HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Understanding the HIPAA Medical Records Destruction Rules

Some of the biggest fines for HIPAA violations have been for failing to comply with the medical records destruction rules. Consequently, it is vital Covered Entities and Business Associates are aware how to destruct medical records compliantly.

Each state has its own requirements for retaining medical records; and, in some cases, certain types of medical records have to be retained for longer periods than others. Federal laws can also dictate how long specific records have to be retained (i.e., OSHA 1910.1200(g)), and if these records are maintained in a designated record set, they are considered to PHI and Covered Entities are required to keep them until the retention period expires.

Although HIPAA has document retention requirements, there are no minimum retention periods for medical records. However, the Privacy Rule does require that Covered Entities implement appropriate administrative, technical, and physical safeguards to protect the privacy of medical records for whatever period the records are maintained by the Covered Entity. This requirement also applies to the destruction of medical records.

The HIPAA Medical Records Destruction Rules

Although there are no specific HIPAA medical records destruction rules, the Privacy Rule requires Covered Entities to determine what steps are reasonable to safeguard medical records through the destruction process and develop and implement policies and procedures to carry out those steps. In determining what is reasonable, Covered Entities should assess potential risks to patient privacy in the context of what form the information is in and how it is being destructed

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

Additionally, the Security Rule requires Covered Entities and Business Associates to develop and implement policies and procedures to facilitate the compliant destruction of electronic PHI and/or media on which it is stored. Any members of the workforce involved in the destruction process, or who supervise other members of the workforce responsible for destructing medical records in compliance with HIPAA must receive training on the PHI destruction policies and procedures.

Failing to implement reasonable safeguards to protect PHI in connection with its destruction could result in impermissible disclosures of PHI, and several Covered Entities have received substantial fines for failing to comply with the HIPAA medical records destruction rules:

  • In 2009, CVS Pharmacy Inc. was one of the first Covered Entities to reach a financial settlement for a HIPAA violation – the company agreeing to a $2.25 million settlement for the improper disposal of PHI.
  • The following year, the pharmacy chain Rite Aid agreed to pay $1 million to settle a similar HIPAA violation; and, a few years, the independent Cornell Prescription Pharmacy had to pay $125,000 for also disposing of PHI improperly.
  • It is not just pharmacies who fail to comply with the HIPAA medical records destruction rules. In 2013, the former owners of a medical billing practice were fined $140,000 for disposing of 67,000 medical records in a public dump.
  • More recently, the New England Dermatology and Laser Center agreed to settle an investigation into the improper destruction of medical records for $300,640 and implement a Corrective Action Plan for two years – which will incur further indirect costs.

How to Destruct Medical Records in Compliance with HIPAA

HHS´ Office for Civil Rights has previously released guidance on how to destruct medical records in compliance with HIPAA. With regards to paper records, the agency suggests “shredding or otherwise destroying PHI […]so the PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed prior to it being placed in a dumpster or other trash receptacle”.

With regards to the bulk destruction of PHI, the agency suggests depositing PHI in locked dumpsters that are only accessible by authorized persons or maintaining PHI in a secure area until such time as a disposal company removes it to destroy it professionally. In such circumstances, it will be necessary to enter into a Business Associate Agreement with the entity responsible for destructing the records.

With regards to ePHI stored electronically HHS´ Office for Civil Rights advocates clearing and purging electronic media, or destroying the media by disintegration, pulverization, melting, incinerating, or shredding. It is important to note that some clearing and purging techniques are not 100% effective on modern hard drives, and it may be possible to recover deleted data in some cases.

It is also important to note that some states have more stringent medical records destruction rules than HIPAA; and, in some states, any organization that creates, maintains, or transmits personal health information may be subject to medical records destruction rules – not just HIPAA Covered Entities and Business Associates. If you are unsure which medical records destruction rules apply to your organization, it is recommended you seek professional compliance advice.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.