
To keep your practice compliant with HIPAA, you must protect patients’ PHI by making sure medical records are destroyed in a compliant way. And while the government doesn’t come out and dictate one particular best practice on how you must destroy these records, it does require you to create a policy to keep PHI safe while you’re doing it.
Read on to discover five facts you may not know about the destruction of medical records at your practice, and take them to heart so you can avoid violating the HIPAA rules.
1. Your Policy on Destruction of Medical Records Must Identify Where PHI Is
When you create your practice’s policy on medical record destruction, it must outline where PHI can be found in your practice. This may include paper records, printers, fax machines, computers, cloud-based drives, flash drives, offsite servers, iPads, phones, and many more.
Once you have the list of where all PHI can be found at your practice, you can begin to identify how each type will be destroyed when necessary.
2. You Must Decide on Destruction Methods
You should be clear in your practice’s medical records destruction policy exactly how you’ll be destroying these documents. For instance, you might list the deletion or purging strategies you plan to use for digital media, or share the shredding, pulverizing or burning techniques you’ll employ for paper records.
If you plan to use a third-party source, list the organizations you plan to use, describe how you vetted them, and include a copy of the business associate agreement (BAA) that you had them sign.
3. Six Years May Not Be the Retention Timeline in Your State
Many practices retain medical records for six years as the federal government requires, but in some jurisdictions, that’s not good enough. Every state has its own requirements, and these typically supersede the federal rules. Some legal experts say that every practice should hang on to medical records for at least 10 years to ensure they don’t run afoul of any local or state rules. Check with your practice’s attorney to get their guidance on how long you should retain these records before destroying them.
4. You Should Keep a Log of Destroyed Medical Records
To ensure you remain compliant with the HIPAA rules, you should keep a log showing what you destroyed, when, and how you did it. You can keep this log on paper, on a spreadsheet, or using another means. For instance, it might say:
12/24/24: Office Manager Tanya White destroyed John Smith’s medical records, which spanned from January 1988 through December 2011. Mr. Smith passed away in 2012. The records were all shredded using the paper shredder and then placed in a locked dumpster before being picked up by our contracted destruction firm, with whom we have a BAA on file.
5. Ensure All Staffers Are Trained
Everyone in your practice who participates in medical records destruction must be trained on the risks linked to improper disposal, how to use designated destruction methods and trash containers, and how to log any record destruction in the company record. It doesn’t matter whether these staff members are full-time, interns, temps or employed via other methods. If they’re destroying medical records on behalf of your practice, they must all be trained.
