Medical Practices: How Long Should You Retain Patient Records and Tax Records?
Guidelines for Retaining Medical Records
While state guidelines vary, the following timeframes are recommended for keeping medical records:
| Type of Record | Timeframe to Retain |
|---|---|
| Patient Charts – Alternative (adults) | 10 years after the most recent encounter |
| Patient Charts – Alternative (minors) | Age of majority plus statute of limitations |
| Medical Correspondence (to patients, to referrers, about patients, etc.) | Permanently with chart |
| X-rays | Permanently with chart |
Various medical record issues may also arise when a patient requests transfer, a physician relocates or ceases a practice, or a group practice changes. When a patient requests a transfer, the physician should maintain the original records and transfer only a copy. A patient can be charged a reasonable fee to reflect the cost of the materials used, the time required to prepare the material, and the cost of sending the materials to the requesting physician.
When a physician relocates their practice, the physician may take medical records with them or leave the records with a designated custodian under an agreement that the physician will be permitted access to the records in the future upon request. When a group practice is changing, physicians should be aware that any agreements made with their associates do not supersede their responsibility to patients. Ultimately, physicians in any setting, whether solo practice, group practice, hospital, etc., are individually responsible for their own patient records.
With respect to retaining medical records, some statutory requirements do exist. There are certain Medicaid / Medicare reimbursement regulations requiring medical records of program recipients be available for review for up to seven years. For participants in an Accountable Care Organization (ACO), the requirement to retain records, contracts, documents, etc. is for a period of 10 years. A longer retention period may apply if there is a termination, fraud allegation, dispute, or if the Centers for Medicare and Medicaid Services (CMS) determines there is a special need to retain for a longer period. The Office of Inspector General (OIG) recommends all physicians, regardless of size, consult federal and state statutes, as well as their state medical society, for assistance in ascertaining specific time frame requirements for their specific specialty and location.
Guidelines for Retaining Tax and Financial Records
Under the three-year statute of limitations, the IRS and state taxing authorities are barred from conducting any audit once the time period has elapsed. Under IRS guidelines, every medical practice should retain bank statements with cancelled checks for at least three years after filing their income tax returns. During an audit, the IRS will routinely request all bank statements to search for unreported income. If the practice is unable to provide copies of bank statements, the IRS can issue summonses to financial institutions to obtain this information. In addition, any tax documents that relate to the tax return, such as billing system receipts, paid invoices, employee W-2s and 1099 forms, and any other documents that support an item of income, deduction, or credit on the tax return, should be retained for at least three years. As a general guide, most taxpayers can now discard their records for the years 2013 and earlier, as the statute of limitations has expired for those tax years.
An exception to the normal three-year statute of limitations is New Jersey’s four-year statute of limitations for both Corporation Business Tax (CBT) and Sales & Use Tax (SUT). If you file in multiple states, it is important to know the statute of limitations for each state as state statutes vary.
Some records should never be discarded. These include, but are not limited to, prior year tax returns, closing statements on the purchase of real estate, ownership records such as property deeds and formation documents, contracts, depreciation schedules, general ledgers, and payroll and sales tax returns.
Diligent Record-Keeping and Proactive Cybersecurity
Careful record-keeping should go hand-in-hand with a strategic cybersecurity program in order to prevent sensitive patient information, such as Social Security numbers, private health information, credit card numbers, and the like, from being stolen and used for identity theft. This cybersecurity program should proactively identify, protect against, and detect malicious Internet-related activities, such as email scams and hacking. The rise in attacks and data breaches requires medical practitioners, data controllers, and processors alike to have strong security measures in place that are designed effectively and operate consistently to mitigate the latest cybersecurity risks.
For further information on retaining tax, financial, and patient records, please contact Neil Becourtney, partner, at firstname.lastname@example.org or 732-380-8678; or Susan Cooper, Senior Manager, at email@example.com or 732-380-8634.
Any advice contained in this communication, including attachments and enclosures, is not intended as a thorough, in-depth analysis of specific issues. Nor is it sufficient to avoid tax-related penalties. This has been prepared for information purposes and general guidance only and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is made as to the accuracy or completeness of the information contained in this publication, and CohnReznick LLP, its members, employees and agents accept no liability, and disclaim all responsibility, for the consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.