HIPAA Compliant Records Storage and Destruction

The Health Insurance Portability and Accountability Act (HIPAA) created standards for the storage and disposal of protected health information (PHI) such as the information found on medical records. Healthcare providers and businesses must comply with HIPAA, not only to obey privacy laws created to protect confidential patient information but also to avoid costly fines and lawsuits. Here, we review guidelines to follow to ensure your organization has HIPAA compliant records storage and destruction procedures in place.

Storing Medical Records

Medical records must be stored securely in order to comply with HIPAA regulations. All paper and electronic records must be organized and kept in a secure environment that is locked, password protected and off-limits to unauthorized individuals.

Additionally, the records should only be accessed by authorized personnel who need access to perform their job duties. Storing electronic medical records also requires additional security measures, such as encryption, to protect the data from unauthorized access.

Storing Protected Health Information

The HIPAA Security Rule broadly shields protected health information by stipulating certain requirements for records management of medical records and other types of files that might contain this information. The rule dictates that PHI must be protected by administrative, technical, and physical safeguards. These include, but are not limited to:

  • Annual risk assessments
  • Employee training
  • Assignment of a privacy officer
  • Reviewing policies
  • Unique user identification for accessing electronic PHI
  • Encryption of ePHI
  • Physical and electronic access control
  • Secure workstations and devices
  • Secure transmission of records

These, in connection with the standards set under the Privacy Rule, are intended to keep personal health information restricted only to those who have a right to access it. In addition to keeping medical records safe from unauthorized persons, HIPAA medical records storage requirements state that PHI should be made available to patients and others who have a right to access it.

Struggling with HIPAA-Compliant Storage or Destruction?

The team at Armstrong Archives is here to help! We specialize in short and long term storage of medical records as well as secure document destruction for medical offices, legal practices and other businesses that require HIPAA compliance. To learn more contact our team.

Secure Disposal of HIPAA Documents

HIPAA doesn’t specify required methods of document destruction for files that contain PHI, but it does set forth some basic guidelines that can be applied to the destruction of medical records. Put simply, paper medical records should not simply be abandoned where they are accessible to unauthorized individuals, such as a dumpster or trash bin. Organizations handling PHI must ensure patient medical records are destroyed in a way that minimizes the risks that their contents will be stolen. Common methods of HIPAA compliant document destruction include:

  • Document destruction through burning, shredding, or any other method that renders data irrecoverable to protect against the threat of a data breach;
  • Clearing, overwriting, or purging electronic media; and
  • Third-party disposal or destruction services through a vendor, such as Armstrong Archives

The requirements for storing the confidential information found in medical records are more specific than those provided for the destruction of health and medical records.  The destruction process is relatively vague: there are few laws and specifics about shredding medical records. The most important factor in medical record destruction is that whatever method is used must ensure the records will not be exposed to unauthorized eyes, or recoverable once destroyed.

Medical shredding, and any kind of handling of protected medical information, requires the highest level of service from a records management provider. You must be sure to select a document shredding service that you can trust to handle confidential documents with appropriate safeguards and with the utmost care.  Be sure to ask about the destruction strategies your medical shredding service uses to ensure all patient data is properly destroyed.

How will the medical records shredding company transport sensitive health care records to the location where they will be destroyed?  This is also part of the provider’s responsibility for proper disposal.  Armstrong Archives can provide your medical practice with locked consoles for the collection of medical files that are ready for medical records shredding.  Contact us to learn more about our document shredding services.

When you use a third party for destruction services, many will provide a certificate of destruction. This certifies that your paper or electronic medical records went through the destruction process.  Be sure to ask for a certificate of destruction and maintain it as part of your medical records management documentation.

When to Dispose of Records

HIPAA itself does not set forth any standards on how long medical records should be maintained. Instead, state laws govern when PHI may be destroyed. Under Texas law, physicians must keep patient records for 7 years after their last visit or until the patient reaches the age of 21 (if under 18), whichever is longer. This is why responsible healthcare providers in Texas must have HIPAA compliant records storage to maintain patient information for the required time periods in a secure and fully compliant way.

Armstrong Archives LLC guarantees HIPAA compliant records storage and secure document destruction. To learn more about our records management services, contact us today.

Frequently Asked Questions

The Health Insurance Portability and Accountability Act (HIPAA) sets out standards for the protection and privacy of individuals’ personal health information (PHI). HIPAA regulations for the protection of PHI apply to covered entities (e.g. doctors, clinics, insurance companies) and their authorized associates (e.g. 3rd party administrators, attorneys, CPAs, etc.) The HIPAA Privacy Rule forbids the unauthorized disclosure of PHI and establishes safeguards to protect the privacy of this information. Medical records containing PHI may be stored in a storage unit if properly protected from data breach. Patient privacy must be protected.

In order to be HIPAA compliant, electronic health records (EHR) must be stored in accordance with the HIPAA Security Rule which contains requirements for physical, administrative, and technical protections to prevent unauthorized access. To comply with the Security Rule, an organization must

  • Ensure the electronic health records they handle remain available, yet private and secure;
  • Engineer and execute defense strategies to thwart any reasonable potential threats to the data’s security;
  • Create protection systems to prevent any reasonably foreseen unauthorized use or prohibited release of data; and
  • Ensure that all employees are adhering to rules and protocols to ensure data safety and privacy.

When it comes to the safekeeping of medical records from any medical practice, Armstrong Archives takes HIPAA regulations and standards seriously to help protect our customers’ protected medical information without fail.  We have years of experience in medical records shredding and are proud to provide trusted document shredding services to healthcare practitioners throughout the state of Texas.

Yes. HIPAA forbids the unauthorized disclosure of PHI and establishes safeguards to protect the privacy of records, in any form, that contain this information. To clarify, this does include protected health information that patients may find sensitive in nature, including patient medical records that would broach patient privacy.

HIPAA does not specify a length of time that PHI must be maintained. The retention period of medical records is a matter determined by state law. Instead, the rule states that covered entities undertake measures necessary to protect the privacy of medical records and PHI until secure record destruction takes place.