Chief Compliance and Ethics Officer Health Care

Patient files for pharmacy closing

  • 1.  Patient files for pharmacy closing

    Posted 04-27-2020 02:54 PM
    Sadly in these times I am assisting a pharmacy closing and transferring patients to another entity.

    I am looking for time frame for record (100% Paper) retention and eventual destruction.

    My state (CA) regs are 7 years or 1 year following the patients 18th birthday and
    after the last "encounter".

    Then comes the California Medical Association, stating
    "a retention period of at least 10 years may be sufficient, all medical records should be retained indefinitely or, in the alternative, for 25 years."

    OCR does not have time frame for retention or destruction.

    Medicare Managed Care requires 10 years retention.

    My gut is to follow the state regs, the problem is storage of current records and cost associated.  The pharmacy will out of business
    by next week.

    Any thoughts from my fellow Compliance and HIPAA Officers?

    Mary Blahut RN CHC
    VP Compliance
    Diamond Bar, CA
    2020 HCCA Compliance Institute

  • 2.  RE: Patient files for pharmacy closing

    Posted 04-28-2020 12:26 PM
    Hi Mary;

    I would love to follow this thread as I am currently dealing with record retention issues for health plans in multiple states. As I've come to learn there is a huge difference between paper record retention and data record retention. We maintain a retention schedule by type of document. Some financial and HR records types are in the 7 year range while most other records are 10 years (paper or data). We even have an 11 year retention for managed care records to preclude the ambiguity of "at least 10 years" thing - does that mean "until" 10 years or "through" 10 years? My feeling is if you have managed care contracts - you'll need to go with the longer of the required periods - 10 years.

    Just to give you a heads up, even after closure, requests for records becomes the leaky faucet that won't shut off! You likely have contracts which require you must maintain the records, but what does this mean to how much longer you will continue to respond to requests for records from patients, attorneys, subrogation entities, vs court orders, subpoenas, etc., who will be responsible for those requests, does a release authorization need to be attached, and how can the responsible person access the paper/data records.  And, then if you do provide records, will you charge and how much is allowable, and what will be the process for obtaining and posting payment?

    I'm currently working with legal to get my arms around the whole HIPAA access thing as it relates to an individual request for records vs. what I believe was called a "permissive request" which may not fall under a HIPAA 524 access request.

    At least we can honestly say we never get bored! :)

    Lisa Crutchfield
    Compliance Officer, Managed Care

    2020 HCCA Compliance Institute