Destruction of Medical Records: 5 Options to Stay Compliant


Destruction of medical records seems simple: You simply delete a file from your electronic health record and call it a day, right? Not so fast. Destroying medical records requires quite a bit more than that if you want to stay compliant with federal and state laws.

You’ll need to retain medical records for the minimum amount of time required by state and federal law, which usually ranges from seven to 11 years. After that, you may want to eliminate patients’ records from your system.

Here are five ways to practice compliant destruction of medical records.

1. Shredding Medical Records

If you’re dealing with paper records, you can shred them either in-house or by using a shredding service. According to HIPAA requirements, your documents will need to be shredded so that they’re unreadable and can’t be recreated. This may mean using a cross-cut shredder so someone couldn’t simply piece the shredded paper back together.

If you use an off-site shredding service, make sure you have a signed business associate agreement (BAA) on file with that organization. You should also get a certificate of destruction after they complete the job.

2. Burning Medical Records

Although burning isn’t necessarily the simplest way to destroy medical records, this method does make it easier to ensure that nothing identifiable is left behind. If you burn paper records, confirm afterward that everything is fully burned and that no identifiable data remains.

You can also burn optical disk media if your records are kept on that type of device. Confirm that this data is burned down to ash so no one would be able to access it.

3. File Drive Wiping Software

In many cases, simply deleting electronic files from your hard drives isn’t enough to ensure that you’ve removed all PHI from your system. You should consider using a drive wiping program, which overwrites the space that deleted files leave behind on the drive.

If you back up your computer files to a cloud-based or offsite system, make sure you delete the files from there as well.

4. Reset Mobile Devices

If you have PHI on mobile devices and you need to destroy that data, manually delete the files and then complete a manufacturer’s reset so the device goes back to factory settings. This allows the system to overwrite the prior data with brand-new code, deleting the PHI that you may have had on the device.

5. Consider Disk Grinding Devices

Practices that keep medical records on CDs should consider using a disk grinding device, which makes the CD completely unusable. If you use a service to grind your CDs, ask them to sign a BAA, and request a confirmation of destruction after each round of medical record destruction.

If you don’t destroy medical records properly, you could face $50,000 fines. Avoid these penalties with solid advice from legal experts Daphne Kackloudis, Esq., and Ashley Watson, Esq. during their 60-minute online training, Avoid Medical Record Destruction Mistakes and $50,000 Fines.