HIPAA Compliant Records Storage and Destruction
The Health Insurance Portability and Accountability Act (HIPAA) created standards for the storage and disposal of protected health information (PHI) such as the information found on medical records. Healthcare providers and businesses must comply with HIPAA, not only to obey privacy laws created to protect confidential patient information but also to avoid costly fines and lawsuits. Here, we review guidelines to follow to ensure your organization has HIPAA compliant records storage and destruction procedures in place.
Storing Medical Records
Medical records must be stored securely in order to comply with HIPAA regulations. All paper and electronic records must be organized and kept in a secure environment that is locked, password protected, and off-limits to unauthorized individuals.
The records should be accessed only by authorized personnel who need that access to perform their job duties. Electronic medical records require further security measures, such as encryption, to protect the data from unauthorized access.
Storing Protected Health Information
The HIPAA Security Rule broadly shields protected health information by setting records management requirements for medical records and any other files that might contain this information. The rule dictates that PHI must be protected by administrative, technical, and physical safeguards. These include, but are not limited to:
- Annual risk assessments
- Employee training
- Assignment of a privacy officer
- Reviewing policies
- Unique user identification for accessing electronic PHI
- Encryption of ePHI
- Physical and electronic access control
- Secure workstations and devices
- Secure transmission of records
These, together with the standards set under the Privacy Rule, are intended to keep personal health information restricted to those who have a right to access it. In addition to keeping medical records safe from unauthorized persons, HIPAA medical records storage requirements state that PHI must be made available to patients and others who have a right to access it.
Secure Disposal of HIPAA Documents
HIPAA doesn’t specify required methods of document destruction for files that contain PHI, but it does set forth some basic guidelines that can be applied to the destruction of medical records. Put simply, paper medical records must not be abandoned where they are accessible to unauthorized individuals, such as in a dumpster or trash bin. Organizations handling PHI must ensure patient medical records are destroyed in a way that minimizes the risk that their contents will be stolen. Common methods of HIPAA compliant document destruction include:
- Document destruction through burning, shredding, or any other method that renders data irrecoverable to protect against the threat of a data breach;
- Clearing, overwriting, or purging electronic media; and
- Third-party disposal or destruction services through a vendor, such as Armstrong Archives.
HIPAA’s requirements for storing the confidential information found in medical records are more specific than its requirements for destroying health and medical records. The destruction side is relatively vague: there are few laws and little detail about shredding medical records. The most important factor in medical record destruction is that whatever method is used must ensure the records will not be exposed to unauthorized eyes and will not be recoverable once destroyed.
Medical shredding, and any kind of handling of protected medical information, requires the highest level of service from a records management provider. You must be sure to select a document shredding service that you can trust to handle confidential documents with appropriate safeguards and with the utmost care. Be sure to ask about the destruction strategies your medical shredding service uses to ensure all patient data is properly destroyed.
How will the medical records shredding company transport sensitive health care records to the location where they will be destroyed? This is also part of the provider’s responsibility for proper disposal. Armstrong Archives can provide your medical practice with locked consoles for the collection of medical files that are ready for medical records shredding. Contact us to learn more about our document shredding services.
When you use a third party for destruction services, many vendors will provide a certificate of destruction. This certifies that your paper or electronic medical records went through the destruction process. Be sure to ask for a certificate of destruction and keep it as part of your medical records management documentation.
HIPAA itself does not set forth any standards on how long medical records should be maintained. Instead, state laws govern when PHI may be destroyed. Under Texas law, physicians must keep patient records for 7 years after their last visit or until the patient reaches the age of 21 (if under 18), whichever is longer. This is why responsible healthcare providers in Texas must have HIPAA compliant records storage to maintain patient information for the required time periods in a secure and fully compliant way.
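The "whichever is longer" retention rule above is easy to get wrong in a records index, especially for patients who were minors at their last visit. The following is an added example, not code from Armstrong Archives or from any Texas statute: it computes the earliest date a record may be scheduled for destruction under the rule as quoted (7 years after the last visit, or until the patient turns 21 if they were under 18, whichever is later). Function names, the sample records and the assumption that "under 18" is judged on the date of the last visit are all the example's own; confirm the exact rule with your state's medical board before relying on it.

```python
from datetime import date

# Hypothetical retention rule, modelled on the Texas rule quoted in the text.
# Assumption (not stated on the page): "under 18" is evaluated on the date of
# the patient's last visit.
RETENTION_YEARS = 7            # years after last visit
MINOR_AGE_LIMIT = 18           # patient younger than this at last visit is a minor
MINOR_RETENTION_UNTIL_AGE = 21 # minors' records are held at least until this birthday


def add_years(d: date, years: int) -> date:
    """Add whole years to a date; a Feb 29 anniversary in a non-leap year becomes Feb 28."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def age_on(date_of_birth: date, on: date) -> int:
    """Whole years of age on the given date."""
    years = on.year - date_of_birth.year
    if (on.month, on.day) < (date_of_birth.month, date_of_birth.day):
        years -= 1
    return years


def earliest_destruction_date(date_of_birth: date, last_visit: date) -> date:
    """Earliest date the record may be destroyed under the quoted rule."""
    seven_years_after_visit = add_years(last_visit, RETENTION_YEARS)
    if age_on(date_of_birth, last_visit) < MINOR_AGE_LIMIT:
        twenty_first_birthday = add_years(date_of_birth, MINOR_RETENTION_UNTIL_AGE)
        # Minor at last visit: hold until the LATER of the two dates.
        return max(seven_years_after_visit, twenty_first_birthday)
    return seven_years_after_visit


def may_destroy(date_of_birth: date, last_visit: date, today: date) -> bool:
    """True only once the retention period has fully elapsed."""
    return today >= earliest_destruction_date(date_of_birth, last_visit)


def destruction_schedule(records: list, today: date) -> dict:
    """Split a records index into those eligible for destruction today and those on hold."""
    eligible, hold = [], []
    for rec in records:
        target = earliest_destruction_date(rec["dob"], rec["last_visit"])
        (eligible if today >= target else hold).append((rec["id"], target))
    return {"eligible": eligible, "hold": hold}


# Constructed sample index (fictional patients) used to exercise the rule.
SAMPLE_RECORDS = [
    {"id": "R-ADULT", "dob": date(1980, 5, 10), "last_visit": date(2020, 3, 15)},
    {"id": "R-CHILD", "dob": date(2015, 6, 1),  "last_visit": date(2020, 3, 15)},
    {"id": "R-TEEN",  "dob": date(2003, 1, 20), "last_visit": date(2020, 3, 15)},
    {"id": "R-EXACT18", "dob": date(2002, 3, 15), "last_visit": date(2020, 3, 15)},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec["id"], earliest_destruction_date(rec["dob"], rec["last_visit"]))
    print(destruction_schedule(SAMPLE_RECORDS, date(2030, 1, 1)))
```

The point worth noticing is R-CHILD: a four-year-old's record from 2020 is not eligible in 2027 with the adult records but must be held until the patient's 21st birthday in 2036, so a schedule that only looks at the last-visit date would destroy it years early. R-EXACT18 shows the boundary: a patient who turned 18 on the day of the visit is treated as an adult under the stated assumption.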