Ask the expert: How should healthcare providers secure archived patient records containing PHI?
HIM Connection, October 16, 2007
Want to receive articles like this one in your inbox? Subscribe to HIM Connection!
A: HIPAA requires facilities to retain patient records for a minimum of six years, and most states have longer retention periods. HIPAA requires that facilities securely store any archived records containing PHI. Storage methods will vary depending on the size of the organization and the physical layout of the facility. Consider the following:
- Store records in a secure room with limited access so that only designated staff members can access it. A secure room must be locked and have a sufficiently strong door or other barrier that cannot easily be breached.
- Maintain a log of retained records to assist in locating those that have reached the end of their legal life-the end of the retention period-so that facilities can easily locate and appropriately destroy them at that time.
- Implement a records retention policy and records retention schedule for all appropriate documents, not just patient files.
- Ensure that records are easily accessible in the event of an audit, or for provider needs. Pursuant to HIPAA and the Federal Rules of Civil Procedure, such records must be available as needed for regulatory or court purposes.
- Develop and implement policies and procedures related to the storage, especially concerning who has access to the records, who will manage the records, and lists of staff members prohibited from accessing archived records unless specifically authorized.
- Outline appropriate document destruction policies and procedures so that you can ensure that internal staff members or a contracted and trusted third party appropriately and securely destroy the archived documents at the end of their legal life.
- Ensure that your facility has processes in place to accommodate secure and private transfer of patient records from active to archived storage.
Editor's note: This Q&A was adapted from the October 2007 issue of Briefings on HIPAA. For more information, visit http://www.hcpro.com/content/76846.cfm.
Want to receive articles like this one in your inbox? Subscribe to HIM Connection!
Related Products
Most Popular
- Articles
-
- Q/A: Volume requirement for reporting hydration services
- Featured blog post: Nurses face felony charges after reporting physician to the Texas Medical Board
- Catch up on what's new with injections and infusions
- Topic: CMS, OESS post new security compliance review information, checklist
- What does case-mix index mean to you?
- Capturing all necessary codes for IUD insertion and removal can be challenging
- QA:Coding multiple initial infusions
- News and briefs: Oklahoma Osteopathic Association against residency bill change
- HIPAA Q&A: Level of encryption needed for email
- OB services: Coding inside and outside of the package
- E-mailed
-
- Q/A: Volume requirement for reporting hydration services
- Featured blog post: Nurses face felony charges after reporting physician to the Texas Medical Board
- Catch up on what's new with injections and infusions
- New conflicts of interest create new challenges
- Q/A. One injection code or two?
- What does case-mix index mean to you?
- Q&A tackles coding questions about injections and infusions
- Joint Commission Center announces handoff communication solutions
- Inside best practice: Reduce patient falls with a stoplight
- Identify modifiable risk factors to prevent patient falls
- Searched