When it comes to privacy, few things are more sensitive than a patient's medical records. Medical practitioners have the responsibility of protecting the data of their patients, not just from an ethical standpoint but from a legal one too. Obtaining, storing, and destroying medical records must be done in a way that keeps patient privacy a priority and that aligns with the regulations governing the handling of patient medical information.
What is HIPAA law?
The Health Insurance Portability and Accountability Act, or HIPAA, is a national set of standards that medical professionals must follow to keep the information of patients private. It was enacted in 1996 and is intended to keep patients both informed and protected from their information being used for non-medical purposes, or without their permission. HIPAA recognizes that reasonable information-sharing rules must be in place to benefit the patient. In other words, the act is designed to keep medical information private while still allowing timely, quality care for patients.
What is a Practitioner’s HIPAA Responsibility to Patients?
HIPAA requires a practitioner to disclose a patient's records in two situations. The first is to the individuals themselves when they ask to see their records, or to their personal representatives (designated in writing). The second is when the U.S. Department of Health and Human Services requests them as part of a compliance review or investigation, which may lead to enforcement. Disclosures for treatment, payment, and health care operations are permitted without the patient's sign-off; beyond those, a practitioner generally needs the patient's written authorization to share the information.
The law was written before the internet was commonplace, so some patients and healthcare providers complain that it needs updating to accommodate electronic convenience. To stay within the original outlines of the law, however, many practitioners still require permissions in writing and avoid e-mailing things like medical records to their patients.
How Can Documents be HIPAA-Compliant When Shredded?
Though much of the permission to share medical records must still be obtained the "old fashioned" way, HIPAA does not prevent practitioners from digitizing their own documents in-house. Once this transfer takes place, healthcare professionals hold paper duplicates of information that is now available to them in electronic form. Getting rid of the remaining paper records is often a step these practitioners are eager to take, both to eliminate the duplication and to provide an even higher level of privacy to patients. Certain medical records can also be disposed of once their retention period has passed, but once again, they need to be destroyed in a way that aligns with HIPAA.
Clearly, just throwing away medical records is not a smart move, and it is certainly not HIPAA compliant. Shredding the documents is a safer route, but even then, vigilance in how the records are destroyed is necessary to keep the medical information out of the wrong hands. There are no HIPAA-specific rules on how to shred medical documents, but to stay in compliance, the American Health Information Management Association (AHIMA) suggests that practitioners:
Have a Uniform Shredding policy.
Healthcare organizations are urged to create a document shredding policy that is followed the same way every time. This ensures everyone has step-by-step instructions and an outline of what should be done each time. If a medical organization decides to outsource document shredding to a third party, it should ensure that the contractor has such a policy in place and that it aligns with the tenets of HIPAA.
Keep good shredding records.
If a medical facility chooses to have a contractor shred its records, it should obtain the following information from that contractor and keep it on hand at the practice:
Method of destruction
Date of destruction
A statement of why the records were destroyed
Description of what was destroyed, including the date ranges
Signatures from everyone involved in the decision to destroy the records and in the destruction itself.
Both the contractor and the medical facility should keep these records. This documentation should be stored somewhere that is available to regulators and to the medical practitioner clients.
Protect themselves when using third-party contractors.
If a medical facility does decide to hire a contractor to destroy medical records by shredding, it should take a few additional steps to protect itself. Those include:
A contract that indemnifies the facility from unauthorized disclosure.
Choosing a contractor that maintains liability insurance.
Insisting that the contractor provide written documentation and proof of the destruction process, including the method of destruction and the expected time that will elapse between collecting the records and destroying them.
Is shredding the only approved way to destroy medical records?
Shredding is the smartest way to get rid of paper documents, but not all medical records are on paper or are easily shredded. To ensure that there is no chance of a record being reconstructed, a practitioner should follow these guidelines for destroying information based on its format:
Microfilm and Microfiche.
These can both be destroyed by pulverizing, after which the remains can be recycled.
Write once-read many (WORM) media.
Media in write once-read many formats (also referred to as WORM), such as archival optical discs, can't be altered or rewritten, so pulverization is the recommended way to destroy them.
Computer hard drives.
Without getting too technical, the goal for computerized information is to make the data on the drive unrecoverable. For magnetic hard drives this can be done by shredding or degaussing. Shredding a hard drive renders it completely unusable by cutting the platters into several pieces. Degaussing scrambles the magnetic domains on the media into random patterns, so the data cannot be read or reassembled in any meaningful way; a degaussed modern hard drive is also left unusable. Overwriting is less dependable than it sounds, not because an overwritten sector can be recovered with enough effort (NIST SP 800-88, the U.S. guideline for media sanitization, accepts a single full-drive overwrite as a clearing method for modern magnetic drives), but because overwriting individual files leaves copies elsewhere: in filesystem journals, slack space, remapped bad sectors, snapshots, and backups. To really get rid of the information, degauss or physically destroy the drive. Note that degaussing only works on magnetic media; solid-state drives and flash memory hold no magnetic domains and must be cryptographically erased or physically destroyed instead.
Magnetic tapes.
Degaussing, rather than overwriting, is also the preferred method for magnetic tapes, for the same reasons listed above.
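As an added example (not code from this article, from AHIMA, or from any sanitization standard), the following Python script performs the file-level overwrite discussed in the hard-drive section above and verifies it by reading the file back. Its purpose is as much to show the limit of that approach as the technique itself: the read-back check only proves that the filesystem's logical view of the file changed. The sample record, marker string, and temporary file path are constructed for the demonstration.

```python
"""Single-pass in-place overwrite of a file, with a read-back check.

Added example for this article (not the article's or AHIMA's code). It
demonstrates the logical overwrite the text discusses and its limit: it
rewrites only the blocks the filesystem currently maps to this file.
Journals, slack space, remapped sectors, SSD wear-leveled blocks, snapshots
and backups are untouched, which is why whole-drive sanitization or
physical destruction is what the article recommends for the drive itself.
"""
import os
import secrets
import tempfile


def overwrite_in_place(path: str, chunk_size: int = 1 << 16) -> int:
    """Overwrite every byte of `path` with random data without reallocating it.

    "r+b" opens the existing file for writing in place; writing a new file and
    renaming it over the old one would leave the old blocks intact on disk.
    Returns the number of bytes written.
    """
    size = os.path.getsize(path)
    written = 0
    with open(path, "r+b") as f:
        while written < size:
            n = min(chunk_size, size - written)
            f.write(secrets.token_bytes(n))
            written += n
        f.flush()
        os.fsync(f.fileno())  # force the data out of the page cache to the device
    return written


def contains_pattern(path: str, pattern: bytes) -> bool:
    """True if `pattern` still appears in the file as the filesystem presents it."""
    with open(path, "rb") as f:
        return pattern in f.read()


def sanitize_file(path: str, marker: bytes) -> bool:
    """Overwrite, verify the marker is gone, then delete. True on success.

    The check is only as good as the filesystem's view: it proves the logical
    contents changed, not that no copy of `marker` survives on the device.
    """
    size_before = os.path.getsize(path)
    written = overwrite_in_place(path)
    if written != size_before or contains_pattern(path, marker):
        return False
    os.remove(path)
    return True


def demo() -> dict:
    """Run the procedure on a constructed record and report what happened."""
    # Constructed sample "record" for the demonstration; not real patient data.
    marker = b"PATIENT: Jane Doe, MRN 000000"
    record = marker + b"\n" + b"visit notes ...\n" * 500
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "wb") as f:
        f.write(record)
    result = {
        "bytes": len(record),
        "marker_present_before": contains_pattern(path, marker),
        "sanitized": sanitize_file(path, marker),
    }
    result["file_exists_after"] = os.path.exists(path)
    return result


if __name__ == "__main__":
    print(demo())
```

Run it directly and it reports that the marker was present before, that the overwrite and verification succeeded, and that the file is gone afterwards. Treat a script like this as housekeeping for individual files, not as sanitization of a drive that is leaving the practice: for that, the whole device must be overwritten, degaussed (magnetic media only), cryptographically erased (self-encrypting and solid-state drives), or physically destroyed, and the destruction documented as described earlier in this article.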
In the end, properly destroying medical records protects patients, practitioners, and contractors. Take the time to do it correctly, or hire the right company to meet your HIPAA-compliant shredding needs. Remaining HIPAA compliant is non-negotiable, and destroying records in the right way keeps patient privacy intact.