It is highly recommended that healthcare organizations rely on third-party companies to manage the retention and destruction of health information. If you destroy HIPAA records using this template, your contract with the third-party provider must include the following: HIPAA record retention policies apply when a HIPAA-covered company collects information about health services or payments for health services. Examples of companies covered by HIPAA include healthcare providers, health plans, healthcare information clearinghouses, and various other companies that use health information. Purpose of RC.01.05.01: Medical records are retained for the period required by state law, or five years from the date of release if not required by state law. For a minor, the medical record is retained for the period established by law or at least three years after a resident reaches the age of majority in accordance with state law. Under HIPAA, every vendor and company that handles protected information must develop a policy for retaining and destroying medical records. Companies that do not create and enforce a robust policy to preserve and destroy medical records are at risk of compliance violations. HIPAA protects a variety of medical records and PHI and determines their defined retention period. HIPAA requires organizations to retain protected health information for six years after the date of creation or last effective date, whichever is later.
HIPAA rules for medical record retention exist to ensure that healthcare providers have full responsibility for protecting sensitive patient data. HIPAA determines how long healthcare organizations should retain PHI, how to store it safely, and when to destroy it. As with record keeping, there is no single standard shredding requirement. Some states require organizations to create a summary of destroyed patient information, notify patients when patient information is destroyed, or specify the method of destruction used to render the information unreadable. Organizations should re-evaluate the destruction method annually based on current technology, accepted practices, and the availability of timely and cost-effective destruction services. While HIPAA regulations are very clear about which records must be retained and destroyed, they do not go into the details of the methods to be used to destroy the records. However, there are some general guidelines that say: There is no standardized uniform record retention schedule that organizations and providers must follow. Instead, various retention requirements must be examined to create a compliant retention program. California law under 22 CCR § 72543 states that records are retained for all patients admitted or accepted for treatment. “All medical records of released patients must be completed and archived within 30 days of the date of discharge, and these records must be kept for at least 7 years, except for minors whose records are kept for at least 1 year after the minor has reached the age of 18, but in no case less than 7 years.” Gilmore Services is a NAID certified provider that is also provided by downstream data coverage to provide our customers with complete confidence and security in our services.
This means we are experts in storing and managing medical records in compliance with HIPAA regulations. We understand what you (and we) need to do to protect your patients' privacy and avoid HIPAA violations. They also assert that it is the responsibility of providers to protect the privacy of their patients and to take special precautions in destroying data that could lead to identity theft. Prophet, Sue. Compliance in Health Information Management: Model program for healthcare organizations. Chicago, IL: AHIMA, 1998. Recently, there have been numerous data breaches and attacks against healthcare providers and insurers. These attacks are the reasons why law enforcement is more important than ever. Organizations must permanently document the destruction of medical records and include the following (see Appendix D for a sample form): For more information on retention periods for medical records, providers may contact the American Health Information Management Association.
The key is that any medical records you get rid of must be destroyed in such a way that they cannot be rebuilt or recovered in any other way. Once the retention schedule is defined, the next step is to identify active and inactive records. “Active” means that records are regularly accessed or used. Routine functions can include activities such as approving requests for information, sales integrity audits, or quality checks. The definition of active and inactive records can also depend on other considerations, such as physical file space, the number of searches performed, and the availability of external storage. For example, due to limited file space, an organization might specify that records are active for a period of one year from the date of termination. After one year, the record is moved to external storage or digitized to a DVD and considered inactive. In this case, inactive does not mean that the record can be deleted, because it has not yet met its full retention requirement. The records management lifecycle begins when information is created and ends when information is destroyed. The image below provides a simple representation of the entire record retention process.
The goal of organizations is to manage every stage of the records lifecycle to ensure records are available. Creating information is easy to set up and most organizations don't care about creating or using information. However, various problems can arise when retaining information. Since the majority of private health information is still in paper form, external destruction via third parties such as Armstrong Archives is ideal. The third party can transport the documents via a sealed container before they are shredded with industrial-grade shredders. For example, Hospital A identified inactive files as files with a discharge date prior to December 31, 2008. For cleaning, social workers open each unit file and separate all discharges (inpatients and outpatients) before that date. Older files are sent to external storage. The following is an example of unit file cleanup where records prior to December 31, 2008 are considered inactive.