Sunset Treatment Records

Frequently practitioners ask what to do about patient records upon patient termination, or in other words, records retention and destruction. This challenge is multi-part and not as easy as one would think. For example, from a technical aspect, let’s start with where the patient treatment records repose. Besides paper records, your patient records may repose on all or some of three information technology storage hierarchies:

• Primary Storage items such as notebook computers, laptop computers, i-phones or similar devices, PC, social media, or telephone voice record are all considered online.
• Secondary Storage such as an external memory or auxiliary storage device like a hard drive, CD, DVD, USB flash drive stick, are considered “nearline”.
• Tertiary Storage which is the third level of storage that requires a robotic arm or mechanism (also called “nearline or Cloud storage”), which at times includes a human to mount or insert the storage media into the computer. Offline is detached from the computer and requires physical intervention to load the data.

Map out where your records are so you can address the challenge.

The next important question to answer, and is frequently asked by practitioners, is: How long should I keep patient treatment records before they are to be destroyed or are they to be permanently retained? This is conditioned on many elements, most importantly, the laws and regulations in your state.

If there are no applicable requirements specifying the duration of time that adult treatment records must be retained in your jurisdictional venue, industry practice indicates that at least seven years and possibly ten years from the date of patient termination is a reasonable time period. In states that have requirements applicable to healthcare professionals including physicians and healthcare facilities, these retention times are required. In California, which is considered a relatively strict state for patient protection regulations, for example, there is no law that we know of applicable to marriage and family therapists or clinical social workers. However always check with your attorney to verify the most recent laws pertaining to patient records storage and duration. Laws change rapidly in society today.

Minors are a different challenge. Special care should be given regarding records storage involving a minor. It is recommended that the patient records of a minor should be kept for at least seven to ten years after the minor has reached the age of majority (adult) unless a longer time is specified in law or regulation. We at the Preferra, have found that in some claims adjudication cases, malpractice liabilities can protract well past majority age from acts that occurred to children as young as nine years of age.

There are some health practitioners who retain records indefinitely, as long as storage does not become a costly problem. Generally, state laws do not require the destruction of records after a given number of years, however, check with your state. The key reason to retain records indefinitely is to assure that if the patient was later involved in therapy or in litigation, the records may prove helpful. Destruction of the patient records after a certain number of years (within the dictates of law, regulation, or ethics), is to protect the privacy of the patient. The patient records must be destroyed in a manner and by a means which will assure that the patients’ privacy and confidentiality will not be compromised. The practitioner should keep a written account of which records are destroyed and the date of destruction.

Consider the risks to you of patient records loss or unauthorized disclosure. HIPAA has long held social workers and other health practitioners directly responsible for patient records unauthorized disclosure. Except for the Preferra professional liability insurance policy, virtually all professional liability insurance policies on the market exclude this coverage at least digitally which includes fax transmissions. In 2013, Congress imposed the patient records responsibility a step further and enacted HITECH 45 CFR Part 160 which holds social workers directly liable for third-party breach of patient records. This means that you are directly responsible if your mover loses your paper patient records, or if your digital storage provider, such as a cloud data storage provider, allows a data breach of your patient records. Unique to the Preferra Cyber Liability Choice Select liability insurance policy, no other insurance carriers cover third-party breach of digital or paper records. Check the Tip-of-the-Month articles published during the past several years for more detail on this matter. Start with the June, July, and September 2014 Tip articles, and September 2015 Tip article.

Undoubtedly, the practitioner will be requested or subpoenaed for patient records. This is the most frequent occurrence we see, and the Preferra professional liability provides coverage. Here is an interesting fact. Patients have certain rights to inspect, copy, amend, or addend records, but they do not own the records. The records are owned by the practitioner who is the sole proprietor of the practice. Otherwise, the organization that owns the practice owns the records, and the practitioner is an employee who merely created the records on behalf of the employer.

Most states, as well as HIPAA, grant the patients broad rights to access the records, however, those rights are not absolute. Requests to access, inspect, and/or copy the records may be denied in certain circumstances. This is when you need to consult with your attorney. Your attorney may suggest that a summary of the records be provided initially instead of the actual records under other circumstances.

Published February 2019