If you don’t want to end up in legal hot water, make sure you have solid record retention policies – and that you follow them.
California health system giant Sutter Health has learned this lesson the hard way. Several employers and labor unions sued Sutter in 2014 for charging inflated prices in violation of the antitrust laws. The lawsuit was recently designated a “class action” lawsuit, making the number of plaintiffs much larger.
Sutter has now been found guilty of inappropriately destroying 192 boxes of documents in 2015 that were to have been evidence in the lawsuit. The documents were subject to a “litigation hold,” which means that they couldn’t be destroyed during the dispute. According to Sutter’s own record retention policy, the boxes weren’t slated to be destroyed until 2035. The plaintiffs asked the court to impose sanctions on Sutter.
Sutter claims that the shredding was a mistake and routine, done on the spur of the moment. The judge didn’t buy it. He said that the shredding was intentional, that the individuals involved knew of the litigation hold, and that while sometimes it’s okay to destroy records early, there was “no good explanation for this specific and unusual destruction here.”
There was also an incriminating email written by a Sutter employee that said, “I’ve pushed the button…I’m running and hiding… fingers crossed that I haven’t authorized something the FTC [the federal agency charged with enforcing antitrust laws] would hunt me down for.” Sutter claimed that the FTC reference was a “joke.”
The judge was not amused. He ordered Sutter to produce back up tapes and may consider issuing an adverse jury instruction. Note that in many cases a court imposes money penalties on the offender; the plaintiffs in this situation didn’t request that.
So how long do I keep this document?
What Sutter did crossed the legal line. But the rules regarding record retention are confusing, particularly in the complicated world of health care.
For instance, the length of time a small business needs to keep a record for tax purposes depends on the action, expense or event which the document records. Some records need to be kept only three years; others indefinitely. And even once the deadline passes for IRS purposes, a business may still need to keep a document for other reasons, such as for insurance or creditor requirements.
Health care records are governed by additional laws. HIPAA’s security rule requires that records containing patient protected health information be held for six years from the date of creation or date when it was last in effect, whichever is later. Hospitals need to retain a cost report for at least five years after the closure of the cost report. State medical record retention laws vary widely by type of medical record. They also typically have different retention periods based on the age of the patient (usually records need to be held for a time after the child reaches the age of majority).
While it may be tempting to hold onto most or all records indefinitely, that’s not necessarily the best practice, either. For one, there’s the cost of storing them, particularly boxes of paper records. And there’s a risk. For example, if you hold onto medical records beyond the legally required time period and then suffer a breach, you have more records potentially compromised and more patients to notify.
Record retention gets even more dicey if the records become relevant in an investigation or lawsuit and then can’t be destroyed. Even an innocent disposal may have negative consequences.
This is a particularly confusing issue for providers. Make sure that you:
Have record retention policies that comply with federal and state law. You may need to confer with your medical association or obtain outside help.
Follow those policies; tread carefully if you’re going to change the rules midstream.
Remember that how you dispose records is also important. Lax disposal can subject you to HIPAA and other violations.