Confidentiality of patients is the top priority of HIPAA (also known as the Health Insurance Portability and Accountability Act). Part of this includes destroying patient health records after a certain period of time.
Why do I Need to Destroy Patient Records?
Safeguarding patient health records from breaches keeps your practice HIPAA compliant. HIPAA requires patient records be destroyed after a certain period to maintain confidentiality.
Personal health information (PHI) must be destroyed six years after its creation or six years from its last use. Some states have their own data retention laws. If HIPAA’s retention period is longer than the state’s, your practice must follow HIPAA. If your state’s retention period is longer than HIPAA’s, you must follow your state’s laws.
Destroying Electronic Records
Thanks to technology, the majority of your patients’ information is now stored electronically. However, this also makes it susceptible to security breaches. We recommend that all PHI be encrypted, which provides an extra layer of protection.
When it comes to destroying electronic health records (EHRs), HIPAA isn’t very clear. HIPAA states that:
Covered entities must review their own circumstances to determine what steps are reasonable to safeguard PHI through disposal and develop and implement policies and procedures to carry out those steps.
For electronic records, there are a few different methods of destruction:
- Overwrite the old files
- Degauss the media, or otherwise expose it to a strong magnetic field
- Physically destroy the media by disintegration, pulverization, melting, incineration, or shredding
If your practice uses CRM software, your best chance at remaining HIPAA-compliant is to overwrite the files. If your practice uses an internal or external hard drive, your best chance is to physically destroy the drive that holds the health records or expose it to a magnetic field.
EHRs should be treated the same as a paper health record. Both have confidential patient information that needs to remain safeguarded.