If you work in a medical profession, it is important to know how to treat the confidential information found in many medical records. The New York State Department of Health and HIPAA (Health Insurance Portability and Accountability Act of 1996) have strict retention, storage, and shredding guidelines for these type of personally identifiable documents.
Medical Records Retention in New York
State laws typically govern how long medical records need to be retained. However, HIPAA requires a covered entity (ex: a physician billing Media) to retain the required documentation for six years from the date of its creation or the date when it was last in effect, whichever is later.
The NYS Department of Health, however, requires medical doctors to retain records for any adult patients for 6 years. Minor patients are kept for 6 years and until one year after the minor reaches the age of 18 (whichever is longer). For hospitals, medical records must be kept for six years from the date of discharge. Minor patient records are kept 6 years from the date of discharge or 3 years after the patient reaches 18 years (whichever is longer). Records for deceased patients must be kept for 6 years after death.
It is important to note that State laws supercede HIPAA requirements. So if your state requires a longer retention period, be sure to comply.
Storing Medical Records
Medical records must be kept for a fair amount of time. So where can you store medical records until they are able to be shred? You may create an inactive file area or electronic file that stores medical records for the required waiting period, but it must be separate from other personally identifiable information and locked or encrypted. However, if square footage is in short supply, it may be best to utilize a record storage service.
Whichever method you prefer, you must create a log that indicates which files have been put into long-term storage waiting for destruction and only certified employees will have access to that cold storage. Any movement in or out of the storage area must be documented on the log.
Shredding Medical Records in New York
HIPAA requires healthcare providers to regularly shred any documents containing information on a patient’s medical history in order to prevent identity theft. If you are collecting or holding medical records, any spare copies need to be destroyed on a regular basis as well.
So how do you know what to shred and what is ok to toss in the trash? Under HIPAA shredding laws, any document that contains the following needs to be destroyed:
- Social Security Numbers
- Name and Addresses
- Medical history
- Medical test details
- Vaccination records
It is best to assume that if a document contains a name and at least one other piece of identifying information, it is covered by HIPAA shredding rules.
Medical Record Destruction Process
Now that you are clear on which documents need to be destroyed, how should you get rid of them? HIPAA stipulates that the files must be:
- Shredded such the paper cannot be pieced together
- Any hard drive that ever contained an encrypted file must be shredded
Redacting records is not allowed, ie: you cannot simply white out any personally identifiable information and toss the file into the trash. When it comes to shredding medical records, you have a few options:
Your business can purchase and maintain a cross-cut shredder that meets the standards set forth in the HIPAA regulations. However, the liability of ensuring destroyed documents are properly and thoroughly disposed of remains on your shoulders. Furthermore, purchasing and maintaining the necessary equipment is a costly undertaking. Not to mention the added labor costs associated with manually shredding these documents.
There is no question that burning completely destroys all paper files. However, utilizing a shredder allows you to recycle the used paper into consumer goods. Incinerators are not an eco-friendly option. However, if you maintain one in your plant, it may be an economical option.
Off-Site Shredding Company
When you utilize an off-site shredding service employees place the documents scheduled to be destroyed in a locked bin. The bin is then picked up by a certified technician and sent to a central facility for processing. Selecting the right shredding company is important in this instance. You want to know you can trust them to follow all required shredding procedures. Be sure they provide you with a Certificate of Destruction after each shredding service.
Mobile Document Shredding Service
This is the most popular (and safest) option. A mobile shredding truck arrives at your business at a pre-scheduled time. With a mobile shredding service, your staff and the shredder representative both witness the destruction of all files. Once the shredding is complete you are provided with a Certificate of Destruction.
Hard Drive Destruction
Remember, if you are getting rid of an old computer that was used to store medical data, the hard drive must be physically shredded by a company capable of that procedure.
Affordable & Secure Medical Record Retention & Destruction Services
ConfiData offers medical record storage, off-site shredding, mobile shredding, and hard drive destruction services you need to stay compliant under one roof. We serve all of Central and Upstate New York including Utica, Syracuse, Binghamton, Albany, Watertown and more. If you are looking for a reliable all-in one partner to keep your business compliant and secure, we would love to chat! Give us a call at 1-800-627-4733 or fill out or contact form to request a free initial consult.