Things to Know About HIPAA Medical Records Destruction Rules

One of the most heavily penalized HIPAA violations is the failure to comply with the rules on medical records destruction. It is therefore important for Covered Entities and Business Associates to know how to destroy medical records properly.

Every state has its own rules for retaining medical records, and in certain instances particular types of medical records must be kept longer than others. Federal regulations can likewise stipulate how long particular records must be kept (e.g., OSHA 1910.1200(g)), and when these records are kept in a designated record set, they are regarded as PHI and Covered Entities must protect them until the retention period expires.

Though HIPAA has document retention requirements, it sets no minimum retention period for medical records. Nevertheless, the Privacy Rule demands that Covered Entities use appropriate technical, administrative, and physical safeguards to protect the privacy of health records for as long as the Covered Entity maintains them. This requirement also applies to the destruction of medical records.

The HIPAA Rules on Medical Records Destruction

Though there is no specific HIPAA medical records destruction rule, the Privacy Rule requires Covered Entities to identify reasonable steps to protect medical records during the destruction process and to create and enforce policies and procedures that implement those steps. In determining what is reasonable, the potential risks to patient privacy must be assessed, taking into account the form of the data and how it is destroyed.

Furthermore, the Security Rule requires Covered Entities and Business Associates to create and enforce policies and procedures for compliantly destroying electronic PHI and/or the media on which it is stored. Any employee engaged in the destruction process, or who supervises the employees in charge of destroying medical records, should receive training on the PHI destruction policies and procedures.

Failing to implement reasonable safeguards to protect PHI during its destruction can result in impermissible PHI disclosures. A number of Covered Entities have been fined for not complying with the HIPAA rules on medical records destruction:

  • CVS Pharmacy Inc. paid a $2.25 million settlement in 2009
  • The pharmacy chain Rite Aid paid a $1 million settlement in 2010
  • A medical billing practice paid a $140,000 settlement in 2013
  • The New England Dermatology and Laser Center paid a $300,640 settlement and implemented a Corrective Action Plan for 2 years

How to Destroy Health Records as Per HIPAA

HHS' Office for Civil Rights has previously issued guidance on destroying health records in accordance with HIPAA. The agency recommends shredding paper records, or otherwise destroying PHI so that it is essentially unreadable, indecipherable, and cannot be reconstructed, before placing it in a dumpster.

When destroying PHI in bulk, the agency advises placing it in locked dumpsters that only authorized persons can access, or keeping it in a secured area until a disposal company collects it for professional destruction. In such cases, a Business Associate Agreement must be signed with the entity in charge of destroying the data.

When destroying stored ePHI, HHS' Office for Civil Rights recommends clearing and then destroying the electronic media by disintegration, pulverization, incineration, melting, or shredding. It is essential to note that certain clearing and purging procedures are not 100% effective on contemporary hard drives, and erased data can in some cases be recovered.

It is also important to note that a number of states have stricter medical records destruction regulations than HIPAA, and in a few states any company that creates, retains, or transmits personal health information may be governed by medical records destruction regulations, not only HIPAA Covered Entities and Business Associates. If you are unsure which medical records destruction rules apply to your company, it is advisable to seek expert compliance advice.