Employees and clients may come and go throughout the lifetime of a business, but that doesn’t mean their data leaves with them. Billing documents, personal health information, and other records need to be kept electronically to comply with local, state and federal laws. While keeping data is necessary to prevent legal issues, keeping data too long may have liability ramifications and cause a disruption to your business. Unprotected files and stacks of paperwork are an enticing target for someone looking to steal a patient’s health information.
To mitigate this risk, it’s recommended that your company sticks to a strict retention schedule. When it comes to record retention for businesses in the medical field, policies are regulated at the state level. The New York State Department of Health’s website has a guide for all Emergency Medical Service (EMS) agencies to assist them with developing a retention policy. Some of the general suggestions for a retention schedule are as follows:
- Patient Care Reports (electronic or hardcopy) must be retained for 6 years or 3 years past the patient’s eighteenth birthday, whichever is longer.
- Patient care data files containing medical treatment and/or billing information must be retained for 6 years or 3 years past the patient’s eighteenth birthday, whichever is longer.
- Summary record of all patients treated and/or transported must be retained for 3 years.
The website also mentions a retention schedule for HIPAA records, which is as follows:
- All written policies and procedures as required by the Health Insurance Portability and Accountability Act of 1996/HITECH Act are required to be maintained in writing for at least six years from the date of its creation, or the date when the document was last in effect, whichever is later.
- Section § 164.530(j) states that “written” includes electronic storage. Paper records are not required.
It’s recommended that each provider’s policy specifies where the documents will be stored, how they will be protected, and the proper procedure for obtaining a stored record. While these documents only pertain to EMS policies, providers need to take into account the various policies from other regulatory agencies (such as the IRS or OSHA), which have their own guidelines for document retention. For example, OSHA’s document requirements state that employers must retain safety data sheets for the duration of employment, plus 30 years, for all employees exposed to the chemical in question. It’s a good idea to research all agencies relevant to your company when creating policies.
Another thing to take into consideration when setting a retention and disposal schedule is the New York “Stop Hacks and Improve Electronic Data Security” (SHIELD) Act. The NY SHIELD Act requires businesses to implement safeguards for the “private information” of residents, and comply with security breach notification requirements. Every employer with employees in New York must comply with the SHIELD Act.
Not complying with regulations, including HIPAA and the SHIELD Act, can have even greater ramifications for a company’s legal department. For example: your company is facing an upcoming court case, and a judge orders you to provide all records that you have on a specific person. Even if you only have an old floppy disk with no drive, you would need older technology or hardware that may no longer be in use to extract that information. In this instance, you are legally required to get the data off of that disk if it includes private information: that person’s name, SSN, driver ID, credit or debit information, username or e-mail, etc. The cost of this endeavor could skyrocket, depending on the age and price of the equipment you’d need for the job.
While the Department of Health’s guide goes over the ideal schedule for retaining records, there’s no information listed on when to dispose of them. Oftentimes, once records hit their retention minimum, the files or paperwork are moved to a specific file or folder to be stored for destruction at a later date.
HIPAA laws require that providers regularly shred any documents that contain a patient’s medical history in order to prevent identity theft. Any document that contains the following should be destroyed:
- Social Security Numbers
- Names and Addresses
- Medical History
- Medical Test Details
- Vaccination Records
Accordingly, HIPAA laws also dictate the following for disposal:
- Paper files must be shredded such that the paper cannot be pieced together
- Any hard drive that ever contained an encrypted file must be shredded
By following proper retention and disposal policies, providers can ensure their business is adequately protecting patients’ ePHI and medical records from online hackers and other methods of identity theft. Companies can also rest easy knowing that, in the case of any legal request for information, old records have already been purged. Following these guidelines is crucial in order to minimize the ramifications of a potential data breach or other lapse in HIPAA compliance.