Records Retention and Destruction It’s Important to Have Firm Policies in Place

Practice administrators often call us overwhelmed with seemingly endless piles of records, asking us what must be retained, and for how long. Do all financial, personnel, and medical records need to be kept in perpetuity? The answer is no, but it is important to have a policy specifying how long these records are to be retained and what constitutes proper disposal when they are no longer required. Of concern is the need to have access to information in the event of a tax audit, a regulatory audit, or litigation.

A records-ret-ention policy provides for the systematic review, retention, and destruction of documents. It should contain guidelines as to how long certain documents should be retained and how to properly dispose of them once they are no longer needed.

Unfortunately, guidelines for records retention come from various sources and often vary at the state and federal levels. Federal guidelines originate at the Internal Revenue Service, the Depart-ment of Labor, HIPAA, the Occupations Safety and Health Administration (OSHA), the Department of Health and Human Services, and the list goes on. Where discrepancies exist, it is wise to play it safe and always go with the longer retention period.

The chart at right details general rules of thumb.

Document Destruction

The method of record destruction is as important as the storage and retention measures, particularly in regards to patient health information. Neither HIPAA’s privacy standards nor its security standards dictate specific means of compliance. However, it does cite a few examples, including “shredding such documents prior to disposal.” It also requires entities to address the “final disposition of electronic protected health information and/or the hardware or electronic media on which it is stored.” Records must be destroyed to the point where no one can get access to them and misuse them. For health care providers, proper destruction policies are part of ensuring that the organization is protecting against unauthorized access to personal health information.

A record destruction policy should follow a written procedure and should:

  • Specify the length of time the records will be kept;
  • Define which records will be kept on-site/off-site;
  • Determine which employee will be responsible for adherence to the policy;
  • Maintain a log that details which records have been destroyed along with when and how; and
  • Provide a method of disposal.

Electronic media must be wiped clean with software designed to prevent recovery. Disk-wiping software can prevent unauthorized recovery by overwriting entire drives and disks before these magnetic media are discarded or reused. Some software is more thorough than others for permanent erasure. Simply deleting data files is not sufficient. The ‘deleted’ information actually remains on the computer’s hard drive or a formatted disk, and with the proper tools, this data can be recovered.

For paper records and removable media, the use of professional shredding companies has several advantages over in-house shredding or recycling for record destruction. A shredding service provides the security and documentation required at a price below that of doing it in-house.

Companies such as Proshred Security, a regional shredding company servicing Massachusetts, Connecticut, and New York, offer an on-site approach. This ensures the documents are destroyed before leaving the site, thus eliminating the potential liability for those documents. A certificate of destruction is issued for all shredding. Services that haul the documents away face the risk of what happens to those documents from the time they leave their site to the time they are destroyed — and so does your practice.

Guidelines for Record Retention

The following are general rules of thumb based on our experience and information provided by the IRS, the Centers for Medicare and Medicaid Services (CMS), and inquiries of Massachusetts and Connecticut regulatory authorities. However, states vary, and changes occur. To be certain, you should check with your state medical society and your malpractice carrier. If a claim of malpractice, unprofessional conduct, or negligence is raised with respect to a given patient, or if litigation has commenced, the patient’s medical records must be retained until the matter is resolved.

Business Records
Day sheets, cash receipts journals
7 years
Bank statements and canceled checks 7 years
Cash disbursements journals 7 years
Paid bills 7 years
Sales and use tax returns 7 years
Year-end accounts receivable reports 7 years
Interim (quarterly) financial statements 2 years
Monthly accounts receivable and productivity reports 2 years
Forms 5500 for retirement plans Indefinite
Annual financial statements Indefinite
Bylaws and charter Indefinite
Canceled checks for important payments (i.e. land, buildings, and improvements) Indefinite
Capital stock records Indefinite
General ledger Indefinite
Income tax returns Indefinite
Minutes of stockholder and director meetings Indefinite
Property records including costs and improvements Indefinite
Payroll records
Earnings and payroll registers
7 years
Payroll tax returns 7 years
W-2s and year-end earnings records 7 years
Employee benefit plan records 7 years
Personnel Records
Employee personnel files
3 years beyond termination required (6 recommended)
Personnel accident report / injury claim 11 years
COBRA records 3 years
I-9 forms 3 years (1 year after termination)
Medical Records
Patient medical records
* 10 years from last visit
Encounter forms 5 years
Pathology slides, EEG, ECG tracings 10 years
Lab reports (positive readings) 5 years
Insurance claim forms, EOBs 5 years
X-ray films 5 years
Annual billing and productivity reports 5 years

* Note: Generally, for pediatric and ob/gyn practices, records should be retained for at least 10 years after the child attains adult legal status.
These guidelines apply equally to hard copy and electronic medical records.

Documents to be shredded should be kept separate from normal waste. Some of the items to shred include:

  • All accounting and financial documentation;
  • All human resource documentation;
  • Correspondence;
  • CDs, film, microfiche, video tapes, diskettes, photos, etc.;
  • Patient medical records;
  • Billing information and registration records;
  • Prescriptions;
  • X-rays;
  • Printouts from EKGs and EEGs;
  • Ultrasound results;
  • Lab reports;
  • MRI and Radiology film; and
  • All medical testing.


With all the hype and litigation surrounding the confidentiality of patient health information and employee records, it is critical for health care organizations to have a records retention policy and a schedule for the timely and proper disposal of such records once they are no longer required to be maintained. This will not only enhance privacy but also save on unnecessary storage costs.

Lisa A. Patenaude, CPA, is senior manager of the Health Care Services Division of Meyers Brothers Kalicka, P.C., in Holyoke, certified public accountants and business consultants; (413) 536-8510.

Comments are closed.