Disposing of medical records

December 2, 2005

Q: Under HIPAA, who bears the responsibility (including cost) for discarding old patient records that contain protected health information—the employed physician or the practice he works for?

A: Typically, the practice, since it has the duty to retain the records in the first place. But check your state's law to determine how long they must be retained. In New York, for instance, physicians must maintain patient records for at least six years or, in the case of a minor, for at least one year after the patient turns 18; anyone who doesn't may face professional misconduct charges. Also at issue is how one discards records containing protected healthcare information. Under HIPAA, anyone disposing of records must do so in a way that minimizes the risk of exposure to unauthorized users (through shredding, for example).