HIPAA Compliant Records Storage and Destruction
The Health Insurance Portability and Accountability Act (HIPAA) created standards for the storage and disposal of protected health information (PHI). Healthcare providers and businesses must comply with the HIPAA not only to obey the law and protect confidential patient information, but also to costly fines and lawsuits. Here, we review guidelines to follow to ensure your organization has HIPAA compliant records storage and destruction procedures in place.
Storing Protected Health Information
The HIPAA Security Rule dictates that PHI must be protected by administrative, technical, and physical safeguards. These include, but are not limited to:
- Annual risk assessments
- Employee training
- Assignment of a privacy officer
- Reviewing policies
- Unique user identification for accessing electronic PHI
- Encryption of ePHI
- Physical and electronic access control
- Secure workstations and devices
- Secure transmission of records
These, in connection with the standards set under the Privacy Rule, are intended to keep personal health information restricted only to those who have a right to access it. In addition to keeping it safe from unauthorized persons, HIPPA medical records storage requirements state that PHI should be made available to patients and others who have a right to access it.
Struggling with HIPPA Compliant Storage or Destruction?
The team at Armstrong Archives is here to help! We specialize in short and long term storage of medical records as well as secure document destruction for medical offices, legal practices and other businesses that require HIPPA compliance. To learn more contact our team.
Secure Disposal of HIPPA Documents
HIPAA doesn’t specify exactly what should be done to dispose of PHI, but it does set forth some basic guidelines. Put simply, paper records should not simply be abandoned where it’s accessible to unauthorized individuals, such as a dumpster or trash bin. Patient data must be destroyed in a way that minimizes the risks that its contents will be stolen. Common methods of HIPAA compliant document destruction include:
- Destruction through burning, shredding, or any other method that renders data irrecoverable;
- Clearing, overwriting, or purging electronic media; and
- Third party disposal through a vendor, such as Armstrong Archives
There are few laws and specifics about shredding medical records, the keys to remember are these methods ensure records will not be exposed to unauthorized eyes, or recoverable once destroyed.
When to Dispose of Records
HIPAA itself does not set forth any standards on how long medical records should be maintained. Instead, state laws govern when PHI may be destroyed. Under Texas law, physicians must keep patient records for 7 years after their last visit or until the patient reaches the age of 21 (if under 18), whichever is longer. This is why responsible healthcare providers in Texas must have HIPAA compliant records storage to maintain patient information for the required time periods in a secure and fully compliant way.
Frequently Asked Questions
Can medical records be stored in a storage unit?
The Health Insurance Portability and Accountability Act (HIPAA) sets out standards for the protection and privacy of individuals’ personal health information (PHI). HIPAA regulations for the protection of PHI apply to covered entities (e.g. doctors, clinics, insurance companies) and their authorized associates (e.g. 3rd party administrators, attorneys, CPAs, etc.) The HIPAA Privacy Rule forbids the unauthorized disclosure of PHI and establishes safeguards to protect the privacy of this information. Medical records containing PHI may be stored in a storage unit if they are properly protected from breach.
In order to be HIPAA compliant, electronic health records (EHR) must be stored in accordance with the HIPAA Security Rule which contains requirements for physical, administrative, and technical protections to prevent unauthorized access. To comply with the Security Rule, an organization must
- Ensure the electronic health records they handle remain available, yet private and secure;
- Engineer and execute defense strategies to thwart any reasonable potential threats to the data’s security;
- Create protection systems to prevent any reasonably foreseen unauthorized use or prohibited release of data; and
- Ensure that all employees are adhering to rules and protocols to ensure data safety and privacy.
Does HIPAA apply to paper records?
Yes. HIPAA’s Privacy Rule forbids the unauthorized disclosure of PHI and establishes safeguards to protect the privacy of records, in any form, that contain this information.
How long are medical records protected by HIPAA?
HIPAA’s Privacy Rule does not specify a length of time that PHI must be maintained. Retention period of medical records is a matter determined by state law. Instead, the rule states that covered entities undertake measures necessary to protect the privacy of medical records and PHI until the records are securely destroyed.