How to properly store physical HIPAA documents

Avoid hefty fines by making sure you follow all the guidelines

While many files are electronic and tucked away on hard drives, there are still millions of physical documents out there that need to be properly stored following HIPAA guidelines.

To learn more about how physical documents should be handled, Medical Economics spoke with Raymond Rangel of Data Storage Centers.

(Editor's note: The transcript has been edited for brevity and clarity.)

Medical Economics: What are the HIPAA requirements for storing physical documents?

Rangel: Records should be stored out of sight of any unauthorized individual, so for all intents and purposes, they should be secured safely in a storage room and locked cabinet files. And more importantly, good business practices are making sure that the control of who has physical access to the records is limited to only authorized personnel.

ME: What are the most common mistakes that medical practices make when storing HIPAA documents?

Rangel: I think records mishandling—all patient information should be kept strictly confidential. So avoid leaving an open file in a waiting area or in clear view of other patients, where other people can actually see the information from the medical records. You want to make sure that at every time you're dealing with a medical record, that the medical file, folder, or record is secured at all times. Another thing is that sometimes medical practices get somewhat complacent, and they'll talk about the medical conditions to another person other than the patient. Sometimes you have to be careful, because that's privileged information. You have to be careful about how you go about talking about the medical record in an open setting.

ME: If someone prints out an electronic document, does that physical copy now have to be stored like any other HIPAA document?

Rangel: Sometimes the original paper copy has a unique legal force. It's a discretionary call; you just have to make sure what information is not subject to destruction. Those are the ones that you have to make sure that you have maintained those physical copies. If someone prints out an electronic document, you want to make sure that they're arranged according to the types of records that they are. So, keeping a specific record type is important; this way, you know the importance of what that document is and how to procure it or secure it.

ME: If physical copies are converted to electronic records, can the physical copies then be destroyed?

Rangel: Yes, you can destroy the paper records after they're scanned. Usually, after they've been reviewed for a certain amount of time, generally speaking, 30 to 60 days, once you can actually qualify that all of the material is properly scanned, that the quality is there and that it is the natural representative of what was scanned. Once you have that, you can destroy those records.

ME: How long does a practice have to store HIPAA documents? And what is the proper way to dispose of expired records?

Rangel: Those vary from state to state, so check what your state requirements are. For example, in Arizona, generally speaking, it is six years. So first and foremost, find out what your state requirement laws are, and you can do it. And another way is, the timeframe starts from the creation of the record until its last use, so you can use that as kind of a guide. Now, there's one consideration, and that is not all records are the same. For example, you have to make sure that if they fall under a pediatric medical record, that has to be retained longer. So even though Arizona says six years, pediatric records typically have to be stored a minimum of 10 years, and a lot of times until the patient turns 18. And then you start the clock from there as well.

ME: Are documents typically just shredded for proper disposal?

Rangel: Let's say that it's made the six years or you've had them scanned already, so you actually have them. If you've met all your safeguards, then, yeah, you can shred them. I recommend that, and you could do it yourself. But since we're talking about medical practices, the best practice is that it will usually be done professionally. And the reason they have it done professionally, is because along with having it professionally shredded, they also get issued a certificate of destruction. This certificate affirms that they've met their legal requirements to the disposal rule. So that way, hypothetically speaking, if they ever get audited, you say, ‘Hey, I've contracted with a professional destruction company and here's the certificate.’

ME: What are the fines for improperly storing HIPAA documents? And how do these actions usually come about?

Rangel: Fines typically start anywhere from $100 and they can go up as high as $50,000 per violation. In some rare circumstances, they've actually had fines up to $1.5 million. It all depends on how egregious the violation is.

ME: How are practices found out? Is it patient complaints? Is it audits? Is it an employee whistleblower?

Rangel: All of the above. I think when companies get a little too lax, then that's always going to open the door to a possible HIPAA violation. So it's always good to have good redundant safety practices and security practices there. If you're in a professional setting, you should basically have that taught to you from the very beginning, that you're dealing with privileged information, and so there are procedures and policies that need to be followed.