Not long ago, managing medical records was relatively straight-forward. Patient information was recorded on paper charts, which were stored in office filing cabinets.

As technology and medicine practices have rapidly changed, so have medical records and its management. 

Today, more than 85% of physicians use electronic medical records (EMR) systems to manage physical records in a digital environment.  With advances in diagnostics and analytical tools, there’s more patient information than ever. And, after the passing of the Health Insurance Portability and Accountability Act (HIPAA), medical providers must adhere to strict federal guidelines to protect patient privacy.

Medical professionals have a legal and ethical obligation to protect patient information and properly manage records. Failure to do so can result in medical errors and data breaches, which can lead to costly fines.

Understanding the principles and policies regarding medical records management can help organizations maintain compliance and protect their patients.  

What is Medical Records Management?

Medical records management refers to a system of procedures and protocols responsible for governing patient information throughout the entirety of the data lifecycle. From the moment a patient record is created, it must be appropriately stored, secured, and maintained.  After it has been retained for the necessary amount of time (its retention period), the record must be properly destroyed. There is a complex set of rules and regulations regarding medical records management, and for good reason. When health records are mismanaged, patients are put at risk.

Medical errors are the third leading cause of death in the United States, after heart disease and cancer, according to a study by Johns Hopkins. While studies show that patient safety improves when hospitals adopt electronic health records, poor management can lead to medication errors, missed diagnoses, treatment lapses and other potentially life threatening events.

Patient privacy is also at risk.  Medical records contain highly sensitive personal information, and when oversights occur, privacy is compromised. With healthcare data breaches increasing, patients are losing confidence. According to a recent consumer survey, 87% of patients are unwilling to share their full medical histories, citing concerns about privacy protections. 

Poor records management also leaves hospitals, medical practices and other providers vulnerable to costly fines and lawsuits, as well as criminal charges. 

In 2016, healthcare benefits company Anthem agreed to pay $16 million to the U.S. Department of Health and Human Services after a series of cyberattacks exposed the health information of almost 79 million people. Government investigators discovered that Anthem didn’t take proper steps to secure patient records and was in violation of HIPAA.

Medical Records Policy and Procedures

Enacted in 1996, HIPAA was created to modernize medical records management and protect patients’ personal information. It outlines policies for a number of records management procedures, including the following.

Medical Records Security & Medical Records Storage

Before HIPAA, there were no standards for securing or storing patient medical records. Organizations are granted a certain amount of autonomy in creating systems that serve their sizes and needs, but HIPAA does require certain universal security measures. To maintain compliance, organizations must:

  • Identify and proactively protect against anticipated security threats
  • Train all workforce members in medical records security procedures 
  • Limit access to facilities where records are stored or accessible
  • Implement hardware, software and procedures to monitor access

In 2009, Congress passed the Health Information Technology for Economic and Clinical Health (HITECH) Act. HITECH essentially strengthened HIPAA, increasing both security protocols and penalties for violations.

Medical Records Access & Release

Under HIPAA, a patient or the patient’s designated representative has the right to access records. A provider or insurer may only send patient records with permission.

Passed in 2003, the Fair and Accurate Credit Transaction Act (FACTA) provides an additional layer of consumer protection surrounding the release of medical records. Designed to reduce the risk of consumer fraud and identity theft, FACTA severely restricts providers and insurance companies from sharing medical records with affiliates. 

Retention Timelines

In most cases, HIPAA supersedes any state laws that may apply to medical records. However, HIPAA generally defers to states in matters of records retention. Requirements are complex and vary widely depending on the individual state, record and institution. For example, in Florida, physicians are required to retain patient records for five years, while hospitals must keep them for seven. In Nevada, providers must maintain records for five years, or until minor patients reach 23 years old. 

Data Destruction

Data destruction is the process of destroying information so it can’t be used for illegal and unauthorized purposes. Both HIPAA and FACTA have stringent data destruction protocols. Paper records must be shredded, pulverized, burned or pulped until patient information is rendered unreadable and cannot be reconstructed. Electronic information must be cleared using overwriting software or magnetic methods of destroying computer hard drives.

Keys to Successful Medical Records Management

In today’s rapidly changing healthcare field, medical records management can be demanding. However, there are steps that organizations can take to protect patient privacy and maintain compliance. 

Establish Medical Records Management Procedures

To successfully manage medical records, an organization must first clearly define their policies and procedures for maintaining security. HIPAA requires that policies are written, and that these written documents are retained for six years. Updates are required in response to organizational changes that could affect the handling or security of patient health information.

Successful medical records management programs engage the entire organization. Senior-level executives should obtain input from every department that generates or handles records, ensuring that every base is covered when drafting procedures.   

Develop Comprehensive Employee Trainings

While some breaches are the result of sophisticated hacking, others are the result of untrained employees mismanaging sensitive health records. In fact, a recent study found that careless employees were at the root of more than 50% of cybersecurity incidents at small and medium-sized businesses. Per HIPAA’s guidelines, companies must train every employee who interacts with health records during any stage of the data lifecycle. 

Label Records Effectively

In order to efficiently monitor patient records from creation through destruction, organizations need a comprehensive taxonomy and indexing system that covers every type of record handled. This assures adherence to retention schedules and makes searching more efficient, saving time and money.

Automate Processes

Maintaining compliance with complex state and federal laws is a complex task, and there’s little room for human error in the medical field. By automating essential and time consuming processes, a centralized medical records management program can improve accuracy, assure consistency and protect patients.

Improve Data Security

From creation through destruction, patient records must be secure. While in use, electronic records should have a detailed audit trail, and paper records should be securely locked in a room with restricted access. Records stored offsite should be held in certified, climate-controlled facilities. At the end of their life cycle, paper and electronic records should be securely destroyed using NAID-certified methods. 

Perform Self Audits

HIPAA conducts regular and thorough audits to ensure that appropriate measures are in place to protect patient privacy. To ensure compliance and avoid fines, organizations should institute performance and compliance monitoring, as well as periodic self audits.

The Future of Medical Records Management

Advances in the technology and healthcare fields have led to the need for a more sophisticated approach to medical records management. When health records aren’t secured, both patients and providers are at risk. 

As data breaches increase, so have penalties for non-compliant organizations. In 2018, the Office for Civil Rights issued a record amount of HIPAA settlements, totaling $28.7 million in fines, a 22% increase over the previous record. 

Fortunately, there are many steps that organizations can take to protect themselves and consumers. By taking a proactive approach to document security and investing in a centralized, comprehensive medical records management program, providers can remain compliant and avoid costly penalties and litigation.


Rob Heyd has been leading complex records and information management client engagements since 2005. With an emphasis on Program Quality and Risk Mitigation, he leads a team who works closely with key accounts in the Healthcare, Legal, Education and Financial sectors throughout the Midwest. Rob is an active member in the AHIMA community, as well as in other industry organizations such as ARMA and ALA.