All types of sensitive documentation require secure destruction at the end of their lifecycle. But medical records require extra attention because they contain such a high volume of personally identifiable information and are highly targeted by criminals and hackers.
The best way to protect patient health records is to shred expired records on time. Keeping a strict shredding schedule for medical records not only helps keep offices organized, it keeps them in compliance with strict laws that apply specifically to the medical industry, including HIPAA.
Medical Records Destruction: Stricter Than Most Shredding
With any type of sensitive information, secure document destruction is a priority. There are data breaches to prevent, laws that require information protection, and other factors to consider when disposing of records.
HIPAA requires even more attention to security when disposing of medical records. It’s designed to protect patient information, and its strict requirements dictate how that information should be handled and destroyed.
HIPAA Privacy Rule
The HIPAA Privacy Rule requires covered entities (health care providers, health plans, and health care clearinghouses) to implement reasonable safeguards to limit incidental, and avoid prohibited, uses and disclosures of Protected Health Information (PHI), including during disposal.
This includes protecting certain types of PHI that require more security, such as an individual’s name, social security number, driver’s license number, treatment information, or other identifying information.
The privacy rule also includes a financial incentive for compliance. For unknowing HIPAA violations, there are civil penalties of $100 for each failure up to $25,000 per year. For intentional violations, criminal penalties range from $50,000 to $250,000 along with 1-10 years in prison.
Medical Records Storage and Retention
HIPAA requires medical practices, facilities, and hospitals to have procedures in place to safeguard medical records during their lifecycle.
One common storage method is an offsite storage facility, which includes multiple safeguards.
Storage and Retention
While medical records are stored, covered entities are also required to retain the medical documentation outlined by HIPAA until 6 years after the date of the record’s creation or its last effective date.
If state laws require shorter retention periods, they are preempted by HIPAA’s retention requirements, which must be met before the records can be legally disposed of.
When medical records are stored at offsite facilities during their retention period, safeguards for records include protection methods like fire suppression and climate-control systems, on-premise video surveillance, and locked facilities to prevent unauthorized access or environmental damage.
Records Shredding and Certificates of Destruction
HIPAA’s privacy rule extends to include medical records disposal.
Like storage and retention, disposing of medical records requires the same safeguards to prevent accidental and intentional PHI disclosures.
Common disposal methods for records with PHI include shredding, pulverizing, or pulping the records so that information is unreadable, indecipherable, and cannot be reconstructed.
A Certificate of Destruction Proves Compliance
Besides following HIPAA’s rules, physical proof of compliance is also required.
When shredding medical records, one of the most valuable aspects of using shredding services is the formal Certificate of Destruction that’s provided after shredding is completed.
This document lists security details, including the medical records’ chain of custody, the date and time of shredding, location, witnesses, and most importantly a unique serialized transaction number to be used in compliance audits.