I Own a Small Business: Do I Need to Know About Shredding Medical Records?
Whether you work in an office that is part of the medical profession or run your own small business, you still need to know how to treat confidential information, including any medical records that may be part of your files.
Any file that contains personally identifiable information relating to medical treatment must be maintained and destroyed according to the rules and regulations cited in HIPAA and the Texas Department of State Health Services.
HIPAA Regulations Apply to Every Business and Person in America
HIPAA provides a minimum standard for all of the United States, but Texas may create future regulations that are stricter. As the person who handles this personally identifiable information, you are required to stay up to date on any changes to the state and federal rules.
Which Medical Records are Eligible to be Destroyed?
In general, most patient files that meet the standards on the destruction schedule can be destroyed, including:
Paperwork regarding a Leave of Absence request for medical reasons
Any file in an employee’s records that cites a medical condition and/or treatment
However, you should not send to the shredder any medical records that are being cited in an ongoing investigation or legal suit, or that are currently being used for treatment.
If you maintain your destruction schedule with those two numbers in mind, most of the time you won’t need to refer to the detailed regulations.
What does the 7 or 10 years refer to?
7 years since the last time the patient was treated
If a minor: keep the records until they are 21 or for 7 years past their last treatment–whichever is later
You may create an inactive file area or electronic file that stores medical records for the required waiting period, but it must be separate from other personally identifiable information and locked or encrypted.
You must create a log that indicates which files have been put into long-term storage waiting for destruction, and only certified employees will have access to that cold storage. Any movement in or out of the storage area must be documented on the log.
Your log will also indicate when the records are destroyed and who witnessed the destruction.
What is the Safest Method for Destruction?
Now that you have sorted out which files are eligible for destruction, how should you get rid of them? HIPAA and Texas medical records destruction requirements both stipulate that the files must be:
Shredded such that the paper cannot be pieced together
Any hard drive that ever contained an encrypted file is shredded
You have a few options to get the job done.
In-House Shredding: Your business can purchase and maintain a cross-cut shredder that meets the standards set forth in the regulations. However, the liability of ensuring destroyed documents are properly and thoroughly disposed of remains on your shoulders. This method will not take care of electronic hardware destruction.
Off-Site Shredding Company: Your employees place the documents scheduled to be destroyed in a locked bin. The bin is picked up by a certified technician and sent to a central facility for processing. From there, you hope that your shredding company follows all required procedures.
Mobile Document Shredding Service: This is the most highly recommended option. A truck from a service like PROSHRED® is equipped with a shredder and arrives at your business as scheduled. Your staff and the shredder representative both witness the destruction of all files. There are additional services for hardware destruction.
Burning: There is no question that burning completely destroys all paper files. However, shredders recycle the used paper into consumer goods, and incinerators are not an eco-friendly option. If you maintain one in your plant, though, it may be an economical option.
Is Redaction Allowed? No. Redaction is expressly forbidden in both the federal and Texas records destruction guidelines. You cannot simply white out any personally identifiable information and toss the file into the trash.
Delete or Destroy Electronic Files and Equipment? If you wish to remove electronic files from your database, the law simply requires a complete deletion by an authorized IT professional. If you are getting rid of an old computer that was used to store medical data, it must be physically shredded by a company capable of that procedure.
HIPAA Guidelines vs. Texas Medical Shredding Guidelines
Remember the 7- and 10-year rule? That follows the Texas shredding guidelines.
The HIPAA guidelines tend to stick to the 6-year rule, but your business will need to follow the longer storage time required by the state.
Protect Your Business and Employees with Mobile Document Shredding Services
When considering which way you should destroy your documents, take into consideration the liability connected to these files.
Mobile document shredding services from a reputable company like PROSHRED® provide the most secure option, where the files are destroyed in front of your eyes. The service provides you with certification of destruction.
When you opt for less-secure methods and the files are tossed into the general trash intact, you can open your business up to lawsuits.
Create and Adhere to Your Own Destruction Schedule
Besides opting for a reputable mobile shredding service, following a strict and well-documented destruction schedule will also protect your business and reduce liability.
Your master list must be maintained on a secure network and encrypted according to the HIPAA regulations.
When the file is destroyed according to your schedule, there will be a final notation in the master file that matches the certificate of destruction from your shredding service.