
Understanding the HIPAA Medical Records Destruction Rules

The HIPAA medical records destruction rules relate to the safeguards covered entities and business associates must implement to ensure Protected Health Information (PHI) and electronic Protected Health Information (ePHI) are disposed of compliantly. The HIPAA medical records destruction rules have no impact on state requirements for retaining medical records, which can be much longer than the HIPAA document retention requirements.

Although HIPAA has document retention requirements, there are no minimum retention periods in HIPAA for medical records. However, the HIPAA Privacy Rule does require that covered entities implement appropriate administrative, technical, and physical safeguards to protect the privacy of medical records for whatever period the records are maintained by the covered entity. This requirement also applies to the destruction of any personally identifiable data maintained with medical records in the same data set.

The HIPAA Medical Records Destruction Rules

Although there are no specific HIPAA rules for the destruction of medical records, the HIPAA Privacy Rule requires covered entities to determine what steps are reasonable to safeguard Protected Health Information during the destruction process, and to develop and implement policies and procedures to carry out those steps. In determining what is reasonable, covered entities should assess the potential risks to patient privacy in the context of what form the information is in and how it is being destroyed.

The HIPAA Security Rule requires covered entities and business associates to develop and implement policies and procedures to facilitate the compliant disposal of electronic PHI and/or the media on which it is stored. Any members of the workforce involved in the destruction process, or who supervise other members of the workforce responsible for destroying medical records in compliance with HIPAA, must receive training on the PHI destruction policies and procedures.

Failing to implement reasonable safeguards to protect PHI in connection with its destruction could result in impermissible disclosures of PHI, and several covered entities have received substantial fines for failing to comply with the HIPAA medical records destruction rules:

  • In 2009, CVS Pharmacy Inc. was one of the first covered entities to reach a financial settlement for a HIPAA violation – the company agreeing to a $2.25 million settlement for the improper disposal of PHI.
  • The following year, the pharmacy chain Rite Aid agreed to pay $1 million to settle a similar HIPAA violation; and, a few years later, the independent Cornell Prescription Pharmacy had to pay $125,000 for also disposing of PHI improperly.
  • It is not just pharmacies that fail to comply with the HIPAA medical records destruction rules. In 2013, the former owners of a medical billing practice were fined $140,000 for disposing of 67,000 medical records in a public dump.
  • More recently, the New England Dermatology and Laser Center agreed to settle an investigation into the improper destruction of medical records for $300,640 and to implement a Corrective Action Plan for two years, which will incur further indirect costs.

Even when covered entities have not been fined, there can be substantial indirect costs for improperly disposing of medical records in breach of HIPAA. The HHS Breach Report currently includes more than 200 examples of covered entities that had to notify individuals of improper disposals, pay for credit-monitoring services, refresh policies and procedures, and provide additional HIPAA training.

How to Destroy Medical Records in Compliance with HIPAA

HHS’ Office for Civil Rights has previously released guidance on how to destroy medical records in compliance with HIPAA. With regards to paper records, the agency suggests “shredding or otherwise destroying PHI […] so the PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed prior to it being placed in a dumpster or other trash receptacle”.

With regards to the bulk destruction of PHI, the agency suggests depositing PHI in locked dumpsters that are only accessible by authorized persons, or maintaining PHI in a secure area until such time as a disposal company removes it to destroy it professionally. In such circumstances, it will be necessary to enter into a Business Associate Agreement with the entity responsible for destroying the records.

With regards to ePHI stored on electronic media, HHS’ Office for Civil Rights advocates clearing and purging the media, or destroying it by disintegration, pulverization, melting, incineration, or shredding. It is important to note that some clearing and purging techniques are not 100% effective on modern hard drives, and it may be possible to recover deleted data in some cases; the chosen method should therefore be verified as effective for the specific type of media before the media leaves the organization’s control.

It is also important to note that some states have more stringent medical records destruction rules than HIPAA; and, in some states, any organization that creates, maintains, or transmits personal health information may be subject to medical records destruction rules, not just HIPAA covered entities and business associates. If you are unsure which medical records destruction rules apply to your organization, it is recommended that you seek professional compliance advice.

Author: Owen Bates is a Contributing Editor and HIPAA Subject Matter Expert at The HIPAA Journal, having joined the publication in November 2024. He researches HIPAA compliance topics and writes authoritative reference articles that help readers understand complex regulatory requirements in a clear and practical way. He also reviews and updates existing content to reflect changes to HIPAA regulations, helping ensure the accuracy and relevance of published material. In addition to his editorial work, Owen contributes as a reviewer and tester of The HIPAA Journal Training courses, supporting the development of high-quality educational content. He also advises The HIPAA Journal’s clients on best practices for HIPAA implementation and enforcement. Owen is a psychology graduate of Westmont College, California.
