HIPAA Compliant Records Storage and Destruction
The Health Insurance Portability and Accountability Act (HIPAA) created standards for the storage and disposal of protected health information (PHI) such as the information found on medical records. Healthcare providers and businesses must comply with HIPAA, not only to obey privacy laws created to protect confidential patient information but also to avoid costly fines and lawsuits. Here, we review guidelines to follow to ensure your organization has HIPAA compliant records storage and destruction procedures in place.
Storing Protected Health Information
The HIPAA Security Rule broadly shields protected health information by stipulating certain requirements for records management of medical records and other types of files that might contain this information. The rule dictates that PHI must be protected by administrative, technical, and physical safeguards. These include, but are not limited to:
- Annual risk assessments
- Employee training
- Assignment of a privacy officer
- Reviewing policies
- Unique user identification for accessing electronic PHI
- Encryption of ePHI
- Physical and electronic access control
- Secure workstations and devices
- Secure transmission of records
These, in connection with the standards set under the Privacy Rule, are intended to keep personal health information restricted only to those who have a right to access it. In addition to keeping medical records safe from unauthorized persons, HIPAA medical records storage requirements state that PHI should be made available to patients and others who have a right to access it.
Struggling with HIPAA Compliant Storage or Destruction?
The team at Armstrong Archives is here to help! We specialize in short and long term storage of medical records as well as secure document destruction for medical offices, legal practices and other businesses that require HIPAA compliance. To learn more, contact our team.
Secure Disposal of HIPAA Documents
HIPAA doesn’t specify required methods of document destruction for files that contain PHI, but it does set forth some basic guidelines that can be applied to the destruction of medical records. Put simply, paper medical records must not be abandoned where they are accessible to unauthorized individuals, such as in a dumpster or trash bin. Organizations handling PHI must ensure patient medical records are destroyed in a way that minimizes the risk that their contents will be stolen. Common methods of HIPAA compliant document destruction include:
- Document destruction through burning, shredding, or any other method that renders data irrecoverable;
- Clearing, overwriting, or purging electronic media; and
- Third-party disposal or destruction services through a vendor, such as Armstrong Archives
The requirements for storing the confidential information found in medical records are more specific than those provided for the destruction of health and medical records. The rules for the destruction process are relatively vague: there are few laws and specifics about shredding medical records. The most important factor in medical record destruction is that whatever method is used must ensure the records will not be exposed to unauthorized eyes, nor be recoverable once destroyed. When you use a third party for destruction services, many will provide a certificate of destruction. This certifies that your paper or electronic medical records went through the destruction process. Be sure to ask for a certificate of destruction and maintain it as part of your medical records management documentation.
When to Dispose of Records
HIPAA itself does not set forth any standards on how long medical records should be maintained. Instead, state laws govern when PHI may be destroyed. Under Texas law, physicians must keep patient records for 7 years after their last visit or until the patient reaches the age of 21 (if under 18), whichever is longer. This is why responsible healthcare providers in Texas must have HIPAA compliant records storage to maintain patient information for the required time periods in a secure and fully compliant way.
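The Texas retention rule above has two branches (7 years after the last visit, or the patient's 21st birthday for a patient who was a minor, whichever is later), and a records-management schedule must pick the later date before it can flag a record as eligible for destruction. The following is an added example, not code from Armstrong Archives or any statute; the function names and the ISO date inputs are assumptions, and the 18 used as the age of majority is an assumption drawn from the "(if under 18)" wording.

```python
from datetime import date

TEXAS_RETENTION_YEARS = 7   # keep for 7 years after the last visit
TEXAS_MINOR_AGE_LIMIT = 21  # ...or until a patient who was a minor turns 21
AGE_OF_MAJORITY = 18        # assumption: "minor" means under 18 at the last visit


def add_years(d: date, years: int) -> date:
    """Shift a date by whole years; Feb 29 falls back to Feb 28 in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def age_on(dob: date, on: date) -> int:
    """Whole years of age on the given date (birthday not yet reached counts down)."""
    years = on.year - dob.year
    if (on.month, on.day) < (dob.month, dob.day):
        years -= 1
    return years


def texas_retention_end(last_visit_iso: str, dob_iso: str) -> str:
    """Earliest ISO date on which the record may be destroyed under the Texas rule:
    7 years after the last visit, or the 21st birthday if the patient was under 18
    at that visit, whichever is later."""
    last_visit = date.fromisoformat(last_visit_iso)
    dob = date.fromisoformat(dob_iso)
    end = add_years(last_visit, TEXAS_RETENTION_YEARS)
    if age_on(dob, last_visit) < AGE_OF_MAJORITY:
        end = max(end, add_years(dob, TEXAS_MINOR_AGE_LIMIT))
    return end.isoformat()


def destruction_permitted(last_visit_iso: str, dob_iso: str, today_iso: str) -> bool:
    """True once the retention period has fully elapsed; records flagged True can go
    to the shredding or purge process, records flagged False must stay in storage."""
    end = date.fromisoformat(texas_retention_end(last_visit_iso, dob_iso))
    return date.fromisoformat(today_iso) >= end
```

Constructed inputs such as an adult seen on 2020-03-10 (eligible 2027-03-10) and a child born 2010-06-15 last seen 2015-01-20 (held until the 21st birthday, 2031-06-15) show why the minor branch cannot be dropped from a schedule that also handles adults.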
Frequently Asked Questions
Can medical records be stored in a storage unit?
The Health Insurance Portability and Accountability Act (HIPAA) sets out standards for the protection and privacy of individuals’ personal health information (PHI). HIPAA regulations for the protection of PHI apply to covered entities (e.g. doctors, clinics, insurance companies) and their authorized associates (e.g. 3rd party administrators, attorneys, CPAs, etc.). The HIPAA Privacy Rule forbids the unauthorized disclosure of PHI and establishes safeguards to protect the privacy of this information. Medical records containing PHI may be stored in a storage unit if they are properly protected from breach.
In order to be HIPAA compliant, electronic health records (EHR) must be stored in accordance with the HIPAA Security Rule, which contains requirements for physical, administrative, and technical protections to prevent unauthorized access. To comply with the Security Rule, an organization must:
- Ensure the electronic health records they handle remain available, yet private and secure;
- Engineer and execute defense strategies to thwart any reasonable potential threats to the data’s security;
- Create protection systems to prevent any reasonably foreseen unauthorized use or prohibited release of data; and
- Ensure that all employees are adhering to rules and protocols to ensure data safety and privacy.
Does HIPAA apply to paper records?
Yes. HIPAA forbids the unauthorized disclosure of PHI and establishes safeguards to protect the privacy of records, in any form, that contain this information.
How long are medical records protected by HIPAA?
HIPAA does not specify a length of time that PHI must be maintained; the retention period of medical records is determined by state law. The rule instead requires that covered entities take the measures necessary to protect the privacy of medical records and PHI until secure record destruction takes place.
Posted By: Sherri Taylor – President/Managing Partner
Sherri Taylor is the Managing Partner and President of Armstrong Archives, one of the largest independent records and information management companies in the Dallas/Ft Worth area.