E-News Exclusive

Properly Storing HIPAA Documents

By Raymond Rangel

HIPAA applies to two types of organizations: covered entities and business associates. Covered entities include treatment, operations, and health care payment organizations. Business associates include institutions that process patient data in the course of performing services for covered entities. Organizations within these categories are required to have HIPAA-compliant storage.

The main consideration with HIPAA storage is the Security Rule, which includes administrative, technical, and physical protections that should be used to prevent unauthorized access. Compliance with the Security Rule requires organizations to take the following steps:

• Verify that the health records they produce, receive, store, or send are all strongly available, with their integrity and privacy maintained.
• Establish defenses against threats to the documents that are reasonably anticipated such as security issues and fire and water damage.
• Establish protections to prevent use or disclosure that is forbidden and reasonably foreseen.
• Ensure employees are following compliance guidelines.

HIPAA and Paper Records
The HIPAA Privacy Rule prohibits the unauthorized disclosure of a patient’s health information in any format, including paper records. The rule’s goal is to protect an individual’s private health information while allowing the flow of health information when needed to provide quality health care. The rule is designed to protect patient rights while permitting the use of important information by medical professionals.

Permitted uses and disclosures of medical information without a patient’s consent includes public health activities, health oversight activities, law enforcement, organ donation, when required by law, essential government functions, research, identification of deceased persons, victims of abuse, judicial and administrative proceedings, to prevent a serious threat to health, and workers’ compensation.

Safeguarding Records On-Site
State laws typically dictate how long medical records are to be kept. HIPAA administrative rules require entities such as Medicare to keep adult medical records for six years and pediatric medical records for 10 years. The timeframe starts from the date of the document’s creation or the date when it was last in effect, whichever is later. HIPAA requirements overwrite state laws if they require shorter periods. Therefore, it’s recommended health care organizations be well versed in their state’s retention periods.

The Privacy Rule does not have medical record retention requirements, but it does require entities to apply appropriate technical, administrative, and physical safeguards to protect the privacy of a patient’s medical records for however long the entity maintains the information through the document’s disposal.

Storage Tips
Whether you are using a paper filing system or an EHR and only occasionally printing documents, reducing access and implementing security procedures are key.

Control access to a patient’s paper records by storing them in locked filing cabinets with only authorized personnel having access. Patients’ records should never be left unattended on desks or open shelving. Offices, storage rooms, and anywhere else patient records could be compromised need to be locked with keys, ID cards, or alarm keypads.

It is also a good idea to create a tracking process for the location of patient records along with a check-in system at storage facilities. This can be as simple as a sign-in sheet with the name of the person checking out the records with the time and date noted. Electronic systems requiring the swiping of ID cards are a more technical and secure way to track record movement.

Keep all of a patient’s records together; do not separate documents from the file. Staff reviewing patient records should shield them when colleagues enter their office. When disposing of documents, always shred them—never throw away patient records. Throwing away intact documents can lead to identity theft, so any documents containing personal information must be shredded; cross-cut shredding is the preferred method.

Adhering to these HIPAA document storage guidelines will help prevent the exposure of sensitive patient information. Patient information found to be released without proper authorization is subject to legal implications.

— Raymond Rangel is the sales manager of Data Storage Centers in Phoenix. Data Storage Centers are experts in the storage and organization of physical media and sensitive records for commercial enterprises.