Health Information Management

Ask the expert: How should healthcare providers secure archived patient records containing PHI?

HIM-HIPAA Insider, October 16, 2007


A: HIPAA requires facilities to retain patient records for a minimum of six years, and most states have longer retention periods. HIPAA requires that facilities securely store any archived records containing PHI. Storage methods will vary depending on the size of the organization and the physical layout of the facility. Consider the following:

  • Store records in a secure room with limited access so that only designated staff members can access it. A secure room must be locked and have a sufficiently strong door or other barrier that cannot easily be breached.
  • Maintain a log of retained records to assist in locating those that have reached the end of their legal life (the end of the retention period) so that facilities can easily locate and appropriately destroy them at that time.
  • Implement a records retention policy and records retention schedule for all appropriate documents, not just patient files.
  • Ensure that records are easily accessible in the event of an audit, or for provider needs. Pursuant to HIPAA and the Federal Rules of Civil Procedure, such records must be available as needed for regulatory or court purposes.
  • Develop and implement policies and procedures for storage, especially concerning who has access to the records, who will manage the records, and lists of staff members prohibited from accessing archived records unless specifically authorized.
  • Outline appropriate document destruction policies and procedures so that you can ensure that internal staff members or a contracted and trusted third party appropriately and securely destroy the archived documents at the end of their legal life.
  • Ensure that your facility has processes in place to accommodate secure and private transfer of patient records from active to archived storage.

Editor's note: This Q&A was adapted from the October 2007 issue of Briefings on HIPAA. For more information, visit
