Deciding how long to hold on to specific records in your hospital can be a challenging task, especially when the facility deals with so many different types of records. You may be tempted to hold on to everything indefinitely – an option we know can be space- and cost-prohibitive, especially within the hospital environment. Our reluctance to dispose of records is also driven by several critical questions: What if I need this record to defend our hospital in a lawsuit? What if a state or government agency audits or investigates our hospital for issues contained within this record?

This is why it makes sense from a compliance and risk management standpoint to have a comprehensive and consistently applied record retention policy that includes all forms of hard copy and electronic data. There are many reasons to implement a record retention policy, including compliance with statutory or regulatory requirements, maintaining control of records during litigation, improving your
responsiveness and efficiency in complying with discovery demands, and avoiding the disclosure of unnecessary or obsolete records.

An effective policy will also help you avoid liability for any inadvertent destruction of evidence when litigation or a government investigation is pending or reasonably foreseeable, such as when a subpoena has been served. Generally speaking, anytime your organization is aware (or should have been aware, in the exercise of reasonable diligence) of a pending dispute like an audit, investigation, or lawsuit, you will be required to retain any record potentially related to the matter. For this reason, you’ll want to make sure that your record retention policy includes procedural steps for preserving relevant evidence and instructing employees not to delete or destroy relevant records, as when a “Litigation Hold” is placed on records that are the subject of an investigation or lawsuit. As recent court decisions illustrate, organizations can be subject to large sanctions for the destruction of records when litigation, government investigations, or other disputes are, or should have been, anticipated. If you inadvertently and in good faith dispose of relevant records as part of your fully implemented, consistently applied, active records management program, you are more likely to persuade a court or government investigator that missing records were not willfully destroyed. Courts generally do not look favorably on organizations that mismanage or dispose of records on an inconsistent basis, even if there was no bad-faith motive in that inconsistency.

A good record retention policy will not only specify a record retention period for each type of relevant record (see chart at end of article for suggested general-purpose retention guidelines), but it will also establish a standard disposition policy. It may, for example, specify that the preferred method of disposition is shredding. A professional records management company or IT consultant can also assist you in managing and disposing of all records appropriately, including archived electronic files. As you develop your records disposal program, bear in mind that state and federal laws may dictate a certain type of records disposal process when certain information is included in a record. North Carolina law, for example, requires a written disposal procedure, necessitates certain diligence on records disposal vendors, and mandates a certain manner of disposal whenever “personal information” is included in your records. Finally, your record retention policy should identify a records custodian who is responsible for ensuring that the program is rigorously enforced from top management down.

The chart below provides some general records categories and suggested retention periods for commonly used records within the hospital setting, and may serve as a good starting point for creating a record retention policy uniquely suited to your hospital. Please remember, however, that many different sources of law may suggest specific record retention periods for specific types of records that may not be incorporated in this list. These retention periods are provided for informational purposes only and are not an adequate substitute for legal advice based on your individual business needs and legal requirements.

Type of Record Suggested Retention Period?
Clinical/Medical/Infection Control Records

HIPAA-Related Records 6 years from the date most recently in effect for HIPAA-mandated records such as policies or procedures, notices of privacy practices, consents, authorizations, and accountings of PHI disclosures
Governance (board minutes, bylaws, foundation documents, etc.)
Typically retained permanently
Quality Assurance, Safety Committee, and Abuse Investigation Records
5 years Finance/Accounting Medicare specifies a retention requirement of 4 years; the recently revised Medicaid Provider Participation Agreements specify a minimum retention period of 6 years for all Medicaid finance and accounting records; it is common to retain these records for 7 years due to certain tax and financial reporting obligations at the federal level.
Employment Application, Résumé,
Hire/Promotion/Demotion/Transfer
Decision, Request for Accommodation, Evaluations, FMLA Records
4 years after date of termination/resignation I-9 Immigration Forms 3 years after hiring or 1 year after termination, whichever is later
Wage Records (rates of pay, time
earning sheets, etc.)
5 years after the calendar year in which compensation was paid
Most OSHA/Safety Records (including inspection/training records)
5 years following end of the calendar year covered by the record (some specific types of OSHA records, such as exposure records and employees’ medical files, have much longer retention periods) Contracts with Vendors/Suppliers For contracts valued at $10,000 or more over a 12-month period, Medicare regulations specify a retention period of 4 years after the service(s) is furnished under the contract or subcontract; state laws imposing statutes of limitation on contracts actions may be as long as 15 years, however Tax Records 7 years after taxes at issue were due or paid, whichever is later Compliance Records (committee
minutes, reports to the board, internal audits, etc.) 10 years appears to be the most common retention period for these records

◀︎ Back to Thought Leadership