Medical file storage guidelines

Instead, state laws govern when PHI may be destroyed. Under Texas law, physicians must keep patient records for 7 years after their last visit or until the patient reaches the age of 21 if under 18 , whichever is longer. This is why responsible healthcare providers in Texas must have HIPAA compliant records storage to maintain patient information for the required time periods in a secure and fully compliant way.

To learn more about our records management services, contact us today. Medical records containing PHI may be stored in a storage unit if properly protected from data breach. Patient privacy must be protected. To comply with the Security Rule, an organization must. We have years of experience in medical records shredding and are proud to provide trusted document shredding services to healthcare practitioners throughout the state of Texas.

HIPAA forbids the unauthorized disclosure of PHI and establishes safeguards to protect the privacy of records, in any form, that contain this information. To clarify, this does include protected health information that patients may find sensitive in nature, including patient medical records that would broach patient privacy. The retention period of medical records is a matter determined by state law.

Instead, the rule states that covered entities undertake measures necessary to protect the privacy of medical records and PHI until secure record destruction takes place. Email: info aarchives. Since the medical file contains sensitive and confidential information, it must reside in a safe, locked, inaccessible location. The file cabinet that houses employee medical files should also lock and HR staff should have the only keys.

Access to employee medical files is restricted to Human Resources staff only. The Health Insurance Portability and Accountability Act of HIPAA requires employers to protect employee medical records as confidential; medical records should be stored separately and apart from other business records.

Because of the confidentiality of the information, records must be isolated from files that employees such as supervisors or managers may access. Actually, this is also recommended for personnel files in general—give only HR staff access. If in doubt, err on the side of protecting the medically related information of your employees. If you keep these files confidential, your employees will trust you and you will uphold the spirit and significance of the law.

Please note that the information provided, while authoritative, is not guaranteed for accuracy and legality. HIPAA is essentially about trust. Patients trust you with their confidential health data. You earn that trust by keeping your environment HIPAA compliant , and lose some of it if you experience a breach or are exposed for a violation.

Jobs in healthcare. Your email address will not be published. Please add me to your Email Newsletter! Look to the Security Rule for guidance Your primary consideration when you are considering HIPAA storage is the Security Rule , which includes physical , administrative and technical protections that should be used to prevent unauthorized access. Following the Security Rule requires organizations to do the following: Verify that the electronic health records they produce, receive, store, or send are all strongly available, with their integrity and privacy maintained.

Determine and set up defenses against threats to the data that are reasonably anticipated. Set up protections to prevent use or disclosure that is not allowed and is reasonably foreseen.

Be certain that your employees are following compliance guidelines. Essential HIPAA-compliant storage safeguards Here are the specific ePHI safeguards you need, whether internally or through an organization you contract, across the three Security Rule categories: Technical safeguards Transmission security — A HIPAA-compliant organization needs to deploy technical security mechanisms that keep nefarious parties from being able to unlawfully access health records that are being sent through the network.

However, when maintaining information, various issues may arise. Lack of file space and volumes of information are just a couple of issues that create labor-intensive maintenance processes for retrieval of health records. These issues necessitate a record retention schedule. Historical health record maintenance processes include various methods such as scanning to optical disk, use of microfilm or microfiche, and off-site storage of records.

As new technology and media are developed and implemented, many organizations do not have the capability to go backward and scan records to free up storage space. As a result, health information resides in multiple storage media and locations creating the need for a clearly defined record retention plan. There is no single standardized record retention schedule that organizations and providers must follow.

Instead, a variety of retention requirements must be reviewed to create a compliant retention program. The challenge is to ensure that these requirements are compared with state-specific requirements and that all records are maintained to the more restrictive timeline. See appendix A for a list of federal record retention requirements.

Individual states have specific retention requirements that should be used to establish the organization's retention policy. Refer to your state laws for state-specific record retention requirements. In the absence of specific state requirements, providers should keep health information for at least the period specified by the state's statute of limitations or for a sufficient length of time for compliance with laws and regulations.

If the patient is a minor, the provider should retain health information until the patient reaches the age of majority as defined by state law plus the period of the statute of limitations. A longer retention period is prudent, since the statute may not begin until the potential plaintiff learns of the causal relationship between an injury and the care received.

In addition, under the False Claims Act 31 USC , claims may be brought up to seven years after the incident; however, on occasion, the time has been extended to 10 years.

Organizations and providers should compare state retention requirements and statute of limitations with legal counsel when developing a record retention schedule.

Another mechanism that provides record retention guidelines is accreditation agency standards. Agencies such as the Commission on Accreditation of Rehabilitation Facilities, Det Norske Veritas, Medicare Conditions of Participation, and the Joint Commission have incorporated record retention schedules into their accreditation survey processes.

See appendix B for a sample list of accreditation agency retention standards. Appendix C outlines AHIMA's recommendations for minimum record retention time periods in the absence of any federal, state, or accreditation requirements.

In addition, organizations with special patient populations need to go one step further in developing a records retention schedule. Special populations such as minors, behavioral health, or research patients may be governed by other regulations. The Food and Drug Administration, for example, requires research records pertaining to cancer patients be maintained for 30 years.

Because no clear-cut standard has been established for record retention, comparing the variety of record retention requirements is often time-consuming and labor-intensive. Every organization should review and compare the varying retention schedules to follow the more restrictive requirement. An example comparison among federal, state, and accreditation requirements and AHIMA recommendations is shown below; the more restrictive requirement is shaded.

Once the retention schedule has been determined, the next step is to identify active and inactive records. Routine functions may include activities such as release of information requests, revenue integrity audits, or quality reviews.

Inactive records usually involve a patient who has not sought treatment for a period of time or one who completed his or her course of treatment. Defining active and inactive records also may depend on other issues such as physical file space, the amount of research done, and availability of off-site storage. For example, because of limited file space, an organization may determine that records are active for a period of one year from the discharge date. After one year, the record is moved to off-site storage or scanned to a DVD and considered inactive.

In this instance, inactive does not mean that the record can be destroyed because the record has not yet met its full retention requirement. Each organization should determine a cutoff point usually a discharge date that signals the time at which a record becomes inactive.

In determining the appropriate cutoff, consider the following:. Identifying and maintaining active and inactive records is an important step in the successful maintenance of a filing system.

Once the organization defines active and inactive records, the purge process can begin. Purging is the act of separating active from inactive records in a filing system or database according to the retention schedule. Without a clear-cut purging method, the task can be daunting. If the organization uses the discharge date as the cutoff date for inactive records, an additional consideration regarding the unit records is needed. A unit record is one in which the patient is assigned one medical record number.

That medical record number remains the same for every visit the patient has, and individual visits are assigned unique account numbers that change with each new visit. Subsequently, when the record is filed, the patient may have one folder based on the single medical record number with multiple visits account numbers inside. Maintaining the entire folder, with multiple discharge dates, on the shelf may not yield the purge results expected.

Instead, organizations may choose to purge from the unit file all discharge dates identified as inactive.