Medical records are one of the most highly-regulated types of files due to the amount of personal information that they contain. In this video, you will learn which types of files need to be securely destroyed, when to do so, and the different options for destruction.
Video Transcription
Medical Records Destruction: The Guide to HIPAA-Compliant Shredding
1. What Do Medical Records Contain? What Goes Into a Medical Record?
Protected Health Information (PHI)
Medical records contain sensitive, protected health information (PHI) about a person’s health and history.
Disposing of PHI with the proper destruction processes for medical records is critical to protecting the patient privacy from hefty penalties form HIPAA.
2. Different Types of Medical Records & PHI: Common Medical Information to Destroy
There are eighteen types of information defined as PHI and protected under HIPAA:
-
-
- Account numbers
- Biometric identifiers (fingerprints, retinal scan, etc.)
- Certificate / license numbers
- Device identifiers and serial numbers
- Dates
- Email addresses
- Fax numbers
- Full face photos and comparable images
- Geographic data
- Internet protocol addresses
- Health plan beneficiary numbers
- Medical record numbers
- Names
- Social security numbers
- Telephone numbers
- Vehicle identifiers and serial numbers
- Web URLs
- Unique identifying numbers, characteristics, and codes
-
Common types of medical records healthcare providers need storage and destruction for include:
-
-
- Surgical history
- Obstetric history
- Medications and medical allergies
- Family history
- Health habits
- Immunization history
- Growth chart and developmental history
- Physical examinations
- Chief complaints
- Orders and prescriptions
- Test results
-
3. Factoring in HIPAA: Where Does HIPAA Fit in With Medical Records Destruction?
What Is HIPAA?
Passed in 1996, the Health Insurance Portability and Accountability Act (HIPAA) helps to protect PHI. HIPAA requires implementing safeguards to prevent prohibited uses and disclosures of PHI, including during its disposal.
According to the HIPAA Privacy Rule, medical records are required to be stored and maintained for at least 6 years after the date of their creation or date of last use—whichever comes first.
HIPAA Rules Violations: The Cost of Noncompliance
| Violations Prior to 2/18/2009 | Violations After 2/18/2009 | |
| Penalty Amount | Up to $100 per violation | $100 – $50,000 (or more) per violation |
| Calendar Year Cap | $25,000 | $1,500,000 |
Medical Record Retention: How Long HIPAA Says to Hang On
| Medical Record Type | Retention Period |
| Diagnostic Images | 5 years (after age of majority) |
| Disease Index | 10 years |
| Fetal Heart Monitor Records | 10 years (after age of majority) |
| Master Patient / Person Index | Permanently |
| Operative Index | 10 years |
| Patient Health Records | 10 years after last use |
| Physician Index | 10 years |
| Register of Births / Deaths | Permanently |
| Register of Surgical Procedures | Permanently |
4. Medical Records Destruction & Disposal: When Medical Records Should Be Shredded
Medical Records Destruction According to HIPAA
HIPAA leaves it up to providers to decide on destruction methods, but does not permit medical records to be discarded without proper disposal methods like shredding or electronics destruction.
When Medical Records Should Be Destroyed
| After Retention Periods Pass | Transition to Paperless | Administrative Mistakes |
| Your medical records and other files containing PHI have passed their required retention times | You’ve just transitioned to using electronic health records (EHR) and your paper records are scanned | Clerical errors were made while handling medical records and a new copy needs to be created or filed |
Steps to Take Before You Shred Medical Records
- Research state medical records retention laws
- Create a plan to store and track medical records for retention
- Establish a destruction plan for when retention times are up
Once your medical records are prepared for shredding, the only step left is deciding on your method of destruction.
Common Medical Records Destruction Methods
| Mobile Shredding | Off Site Shredding |
| Mobile shred trucks come to your location, destroying medical records on-site while you watch. Since many need to document record destruction jobs, certificates of destruction are also typically provided to detail the project specifics. | Trucks come to your location to pick up medical records, but instead of shredding on-site, the records are taken in locked bins to an off site facility. Since trucks don’t need to stay for shredding, off site becomes more cost-efficient the more records you dispose at one time. |
Searching for Medical Records Shredding?
Shred Nations works with a nationwide network of local shredding experts. We find the right shredder that can handle your destruction project, when and where you need them.
To get free, no-obligation quotes in just minutes, fill out the form on the right or give us a call at (800) 747-3365.
