Health Information Management

Q: How should provider offices secure archived patient records containing PHI? Provider offices must implement specific measures to protect the records. What are those measures? Do the regulations differ for off-site and on-site records?

HIPAA Weekly Advisor, October 8, 2007

A: HIPAA requires patient record retention for a minimum of six years, and most states have longer retention periods. HIPAA requires that any archived records that contain PHI be stored securely. Storage methods vary depending on the size of the organization and the physical layout of the facility. Consider the following tips for storing archived records:

  • Store records in a secure room with limited access so that only designated staff members can access it. A secure room must be locked and have a sufficiently strong door or other barrier that cannot be easily breached.
  • Maintain a log of retained records to assist in locating those that have reached the end of their legal life (the end of the retention period) so they can be easily located and appropriately destroyed.
  • Implement a records retention policy and records retention schedule for all appropriate documents, not just patient files.
  • Ensure that records are easily accessible in the event of an audit or for provider needs. Pursuant to HIPAA and the Federal Rules of Civil Procedure, healthcare providers must make such records available as needed for regulatory or court purposes.
  • Develop and implement policies and procedures related to storage, especially concerning who has access to the records, who will manage the records, and lists of work force members prohibited from accessing archived records unless specifically authorized. Remember to train staff members on any implemented policies and procedures to which they must adhere.
  • Outline appropriate document destruction policies and procedures to ensure that internal staff members or a contracted and trusted third party appropriately and securely destroy the archived documents at the end of their legal life.
  • Do not store documents waiting to be archived in a nonsecure location while they are waiting to be catalogued and stored in the secure location with other archived patient records. Ensure that your facility has processes in place to accommodate the secure and private transfer of patient records from active to archived storage.
  • Remember that you must maintain the security of the records that you target for archiving, while you prepare them for archiving, while they are archived, and during the final destruction process.

If a provider uses an external party to store and later destroy archived records, the provider must be reasonably certain that the third party is bonded, has implemented the appropriate privacy and security practices, has a secure location to store archived documents, and has a method of securely transporting documents to be archived at their location. Also, a business associate contract is necessary when using the services of a third party that will have access to PHI in a physician's office.

Editor's note: Chris Apgar, president of Portland, OR-based Apgar & Associates, LLC, answered this question. This is not legal advice. Consult your attorney for legal matters.
