Medical Records Destruction: A Guide to HIPAA Compliance [Video]

Medical records are one of the most highly regulated types of files due to the amount of personal information that they contain. In this video, you will learn which types of files need to be securely destroyed, when to do so, and the different options for destruction.

Video Transcription

Medical Records Destruction: The Guide to HIPAA-Compliant Shredding

1. What Do Medical Records Contain? What Goes Into a Medical Record?

Protected Health Information (PHI)

Medical records contain sensitive, protected health information (PHI) about a person’s health and history.

Disposing of PHI with the proper destruction processes for medical records is critical to protecting patient privacy and avoiding hefty penalties from HIPAA.

2. Different Types of Medical Records & PHI: Common Medical Information to Destroy

There are eighteen types of information defined as PHI and protected under HIPAA:

      • Account numbers
      • Biometric identifiers (fingerprints, retinal scan, etc.)
      • Certificate / license numbers
      • Device identifiers and serial numbers
      • Dates
      • Email addresses
      • Fax numbers
      • Full face photos and comparable images
      • Geographic data
      • Internet protocol addresses
      • Health plan beneficiary numbers
      • Medical record numbers
      • Names
      • Social security numbers
      • Telephone numbers
      • Vehicle identifiers and serial numbers
      • Web URLs
      • Unique identifying numbers, characteristics, and codes

Common types of medical records that healthcare providers need to store and destroy include:

      • Surgical history
      • Obstetric history
      • Medications and medical allergies
      • Family history
      • Health habits
      • Immunization history
      • Growth chart and developmental history
      • Physical examinations
      • Chief complaints
      • Orders and prescriptions
      • Test results

3. Factoring in HIPAA: Where Does HIPAA Fit in With Medical Records Destruction?

What Is HIPAA?

Passed in 1996, the Health Insurance Portability and Accountability Act (HIPAA) helps to protect PHI. HIPAA requires implementing safeguards to prevent prohibited uses and disclosures of PHI, including during its disposal.

According to the HIPAA Privacy Rule, medical records are required to be stored and maintained for at least 6 years after the date of their creation or date of last use—whichever comes first.

HIPAA Rules Violations: The Cost of Noncompliance

| | Violations Prior to 2/18/2009 | Violations After 2/18/2009 |
|---|---|---|
| Penalty Amount | Up to $100 per violation | $100 – $50,000 (or more) per violation |
| Calendar Year Cap | $25,000 | $1,500,000 |

Medical Record Retention: How Long HIPAA Says to Hang On

| Medical Record Type | Retention Period |
|---|---|
| Diagnostic Images | 5 years (after age of majority) |
| Disease Index | 10 years |
| Fetal Heart Monitor Records | 10 years (after age of majority) |
| Master Patient / Person Index | Permanently |
| Operative Index | 10 years |
| Patient Health Records | 10 years after last use |
| Physician Index | 10 years |
| Register of Births / Deaths | Permanently |
| Register of Surgical Procedures | Permanently |

4. Medical Records Destruction & Disposal: When Medical Records Should Be Shredded

Medical Records Destruction According to HIPAA

HIPAA leaves it up to providers to decide on destruction methods, but does not permit medical records to be discarded without proper disposal methods like shredding or electronics destruction.

When Medical Records Should Be Destroyed

      • After Retention Periods Pass: Your medical records and other files containing PHI have passed their required retention times.
      • Transition to Paperless: You’ve just transitioned to using electronic health records (EHR) and your paper records are scanned.
      • Administrative Mistakes: Clerical errors were made while handling medical records and a new copy needs to be created or filed.

Steps to Take Before You Shred Medical Records

  1. Research state medical records retention laws
  2. Create a plan to store and track medical records for retention
  3. Establish a destruction plan for when retention times are up

Once your medical records are prepared for shredding, the only step left is deciding on your method of destruction.

Common Medical Records Destruction Methods

Mobile Shredding

Mobile shred trucks come to your location, destroying medical records on-site while you watch. Since many need to document record destruction jobs, certificates of destruction are also typically provided to detail the project specifics.

Off Site Shredding

Trucks come to your location to pick up medical records, but instead of shredding on-site, the records are taken in locked bins to an off site facility. Since trucks don’t need to stay for shredding, off site becomes more cost-efficient the more records you dispose of at one time.

Searching for Medical Records Shredding?

Shred Nations works with a nationwide network of local shredding experts. We find the right shredder that can handle your destruction project, when and where you need them.

To get free, no-obligation quotes in just minutes, fill out the form on the right or give us a call at (800) 747-3365.