While most healthcare organizations have transitioned to electronic medical records (EMRs), there is still a significant amount of patient records stored in paper format. Medical transcription companies turn audio records of physician dictation into text documents needed for patients’ medical charts, billing, insurance claims, and, importantly, to support caregiver decision making.
Regardless of format, medical records must be stored securely in compliance with the applicable law and the standards prescribed by HIPAA and the Joint Commission. Enacted in 2003, the Privacy Rule protects all forms of identifiable health information provided by or to patients in a given medical organization. This protected health information (PHI) can be oral, digital, or on paper.
Protected Health Information under HIPAA
The HIPAA Privacy Rule establishes national standards for record keeping to support digitization of patient records with the goal of ensuring the privacy and integrity of PHI. Under HIPAA, protected health information is defined as individually identifiable information relating to the past, present, or future health status of an individual that is created, collected, transmitted, or maintained by a HIPAA-covered entity in relation to the provision of healthcare, payment for healthcare services, or use in healthcare operations (PHI healthcare business uses). Information that is considered PHI includes, but is not limited to:
- National identification numbers and demographic information such as name, birth dates, gender, ethnicity, and contact and emergency contact information
- Health information such as diagnoses, treatment information, medical test results, and prescription information
- Details about the type of care the patient received or how they paid for it
Information is considered PHI only when an individual can be identified from it.
Paper Records and HIPAA Compliance
The medical record is confidential and should be protected from unauthorized disclosure by law. Medical records and PHI must be stored and used so as to minimize incidental disclosure of PHI. HIPAA mandates that medical records must be appropriately secured against theft, fire and water damage, and erroneous destruction. Hard copy medical documents have similar standards for management as electronic records. Let’s take a look at the policy and guidelines for storing and protecting physical HIPAA documents.
- Paper records should be stored so that they are not accessible to an unauthorized individual, meaning that they should be secured safely in a storage room and locked cabinets.
- Only authorized individuals should be allowed access to medical records and PHI.
- Medical files, folders or records should be secured at all times. When moving or handling medical records and PHI in volume, medical records and PHI should be covered in a way that no personal identifiers are visible.
- As it is privileged information, care must be taken not to discuss the medical record in an open setting.
- Individual documents should not be separated from the medical record and PHI. If pages are removed to make copies, they should be arranged according to the specific record type. This is important for knowing what the document is and how to acquire or secure it.
- Retention policies should be set up to identify how long certain medical records need to be retained based on the applicable legislation and regulations. Each state has different requirements. Retention policies should be applied consistently so that records are not destroyed prematurely.
- Generally, paper records can be destroyed after they are scanned. After they have been reviewed for a certain period of time, typically 30 to 60 days, and all the material has been properly scanned to obtain quality copies, those records can be destroyed, clarifies Raymond Rangel of Data Storage Centers (www.medicaleconomics.com).
- Retention schedules differ based on the type of medical service or patient. For example, pediatric records have to be retained for a much longer period than typical adult healthcare records. For instance, though paper records have to be retained for six years in Arizona, pediatric records are required to be stored for a minimum of 10 years, and often, until the patient turns 18.
- HIPAA requires avoiding incidental disclosure of PHI during disposal. Though a particular disposal method is not required, shredding is listed as an appropriate method for disposing of PHI in the forms of both paper and electronic waste. Experts recommend professional shredding services, as this would ensure the issuance of a certificate of destruction.
Organizations that fail to comply with HIPAA requirements are subject to fines and, in serious cases, imprisonment. All covered entities and business associates, including medical transcription companies, should perform regular risk analyses to identify threats to PHI confidentiality. HIPAA covered entities and business associates have to implement measures to protect against the threats, or mitigate the consequences if the threats were to occur.
The federal government is spending billions to speed digital health record adoption. EMRs allow physicians to monitor and improve overall quality of care within the practice/organization. When medical records are electronic, organizations have greater control over security as it allows them to control precisely who has access to patient information and when. Transcription can be outsourced to a HIPAA compliant medical transcription company that will ensure that all patient information is kept private with robust encryption methods and strict security protocols.