Archive/Destroy: Comply w/HIPAA Medical Record Access Rules


Archiving and destroying unused medical records may seem like the perfect solution to medical storage space issues (both electronic and paper). However, if you get it wrong, you can end up violating access to medical records rules.

Before you destroy any information, be sure you’re not violating HIPAA by not being able to provide your patients with timely access to medical records. While HIPAA states that you must keep patient medical records for a minimum of 6 years (and some state laws require them to be kept for longer), experts recommend that you keep patient records for up to 10 years to defend against HIPAA right-to-access and False Claims Act complaints.

These additional four years of patient records that must be easily accessible can create a storage nightmare for your practice, especially if you’re dealing with limited digital or physical space. To combat storage issues while keeping your most important patient records on hand, create a medical records auditing and archiving process. This will help you more easily and systematically determine which records should be kept immediately available, when they should be put into a less-accessible archive, and the appropriate time to destroy them.

Note: When providing a patient with access to their medical records, it’s important to note that psychotherapy notes are an exception to these rules. Patients do not have the right to access a provider’s psychotherapy notes. You can find more detail on this in the “HIPAA” link above.

Destruction Determination

Records of patients you served over 10 years ago can generally be slated for destruction (although you should check with your attorney before picking your timeline). This means the information can be physically destroyed with a paper shredder or simply deleted from your servers.

Keeping a record of the information you destroy is extremely important to show compliance with HIPAA’s right-to-access rules, which require you to provide patients with timely access to medical records. There are numerous listings on the Office of the Inspector General’s (OIG) website of practices that were required to pay massive penalties for failing to meet this requirement.

To help protect your practice, it is important that you document each time you destroy any patient record. Accordingly, creating a spreadsheet that is updated whenever you destroy patient records is an easy way to maintain this documentation.

Here is some of the information you should document in your spreadsheet:

  • Date records were destroyed
  • Dates of service for destroyed records
  • Initials of person who approved or otherwise directed the destruction
  • Consider breaking down your entries in groups by the patient’s provider (if your practice has more than one provider)

Archiving for Access

Maintaining records for 10 years doesn’t mean that every file must be accessible all the time.

To free up electronic storage or closet space, you can archive records with dates of service between 6 and 10 years from the current date. This way, you can still provide patients with access to medical records if you absolutely need to, but they’re not cluttering up your main storage.

Similar to the spreadsheet created for logging which records you’ve destroyed, create a spreadsheet for records you’re putting into archive. This sheet allows you to quickly reference where specific information is in the event a patient requests access to medical records.

Some columns you should add to your archive spreadsheet include:

  • Date records were archived
  • Dates of service for archived records
  • Initials of person who approved or directed the archive
  • Providers’ names (if you have more than one provider)
  • Location of the archived records (e.g., server name or app)
  • Date records destroyed (cross-check this date with your destruction spreadsheet)

Your archive spreadsheet will be instrumental in helping you and your staff quickly pinpoint the location of any archived records and allow you to meet HIPAA access to medical records requirements.

Note: You could decide to have one spreadsheet that documents both medical records destruction and archiving. Just be sure to have a column that indicates which action was taken.

Archive vs. Destruction

Ideally, each month you’ll assess your patient records and decide whether they should be archived or destroyed. Taking the time to do this monthly helps you keep on top of the process, keeps your storage from getting overloaded, and avoids excessive staff time spent handling backlogs.

However, sitting down and carving out time every month to archive or destroy patient records isn’t always realistic. At a minimum, make it part of your annual plans so things don’t get too backed up. And remember to document all actions you take.

Knowing what records you can destroy – and when – is tricky. Delete the wrong things too soon and you could find yourself facing major fines. Get expert guidance on what you need to keep and for how long in Healthcare Training Leader’s online training session, Avoid Medical Record Destruction Mistakes and $50,000 Fines. In this 60-minute immediately accessible training, you’ll get everything you need to create a compliant medical records destruction policy to protect your practice. Sign up today.
