While supplies last! Free 2022 Coding Essentials for Infusion & Injection Therapy Services book with every RACmonitor webcast order. No code required. Order now >



The Centers for Medicare and Medicaid Services (CMS) on Aug. 10 issued an informational MLN Matters article on addressing medical record retention considerations.

While the article did not change or revise current record retention policies, it did highlight key requirements of which all providers should be aware. The Health Insurance Portability and Accountability Act (HIPAA) requires a covered entity, such as a provider billing Medicare, to maintain medical records for at least six (6) years from the date of their creation or when they last were in effect.  The HIPAA retention requirement preempts state laws that require shorter lengths of time. But providers also should keep in mind that some states may require the records to be held for longer than the HIPAA-mandated six years. If this is the case, the provider should abide by the state requirements so as to be in compliance with both federal and state regulations.

Beware of State Requirements

It is important for providers to determine their particular states’ requirements so as to ensure compliance with all applicable record retention regulations, and to consider additional concerns such as the ability to defend potential medical malpractice actions.

The MLN Matters article also reminds providers that patient medical records must be accurately written, promptly completed, accessible, and properly filed and retained in accordance with the HIPAA Privacy Rule requirements.

Retaining Documentation

In the context of Medicare audits, documentation retention is crucial to a provider’s ability to challenge claim denials successfully. Identifying lack of documentation for services provided is an easy method for auditors to deny otherwise covered claims. Providers are required to provide all necessary documentation to substantiate the medical necessity of items and services. Failing to maintain appropriate documentation almost certainly will result in claim denials due to lack of documentation.

A very difficult issue arises when another entity, such as a hospital or skilled nursing facility (SNF), is the custodian of medical records supporting physician services – especially when the hospital or SNF does not produce the records when they are requested by the Medicare carrier. For example, a physician may see hospitalized or institutionalized patients and document the visit in the institution’s progress notes.

When auditing the physician’s visits, a contractor may request the medical records from both the physician and the hospital. However, the Program Integrity Manual states that it is the physician’s ultimate responsibility to obtain signed copies of such medical records. Thus, physicians proactively should consider obtaining contractual assurances from hospitals or other institutions that supporting medical records will be maintained sufficiently and produced within a certain timeframe when requested for audit purposes.

Custodial Responsibility

The recently passed “healthcare reform” legislation addressed the issue of custodial responsibility for certain programs susceptible to high rates of waste and abuse, such as durable medical equipment prosthetics, orthotics and supplies (DMEPOS) and home health services. These new regulations, which went into effect July 5, require among other things that both the provider or supplier who furnishes the ordered services as well as the physician who ordered or referred the items or services to maintain documentation for seven (7) years from the date of service and provide access to the documentation at the request of CMS or its Medicare contractors.

For example, physicians referring patients to home health agencies will be required to provide those agencies with access to the patients’ medical records in order to defend an audit, and the agencies in turn will be required to obtain such medical records upon request of a CMS contractor.

For those healthcare providers servicing Medicare beneficiaries, increased audit activity is a reality. Failure to maintain or have access to the required documentation can result in audit denials and overpayment demands for services that otherwise are medically necessary, having met the criteria for coverage.


Providers should implement data storage and management systems that allow for the safe and secure storage of patient medical records, but also allow for quick access in the event of a medical records request by a reviewing contractor. Electronic health records may provide solutions to storage and access concerns in addition to qualifying providers for CMS incentives to the extent they can demonstrate the meaningful use of such systems.

About the Authors

Amy K. Fehnis a partner at Wachler & Associates, P.C.  Ms. Fehn is a former registered nurse who has been counseling healthcare providers for the past eleven years on regulatory and compliance matters and frequently defends providers in RAC and other Medicare audits.

Jennifer Colagiovanni is an attorney at Wachler & Associates, P.C.  Ms. Colagiovanni graduated with Distinction from the University of Michigan and Cum Laude from Wayne State University Law School.  Upon graduation, Ms. Colagiovanni was nominated to the Order of the Coif.  She is a member of the State Bar of Michigan Health Care Law Section.

Contact the Authors



To view Internal or External, Audit, Audit, Audit,” article please click here


Jennifer Colagiovanni

Jennifer Colagiovanni is an attorney at Wachler & Associates, P.C. Ms. Colagiovanni graduated with Distinction from the University of Michigan and Cum Laude from Wayne State University Law School. Upon graduation, Ms. Colagiovanni was nominated to the Order of the Coif. Ms. Colagiovanni devotes a substantial portion of her practice to defending Medicare and other third party payer audits on behalf of providers and suppliers. She is a member of the State Bar of Michigan Health Care Law Section.

You May Also Like

Leave a Reply

Your Name(Required)
Your Email(Required)