• E-mail
• Print
• RSS

Dispose of patient records properly

Ambulatory Safety Monitor, February 4, 2004

Want to receive articles like this one in your inbox? Subscribe to Ambulatory Safety Monitor!

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) shouldn't be the only regulation you refer to when developing the appropriate policies and procedures for record retention, says Rebecca Williams, Esq, RN, counsel and co-chair of the HIPAA group at Davis Wright Tremaine LLP in Seattle and chair of the preemption sub-workgroup for the Workgroup for Electronic Data Interchange.

The following are some tips for coming up with your facility's policies and procedures for record disposal:

1. Refer to state laws. The privacy rule says you have to keep records for six years after you start them. But despite this minimum retention period, in the vast majority of cases, that won't be nearly long enough because your state law will specify a longer period. If your state statutes don't specify a retention period, rely on your state's statute of limitations on filing malpractice lawsuits.

2. Set policies before you start destroying records. The privacy officer, compliance officer, legal counsel, medical records staff, and quality assurance or risk management staff should collaborate on the policy and legal counsel should approve any retention time period you establish, says Williams.

3. Separate active from inactive records. A health information management (HIM) professional should help sort through patients' records to determine whether they are eligible for destruction, says Williams. For example, a physician treating a cancer patient may not need to know about the patient's broken leg from 15 years ago. Still, the doctor may prefer to keep all the information.

Consider leaving those types of decisions to the actual health care providers, she says. Consult with the physicians and other providers on the frontline and keep them in the loop. Ask the physician whether he or she needs the record.

4. Expect the unexpected. Shredding is the best way to dispose of paper records, says Williams. It's not particularly expensive or time-consuming. Placing records in a locked box and sending them to a landfill still leaves those records intact.

5. Work closely with your facility's waste disposal service. Know exactly what your waste contractor is doing with the waste and make sure its employees know how important HIPAA is, says Williams. Train them to make sure they're sensitized to privacy issues. If the company is shredding the records for you, you'll need a business associate contract with the company, she says. If it's just disposing of material you've already destroyed, you probably don't need one.

Identification bands, lab slips, slides, and specimens also require special disposal, adds Williams.

6. Pay special attention to electronic records. Destroying electronic records can be more difficult. "The security rules says that the information needs to be purged or deleted, but we all know that hitting the delete key is really hitting the hide key," says Williams.

Make sure you're really eliminating all information from your computer equipment before getting rid of it. That may require that you actually destroy the machinery.

Want to receive articles like this one in your inbox? Subscribe to Ambulatory Safety Monitor!

• E-mail to a Colleague
• Print
• RSS
• Archive