April 27, 2009
Moving Mountains — The Proper Purge of Medical Records
By Annie Macios
For The Record
Vol. 21 No. 9 P. 20
Any conscientious healthcare organization will tell you that destroying patient files is a lot more complicated than simply turning on the shredder.
Who hasn’t walked into a healthcare facility and seen the voluminous number of medical records lining the walls and bursting from filing cabinets? How do these facilities manage when these stacks of paper are no longer in use or the time has come to purge certain files? Is there a proper method for destroying them, and how can facilities safeguard this protected information throughout the destruction process?
HIMSS indicates that hospitals, insurers, and other healthcare groups are becoming more focused on methods for managing protected medical records in compliance with HIPAA’s privacy and security guidelines, including aspects of storage and destruction, both of which are sometimes overlooked when it comes to safeguarding personal information.
Phil Bowden, national account manager at Shred-it, an international document destruction firm based in Canada, says medical record destruction presents healthcare facilities with a difficult challenge because of the nature of the business. “With hospitals and patient care, you end up with a situation where you have to ask, ‘When is the proper time to destroy these materials?’” he says.
Bowden notes that two fundamental questions arise when considering medical record destruction: Is it the proper legislative time to destroy the material? And, with research hospitals and genetic health treatment relying on historical patient information to determine the outcomes of studies and care, do you even destroy the records at all?
As far as guidelines for medical record destruction are concerned, Bowden says typical legislation generally states that “proper care must be taken to destroy the records, and materials must be destroyed in a secure process.” As such, facilities may choose whether to destroy the records on site or off site and which method of destruction to use, whether shredding, pulverization, or other means.
To Destroy or Not to Destroy?
HIPAA’s privacy rule does not include medical record retention requirements, choosing instead to defer to state laws to generally govern how long medical records are to be retained. However, the rule does require that covered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy of medical records and other protected health information (PHI) for whatever period that such information is maintained by a covered entity, including through disposal.
State guidelines vary in specifics, as well as in the degree of detail, regarding medical record disposal. For example, in Kentucky, if a patient was aged 18 or older on his or her last date of service, the record must be kept for 10 years from the last date of service. Illinois guidelines simply state, “The agency must have policies in place regarding the retention and destruction of medical records. For advice on record destruction, agencies are to contact agency legal counsel, or in the case of public entities, the Illinois Secretary of State’s Illinois State Archives.” Other states, such as California, have no specific regulations on how long patient records should generally be kept.
Sandra Nunn, MA, RHIA, CHP, enterprise content and information manager at Presbyterian Healthcare Services in Albuquerque, N.M., stresses the importance of knowing state guidelines as far as record retention, as well as checking the Centers for Medicare & Medicaid Services and HIPAA protocols and recommendations. She adds that in a hybrid environment, where paper charts and electronic medical records (EMRs) are used, healthcare organizations must also make sure the state recognizes the electronic record as a legal medical record. As it stands, each state’s definition of a legal medical record may be different.
How facilities approach the destruction of dormant records again depends on each state and facility. Guidelines found in the HIMSS Privacy & Security Toolkit suggest destroying media that contains PHI by crosscut shredding, burning, pulping, or pulverizing. Conversely, HIPAA privacy and security rules do not require a particular disposal method. They simply suggest that covered entities review their own circumstances to determine what steps are reasonable to safeguard PHI through disposal and develop and implement policies and procedures to carry out those steps.
Nunn suggests the Department of Defense standards, which are generally considered the minimum standards that must be met for a records management system, as a good starting point for those establishing a medical record destruction program. She also points out that a facility must define what a medical record includes. For example, on the maternity ward, a mother’s wristband that matches her baby’s is often removed and becomes part of her medical record. In this case, the hospital must have a vendor who can destroy that record properly.
The process used at Presbyterian Healthcare Services involves sending out a destruction notice to the department head regarding the records to be destroyed, along with a copy of the forms and an agreement to destroy the records signed by the manager. Nunn recommends keeping the signed agreement as evidence that the department head was aware of the destruction.
At Presbyterian Healthcare Services, the largest healthcare provider in New Mexico, Nunn estimates that 80,000 boxes of medical records exist at a storage facility and are dealt with on a monthly basis. Her responsibilities include having the records picked up and destroyed. Upon completion of the task, she is given a signed certificate of destruction indicating exactly what was destroyed.
Typically, HIM directors are in charge of orchestrating the timely and proper destruction of medical records. “But, of course, if radiology films are being purged, the radiology director will be involved; if it’s glass slides from the laboratory, the lab director is involved,” says Nunn.
In addition to HIM directors, the health records department is usually involved in the decision making regarding if, when, and how to destroy the medical records. A privacy officer is also involved to establish due diligence to ensure the destruction is done in compliance with federal and state law, as well as the facility’s written retention schedule and destruction policy. “Once the decision is made, though, the destruction is easy,” says Bowden.
Shred-it, which enables facilities to have records destroyed on site, shreds documents according to the standards set forth by the client. “The records are destroyed on site with a witness, which maintains the chain of custody and no liability, as the healthcare professional can actually watch the material being shredded. There are just too many examples of medical records slated for destruction ending up where they shouldn’t be,” says Bowden.
The process can be completed quickly. For example, Shred-it can destroy approximately 5,000 pages in one to two minutes. “It can take one hour to a week to complete medical records destruction, depending on the size of the facility. By doing it on site, someone from the facility can accompany the materials at all times,” says Bowden.
The frequency of medical record destruction varies by facility. “Some clients perform destruction of the records at various, regularly scheduled intervals, while others do it when they reach a certain quantity, perhaps—for example, regularly shredding all records that are 10 years or older,” Bowden says.
He notes that it is important for healthcare organizations to perform due diligence when choosing a vendor, making sure the company can comply with the facility’s guidelines. “Some vendors sort the paper before shredding, but that just adds more eyes and hands handling this sensitive material,” Bowden says. “On-site shredding helps eliminate this issue as we release the certificate of destruction once the shred is complete.”
What About EMRs?
The destruction of electronic-based medical records is also a major issue facing facilities. IT staff must ensure that the records are completely destroyed, with no backups on tape. “They also have to ask how many generations of the material are available on laptops or how many versions of the EMR are out there,” says Bowden.
With an increasing number of healthcare facilities responding to the push to go digital, it is vital that these records follow protocols for future destruction. Eliminating electronic records, Nunn says, is a bit less of a physical hassle because the records are archived to tape. As such, Nunn simply doesn’t renew the archives and works with IT leadership to make sure proper procedures are taken to ensure that no layers of the electronic record exist.
The AHIMA suggests magnetic degaussing as the preferred method for destroying computerized data, a technique that alters the way data align in the magnetic storage field and renders the previous data unrecoverable and impossible to reconstruct. Overwriting can also be used to destroy computerized data, but, in theory, files that have been overwritten as many as six times can still be recovered.
Bowden points out another major issue surrounding EMRs: the question of who owns the information contained in the record. Is it the patient? The institution? The physicians? According to Nunn, while patients have access to the information contained in their records and have the right to request a copy, following the established destruction protocols can protect a facility should a patient request their record after proper destruction occurs.
Keeping a Destruction Log
Bowden recommends that healthcare facilities document what was destroyed, the date of destruction, and the authorization and protocol used to track the process through its information management system.
The AHIMA recommends that medical record destruction documentation include the date and method of destruction, a description of the disposed records, inclusive dates covered, a statement that the records were destroyed in the normal course of business, and the signatures of the individuals supervising and witnessing the destruction. It also recommends that facilities maintain destruction documents permanently.
HIMSS suggests the destruction log contain the patient’s name, ID number, and other key identifiers (eg, dates of service); a description of records being destroyed; general record content; type of media (paper, fiche, CD, etc); the date the records were destroyed and method of destruction; and the name and signature of the person or the company destroying the records.
Facilities undertaking the destruction of paper records need to keep in mind the project’s financial ramifications, especially during this economic downturn. “It costs a lot to destroy paper records, especially if you are a large facility. It’s important to find a vendor that is cost-effective,” says Nunn, who also notes the importance of making sure the records are destroyed to the right level and that safeguards are followed for transporting the records to the destruction facility.
Patients who undergo secondary services, thereby creating a new file a few years after the initial file was created, pose another challenge to healthcare facilities. Moreover, because so many patients are interested in a holistic approach toward healthcare, often with various specialists adding to their medical records at various sites, it can dictate holding on to a medical record for a longer period. “HIM managers must manage what the facility has collectively in that file for that patient and act accordingly,” Bowden says. “The hospital must make sure it is a very regimented process that everyone follows.”
To keep current on the latest medical record destruction methods, the AHIMA recommends reassessing the process annually based on current technology, accepted practices, and availability of timely and cost-effective destruction services.
“People don’t think enough about this important aspect of healthcare,” says Nunn. “They tend to want to store the paper records,” which is why having protocols and guidelines in place is so important when the time comes for destruction.
— Annie Macios is a freelance writer based in Doylestown, Pa.