HIPAA Compliant Records Storage and Destruction
The Health Insurance Portability and Accountability Act (HIPAA) created standards for the storage and disposal of protected health information (PHI). Healthcare providers and businesses must comply with HIPAA not only to obey the law and protect confidential patient information, but also to avoid costly fines and lawsuits. Here, we review guidelines to follow to ensure your organization has HIPAA compliant records storage and destruction procedures in place.
Storing Protected Health Information
The HIPAA Security Rule dictates that PHI must be protected by administrative, technical, and physical safeguards. These include, but are not limited to:
- Annual risk assessments
- Employee training
- Assignment of a privacy officer
- Reviewing policies
- Unique user identification for accessing electronic PHI
- Encryption of ePHI
- Physical and electronic access control
- Secure workstations and devices
- Secure transmission of records
These, in connection with the standards set under the Privacy Rule, are intended to keep personal health information restricted only to those who have a right to access it. In addition to keeping it safe from unauthorized persons, PHI should be made available to patients and others who have a right to access it.
HIPAA doesn’t specify exactly what should be done to dispose of PHI, but it does set forth some basic guidelines. Put simply, PHI should never be abandoned where it’s accessible to unauthorized individuals, such as in a dumpster or trash bin. Patient data must be destroyed in a way that minimizes the risk that its contents will be stolen or recovered. Common methods of HIPAA compliant document destruction include:
- Destruction through burning, shredding, or any other method that renders data irrecoverable;
- Clearing, overwriting, or purging electronic media; and
- Third party disposal through a vendor, such as Armstrong Archives.
These methods ensure records are neither exposed to unauthorized eyes nor recoverable once destroyed.
When to Dispose of Records
HIPAA itself does not set forth any standards on how long medical records should be maintained. Instead, state laws govern when PHI may be destroyed. Under Texas law, physicians must keep patient records for 7 years after their last visit or until the patient reaches the age of 21 (if under 18), whichever is longer. This is why responsible healthcare providers in Texas must have HIPAA compliant records storage to maintain patient information for the required time periods in a secure and fully compliant way.