs. electronic records, Fox says. This means if a facility maintains its legal health records in both paper and electronic formats as a hybrid record, then it must manage the hybrid record for the entire retention period, which adds operational complexity, she adds.

Aside from legal requirements, hospitals must also look at the value of the information from a patient care perspective. “I’ve had plenty of physicians tell me that the longer you look back at records, the more misleading or error prone the data is, and you can make mistakes,” Grzybowski says.

In some cases, old data can complicate care. “You don’t want to go back too far, not get a current history, and assume that old data is correct,” Grzybowski says. “A patient could have subsequently gone to see three different practitioners and been on three different medications, and you’re making an assumption that everything is accurate. It’s really only as accurate as the last medical encounter that you’ve had, as information could have changed or been updated. In some cases, if the data was recorded in error, there is no way to know that the information is invalid, especially if it was received from another facility.”

McLendon disagrees. “If I had an anesthesia reaction 10 years ago, I’m going to have that same anesthesia reaction today, and I want to know I had it,” he says.

Retention and Litigation
Understanding retention requirements is an obvious first step toward compliance and not something all providers have mastered, Fox says.

For example, when Newco Imaging, LLC, a state-certified breast cancer screening center in Texas, closed its doors in 2008, it neglected to address one very important question: How would it continue to provide former patients and their physicians access to records the center had created during the 3 1/2 years it was in operation?

According to inspectors with the Texas Department of State Health Services, when patients requested access to mammograms and other records after the center closed, Newco Imaging simply ignored the requests. After the Office of Attorney General got involved, the center was eventually ordered to pay civil penalties of up to $25,000 for each violation of the Texas Radiation Control Act. The center was also ordered to return and properly store former patients’ records and contact patients to let them know how they could access their information.

If hospitals are in compliance with federal and state record retention requirements, they shouldn’t be very concerned from a legal standpoint, Wiedemann says. “The organization should have a clear and concise policy that outlines the retention program and copies of any destruction notices,” she says. However, according to Wiedemann, if records are part of ongoing litigation—meaning a lawsuit was filed before the retention period expired—those records should be retained for as long as necessary to fulfill litigation requirements.

Operational Challenges
In general, retaining records—particularly paper records—for too long may be burdensome for HIM staff on multiple levels. “If an organization maintains the record, they are obligated under the HIPAA Privacy Rule to produce the record upon request, no later than 60 days,” Wiedemann says. “The danger is that as records age and personnel change, locating the records becomes a huge challenge. If you keep it, you must be able to locate it. Responding to a request simply saying the record could not be found may not be enough to meet the intent of the privacy rule.”

Retaining paper records is also labor intensive and something that can be avoided if information is destroyed according to schedule, Grzybowski says, adding that HIM staff spends a lot of time scanning information that is kept unnecessarily. Purging records is another operational burden that, when performed regularly, is at least manageable, experts say.

Typically, hospitals destroy records annually, Wiedemann says. “Each year, the organization takes stock of what records are available and determines what, if any, can be destroyed.” However, records should never be automatically purged because if there is pending litigation, a government investigation, or an audit, an organization must place a legal hold on the record pertaining to the process, Fox says. Hospitals should have a formal destruction procedure in place featuring HIM in a central role in which it identifies records to be destroyed and then passes the list to the legal department for final approval, she says.

Retention Costs
There’s no doubt that record retention is an expensive venture for any hospital. And healthcare organizations with digital records shouldn’t expect to catch any financial breaks when it comes to retaining data for longer periods, Grzybowski says. “When you’re dealing with paper, you’re dealing with space, primarily, and storage. I think it’s going to be more costly on the electronic side not so much because of the space but because of the handling and manipulation of that data, the difficulty of being able to access it from multiple systems, and the conversion of technology when you change applications or vendors,” she says.

Grzybowski was recently contacted by a large physician practice that was converting to a new computer system. It couldn’t automatically exchange data from the old system, which meant it would need to pay someone to hand abstract 44,000 records into the new technology. It isn’t difficult to imagine how these operational challenges—and inflated costs—would translate to a hospital setting, she says. “The cost is going to continue to escalate as we deal with conversion and updates on larger scales, which is why it’s so important for hospitals to purge the information regularly,” Grzybowski says.

Retention and EHRs
It’s impossible to think about retention time frames without first defining your legal health record, experts say. What’s most challenging is trying to ensure that all data are identified, retained, and then purged according to policies that adhere with state, federal, and other guidelines, McLendon says. “There isn’t a lot of case law, and there certainly isn’t a lot of regulation on it,” he says.

Wiedemann agrees: “EHRs challenge record retention because of the multiple media in which information is kept. It is difficult to determine which system can meet the legal retention requirements.”

For example, in most states, if a hospital uses a fetal monitor strip system, those records must be kept for seven years beyond the age of majority. “Can the system archive the strips for that long? What if the system is upgraded? Does the old information remain? What happens if the server crashes? Is there a second backup? All of these items should be taken into consideration,” Wiedemann says.

Hybrid records pose particular challenges because it’s easy to get overwhelmed with information stored in multiple systems, Grzybowski says. To retain hybrid records properly and in the most cost-efficient way, hospitals must first identify all documents included in the legal EHR, she says. Next, determine the source of those documents. Where do they reside? In what formats are they stored? Which individuals are responsible for overseeing them? Finally, apply all state, federal, and other retention guidelines to determine how long records must be kept.

The good news is that as hospitals move forward with EHRs, they may be able to permanently retain a continuity of care document (CCD) that includes details such as medications and allergies when the rest of the record is purged, McLendon says. “Retention can be flexed a bit going forward so that you retain some of the documentation that provides a summary of care and then dispose of the rest of it,” he says.

Some hospitals are already opting to keep an abstract of the record, including a face sheet, a discharge summary, transcribed documents, and lab results, while destroying the rest of the information, Grzybowski says.

At a minimum, hospitals should retain a register of births, deaths, and surgical procedures as well as the master patient index. “These are permanent requirements. At the very minimum, if a patient comes in 80 years later, you should be able to go back to those indices and pull out that information. It will tell you the diagnoses and any procedures a patient had done,” Grzybowski says. One caveat is that the data are stored in terms of medical codes, which change over time as codes evolve and new coding systems are introduced. “You have to have someone who can interpret these indices,” she adds.

Drafting and Following Policies
Drafting a retention policy is paramount, regardless of the retention schedule that a hospital chooses, experts say. A retention schedule should address all data in the legal health record, McLendon says. “It’s also very important to keep those retention time frames current. You have to review your retention policies regularly—every six months,” he says.

Organizations must understand that once they set a policy, they have a legal obligation to follow it. “Inconsistency in records management or in following a policy opens up an organization to huge risk,” Fox says. In the event of medical malpractice litigation, if hospitals can’t produce records they should have on hand per the retention schedule or if there has been inconsistent destruction of records not in compliance with the schedule, they run the risk of incurring significant penalties or sanctions by the court, she adds.

Healthcare organizations are liable for the intentional destruction of records related to pending litigation, Fox says. “If there has been inadvertent destruction because someone didn’t follow the policy but the organization can prove that they’ve trained employees, that they have a policy, that there are compliance audits being conducted … the courts tend to be more lenient. It depends on the case, of course,” she says.

As hospitals migrate toward EHRs, they must address issues of retention early in the process. “Retention may be a ways off. It may be lower on their horizon, but if hospitals want to manage costs or reduce costs, it’s going to behoove them to get retention in place as soon as possible—both on the electronic and certainly on the paper side,” Fox says. “They’ll see a more drastic reduction in paper storage costs when they begin digitizing the records as long as they have a procedure in place to destroy the paper copy.”

Some EHRs include record management functionality that can make destruction easier. Fox says hospitals can—and should—take advantage of that functionality as soon as possible. “If you don’t implement retention capability in the system soon, the volume of those records is going to grow and grow and grow,” she notes. “Ideally, any time you add a record to a PACS system or EHR system or any electronic system, you want to enable metadata to calculate retention in compliance with the retention schedule.”

In an EHR, the key metadata include patient ID, name, address, date of birth, and date of last visit. The retention trigger is usually dependent on the date of the last visit.

To ensure record retention compliance, Fox says HIM, legal, and IT personnel need to work together. “Records management is not the responsibility of one person or one department. Every employee at an organization has to comply,” she says.

— Lisa A. Eramo is a freelance writer and editor in Cranston, Rhode Island, who specializes in healthcare regulatory topics, HIM, and medical coding.

 

Retaining Questions to Keep in Mind
Any information included in a facility’s legal health record is subject to record retention requirements. Hospitals should consider the following questions to ensure record retention compliance:

• How long will you retain paper records once you start scanning them into an EHR? If the paper record is part of the legal health record, it must be retained. Technically, hospitals can destroy the paper record after it’s scanned into the EHR, says Leslie Fox, a program manager at Iron Mountain. “Set a procedure at the department level for the short-term retention of the paper copy to make sure that those copies don’t just sit in storage indefinitely,” she says.

• Will you retain versions? The answer to this question depends on whether and how various versions are incorporated into the legal health record, says Darice M. Grzybowski, MA, RHIA, FAHIMA, founder and president of HIMentors. Does your legal health record include only the signed-off version or does it include only the most recent version? Does it also include previous versions? “What if decision making was made from a version? From a legal perspective, you need to be able to make available this preliminary version to be able to go back to. In the paper world, we never kept preliminary versions. They just got thrown out, and you kept the final, signed copy,” Grzybowski says. “In the computer world, it’s a lot easier to keep versions, but then how do you access them and where do you store them?”

• Will you retain and capture metadata? “There have been cases where hospitals have had to produce dates, for example, that things were moved around or finalized,” Grzybowski says.

• Will you retain alternate media? This includes sound clips, biometric identification factors acquired through technical equipment, videos, Polaroid or digital pictures, and data strips from a monitor, Grzybowski says. How long will you catalog and retain these data?

• Will you retain logs? Clinical logs (eg, emergency department, treatment, nutrition) aren’t generally part of the legal health record, but some facilities may want to consider retaining them, Grzybowski says. “I’ve seen cases where the log material has been subpoenaed. It’s generally not part of the medical record, but how long do you retain them and where do you retain them?” she says.

• Will you retain e-mails and text messages? If e-mails and text messages are part of the legal health record, they must be tracked and retained per retention guidelines, Grzybowski says. Establishing that e-mails or texts are not part of the legal EHR could make retention less complicated, she adds.

• Will you retain records from other facilities? In the past, hospitals never used to incorporate these records into their legal health record out of fear that errors in the source document could proliferate at the hospital where the information was sent, Grzybowski says. “Today, hospitals are starting to keep them because they were what was used at the point of care for decisions. Even if it was bad data, you want to show that’s the document you used and accessed at the time you made your decision. But the problem is that it’s extremely costly,” she notes.

Record retention challenges also extend beyond a hospital’s walls, particularly as health information exchanges become more commonplace, says Kelly McLendon, RHIA, CHPS, president of Health Information Xperts, adding that inconsistent state-specific retention time frames pose challenges. “If you’re sending data out over state lines, the question becomes: What do you keep and for how long about those transactions?”

— LAE