It should be noted that these expectations relate only to board investigations and are without prejudice to other legal or ethical retention obligations. Licensees are encouraged to seek advice from private legal counsel and/or their malpractice insurance provider. Under the HIPAA Privacy Rule (45 CFR Parts 160 and 164), where destruction services are outsourced to a business partner, the contract must provide that the business partner determines which uses and disclosures are permitted and necessary and includes the following: To protect against unauthorized access and sharing, Your practice`s medical records management policies should take into account the physical security of paper documents. security measures for electronic registration systems and staff access to electronic and paper records. Contact your firm`s legal counsel to determine if your policies comply with state and federal laws regarding the storage and release of PHI. In doing so, make sure you and your attorney talk about the following topics: “HIPAA itself says that if a state`s law is more restrictive, that state law applies. This includes things like medical record retention requirements,” says Ustin. Lack of disk space and amounts of information are just some of the issues that result in labor-intensive maintenance processes to recover medical records. These issues require a record retention schedule. Historical health record keeping processes include various methods such as optical scanning, the use of microfilm or microfiche, and off-site storage of records.
As new technologies and media are developed and implemented, many organizations are unable to go back and digitize recordings to free up space. As a result, health information resides on multiple storage media and locations, requiring a well-defined record retention schedule. In the absence of a state law to the contrary, organizations must ensure that paper and electronic records are destroyed using a method that does not provide for the possibility of reconstructing the information. “It`s important to understand the difference between medical records and non-medical records related to HIPAA. The rule of thumb here is this: states establish the law on medical records, while non-medical documents related to HIPAA require a minimum retention period of six years,” Garrubba explains. Also, trying to go through these channels can be very risky, so be sure to work with your legal counsel and privacy to get additional advice. For example, Hospital A identified inactive files as files with a discharge date prior to December 31, 2008. For cleaning, social workers open each unit file and separate all discharges (inpatients and outpatients) before that date. Older files are sent to external storage. The following is an example of unit file cleanup where records prior to December 31, 2008 are considered inactive.
Shaded records are those that are sent to external storage for the remainder of the retention schedule. If it is licensee`s policy to purchase insurance or other forms for established patients, the Board is of the opinion that the licensee must complete these forms in a timely manner. If a form is simple, the licensee must perform this task free of charge. If a form is complex, the licensee may charge a reasonable fee. Since many legal and ethical considerations must be considered before medical records are destroyed or discarded, it is strongly recommended that a record retention policy be implemented before records are destroyed or discarded. This policy should establish a detailed procedure (taking into account all legal and ethical considerations) for assessing the retention period of each medical record. A checklist and decision matrix can be developed to determine how long a file should be kept. Once adopted, the Directive should be reviewed at least once a year to ensure that it continues to comply with all relevant laws and ethical considerations. “Inactive” means that records are rarely used, but must be retained for reference purposes or to meet the requirement for full retention. Inactive records generally involve a patient who has not sought treatment for some time or who has completed treatment. For non-medical records, affected organizations should review HIPAA requirements regarding the retention period of HIPAA-related non-medical records, says Tom Garrubba, vice president of Shared Assessments, a group based in Santa Fe, New Mexico, that helps organizations develop best practices, training, and tools to advance third-party risk protection.
“Make sure you`ve backed up the policies and incorporate them into the broader mandatory HIPAA training you take each year to make sure your employees have a full understanding of what you`ve done as a policy,” says Ustin. “It`s very easy to get it wrong because you might instinctively think that great organizations will be better, but that`s not always true. The larger an organization is, the more complicated it is, the more likely it is that something will fall through the cracks. The destruction of patient health information by an organization or provider shall be carried out in accordance with federal and state laws, in accordance with an appropriate written retention schedule and a destruction policy approved by the appropriate organizational parties.