by Donna Knight, Princeton Insurance Healthcare Risk Consultant
Does your practice place the security of patients' personal health information in jeopardy? Through policies & procedures your practice can protect health records against loss, defacement, tampering, and use by unauthorized individuals. Essential to records storage & management are procedures and staff training that address the storage, access, and security of records. Health records policies should identify who holds keys, and staff should be trained on access, security, and the process for logging records in and out.
Secure storage can be a problem in practices where the physical environment is an issue. The storage system and space must be adequate to protect the physical integrity of the record and to prevent loss, destruction, and unauthorized use. The storage method selected depends on the amount of storage required and the physical environment. According to the American Health Information Management Association (AHIMA), if records are kept in an open office area, the shelves or file cabinets must be lockable and kept locked whenever staff are not present. If a storage room is used for health record information, open-shelf filing can be used as long as every door or other means of access to the room is locked.
Storage rooms should be kept organized, with adequate shelving, lighting, and security. A storage room that serves several purposes, and to which several staff members have access or keys, must have a separate caged and locked area to protect the security of confidential records and documents. The storage room environment should not cause damage to the records and documents (for example, moisture or rodents).
Storage areas outside of the main practice office, such as areas for inactive health records, should be locked with access limited to only those who need access. When storage boxes are used, they should not be stacked on top of each other. Boxes should be placed on shelves to facilitate easy retrieval of records and documents. Boxes should be placed off the floor and 18 inches below sprinkler heads. It is acceptable to use storage boxes, but it would be optimal to use metal files or cabinets.
Using a storage company
If a storage company is used for inactive health records, the practice should review the company's written policies on the security and safety of confidential records and documents. The written contract or agreement should outline the storage company's responsibility for securing documents and protecting them from loss or destruction. It should also identify how the practice will access records, the time frame for obtaining them, and the process for accessing records in an emergency. The practice should maintain a list of all patient health records and other documents retained at the storage company.
Procedures should also be in place to protect against internal security breaches. Whether paper or electronic health records are used, the greatest risk of sabotage comes from a practice's own employees and former employees. Practices with satellite offices need additional policies & procedures covering the transport, security, confidentiality, and tracking of records between locations. In addition, special procedures addressing precautions and secure storage should be adopted for health records and other relevant health materials involved in litigation or potential litigation.
Records storage & management also includes policies that address record retention. It is in the best interest of your practice to retain health records in a safe and secure environment as long as possible. The practice’s documented policies and procedures should outline when records can be destroyed, as well as when and where the destruction will take place. This can help avoid allegations that records were destroyed deliberately or maliciously. The policies and procedures should include:
- When the records will be destroyed (record type—length of retention)
- Where records should be stored (onsite or offsite)
- Who is responsible for deciding what to keep and when to purge
- How records will be destroyed—document the process with a log that lists which records have been destroyed, when, and how (shredding, pulping, or burning, to preserve confidentiality).
How long should I retain health records?
State statute requires health records to be retained for seven years after the last patient contact, plus two additional years for the statute of limitations to initiate a lawsuit. However, under some circumstances a lawsuit could be filed against a healthcare provider under the Federal False Claims Act up to 10 years after care is rendered and the claim is submitted for payment. For this reason, it is recommended that physician offices treating Federal beneficiaries, such as Medicare and Medicaid patients, retain medical records for 10 years. For minors who sustain injuries at birth, the new Medical Malpractice Tort Reform law requires a lawsuit to be initiated before the minor's 11th birthday. Otherwise, the records of minors should be retained for 23 years (until their 21st birthday plus the two-year statute of limitations to initiate a lawsuit).
The storage environment
Maintaining records in a secure environment also means making provisions for emergencies. For example, records should be protected from fire through sprinkler systems or noncombustible containers. Fire extinguishers and smoke detectors should be installed in all areas. A plan should be in place to deal with water damage (flood, sewage back-up, sprinkler discharge, etc.), fire, and power failures (which affect electronic medical records and clinical information systems). If a record is damaged by water from the sprinkler system or flooding, it may need to be processed to restore and preserve its content.
There are special considerations for practices that use electronic health records. As of April 2005, the final HIPAA security standards for electronic health information went into effect. The rule requires appropriate administrative, technical, and physical safeguards to protect the confidentiality, integrity, and availability of electronic protected health information. Among the required procedures are policies that define authorized and unauthorized use and access, including disciplinary action for misuse or for encouraging misuse by others, and that require passwords to be kept confidential. Safeguards should also prevent alteration of, or tampering with, previously entered data.
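One way to make previously entered data tamper-evident is to keep record entries in an append-only log in which each entry is chained to its predecessor with a keyed hash, and to handle corrections by appending an amendment rather than editing the original. The following Python is an added example, not code from the article or from any particular EHR product; the key, user names, patient IDs, note texts, and timestamps are all constructed for the demonstration. It detects alteration of an earlier entry and, when the latest tag is anchored separately, removal of entries from the end of the log. Detection of this kind complements, rather than replaces, the access controls and password policies the rule requires.

```python
"""Tamper-evident, append-only audit trail for clinical record entries.

Added example; not part of the original article. Each entry carries an
HMAC-SHA256 tag over its own fields plus the tag of the previous entry, so
changing, reordering, or removing an entry inside the chain breaks
verification. Corrections are appended as amendments that reference the
original entry, which is left untouched. All data below is constructed.
"""
import copy
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Assumption: the application holds this key and it is not stored alongside
# the log, so someone who can edit log rows cannot recompute valid tags.
DEMO_KEY = b"demo-only-audit-key-rotate-in-production"
GENESIS = "0" * 64  # previous-tag value for the first entry

_FIELDS = ("seq", "ts", "user", "patient_id", "action", "text", "amends", "prev")


def _tag(key: bytes, entry: dict) -> str:
    """HMAC-SHA256 over the entry's fields in a canonical JSON encoding."""
    payload = {k: entry[k] for k in _FIELDS}
    data = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def append_entry(log: list, key: bytes, user: str, patient_id: str, text: str,
                 ts: str, action: str = "note", amends: Optional[int] = None) -> dict:
    """Append a new entry linked to the current last entry (or GENESIS)."""
    entry = {
        "seq": len(log),
        "ts": ts,
        "user": user,
        "patient_id": patient_id,
        "action": action,          # "note" or "amendment"
        "text": text,
        "amends": amends,          # seq of the entry being corrected, if any
        "prev": log[-1]["tag"] if log else GENESIS,
    }
    entry["tag"] = _tag(key, entry)
    log.append(entry)
    return entry


def amend_entry(log: list, key: bytes, user: str, seq: int, text: str, ts: str) -> dict:
    """Correct an earlier entry by appending, never by editing it in place."""
    original = log[seq]
    return append_entry(log, key, user, original["patient_id"], text, ts,
                        action="amendment", amends=seq)


def verify_chain(log: list, key: bytes,
                 expected_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Return (ok, first_bad_seq).

    Checks each entry's tag and its link to the predecessor. Passing the
    separately stored tag of the last entry as expected_head also detects
    entries dropped from the end, which the chain alone cannot see.
    """
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["seq"] != i or entry["prev"] != prev:
            return False, i
        if not hmac.compare_digest(_tag(key, entry), entry["tag"]):
            return False, i
        prev = entry["tag"]
    if expected_head is not None and prev != expected_head:
        return False, len(log)
    return True, None


def demo():
    """Build a small chain, then try two kinds of tampering (constructed data)."""
    log = []
    append_entry(log, DEMO_KEY, "dr.smith", "P-1001", "BP 128/82, no complaints", "2005-04-21T09:12:00")
    append_entry(log, DEMO_KEY, "dr.smith", "P-1001", "Rx: lisinopril 10 mg daily", "2005-04-21T09:15:00")
    amend_entry(log, DEMO_KEY, "dr.smith", 1, "Rx corrected: lisinopril 5 mg daily", "2005-04-22T08:00:00")
    head = log[-1]["tag"]  # stored separately from the log in practice
    intact = verify_chain(log, DEMO_KEY, head)

    # Attempt 1: silently change the dosage in a previously entered entry.
    tampered = copy.deepcopy(log)
    tampered[1]["text"] = "Rx: lisinopril 20 mg daily"
    altered = verify_chain(tampered, DEMO_KEY, head)

    # Attempt 2: delete the amendment from the end of the log.
    truncated = log[:-1]
    without_head = verify_chain(truncated, DEMO_KEY)        # chain alone passes
    with_head = verify_chain(truncated, DEMO_KEY, head)     # anchored head fails
    return intact, altered, without_head, with_head


if __name__ == "__main__":
    print(demo())
```

The `without_head` result shows the caveat: a chain verifies internally even after its tail is cut off, so the latest tag must be recorded somewhere the log's editors cannot reach (a separate system, a periodic signed export, or a printed register) for deletions to be caught.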
Maintaining records at home
A note of caution to physicians who use home computers to access patients' health information: security safeguards should be implemented on home computers as well. Breaches of health information security have occurred through vulnerabilities in unsecured electronic health information systems on physicians' home computers that are also used by family members.
Whether the practice uses paper or electronic health records, when a practitioner retires or a group practice dissolves, the healthcare provider remains liable for the security of the health records. The provider must therefore make appropriate plans to protect the security of the information the records contain.
For more information
Visit the Princeton Insurance Web site at www.pinsco.com and look for “Considerations for Ceasing to Practice.”
For information on the HIPAA security rules go to the following links:
Centers for Medicare & Medicaid Services
American Health Information Management Association
American Medical Association