We have discussed choosing the right EMR. You have picked your system, gotten the training, and gone live. You are living happily-ever-after with your electronic charts. But what about all of those paper charts that are lurking in your practice? What should happen to them? There are rules and regulations about when and how they can be disposed of.
There are several factors that dictate how long a practice must retain paper records. It is important to look at state laws, Medicare and Medicaid and insurance regulations, and the statute of limitations for malpractice or other legal actions. The North Carolina Medical Board guidelines, updated in 2009, state:
- Medicare and Medicaid: 7 years
- Medical Malpractice: consult your malpractice insurance carrier
- Immunization Records: must be kept indefinitely
The destroying of records is strictly governed by HIPAA regulations. According to the US Department of Health and Human Services, the entity that implements HIPAA, “covered entities must implement reasonable safeguards to limit incidental, and avoid prohibited uses and disclosures of PHI, including in connection with the disposal of such information.” It is illegal to dispose of any PHI, including paper charts, in a way that is accessible to the public. That includes, but is not limited to, dumpsters, recycling centers, and public trashcans. There is no one way that charts must be disposed of, as long as they are rendered “unreadable, indecipherable, and otherwise cannot be reconstructed.” The most popular way to accomplish this is to have the records shredded. Burning, pulping, and pulverizing are also options. The company that is hired to destroy the records is considered by HIPAA to be a business associate, and a contract for safe and appropriate disposal must be created. For more information see this entry about vendor agreements.
Once you are prepared to destroy your practice’s paper charts, contact your attorney. Together you can form an action plan that includes an appropriate vendor and meets the requirements for what information needs to be saved and what does not. It is important to consult with an experienced healthcare lawyer who is well versed in the latest state law. Fines for misappropriation of PHI are steep, and the negative exposure that surrounds breaches is immense. Protect your patient’s privacy rights and keep your practice safe by following the law to the letter.
Waller Lansden Dortch & Davis LLP. (March 26, 2008). Retaining Medical Records: How Long is Long Enough. FindLaw. Retrieved November 8, 2012. http://corporate.findlaw.com/law-library/retaining-medical-records-how-long-is-long-enough.html
Retention of Medical Records. (May 1, 1998, modified May 2009). North Carolina Medical Board. Retrieved November 8, 2012. http://www.ncmedboard.org/position_statements/detail/ retention_of_medical_records/
Department of Health and Human Services. (n.d.) Frequently Asked Questions About the Disposal of Protected Health Information. HHS.gov. Retrived November 8, 2012. http://www.hhs.gov/ocr/privacy/hipaa/ enforcement/ examples/disposalfaqs.pdf