HIPAA Compliant Records Management

Updated Thursday, 21 December 2023 by Ryan Kueter
This article explores how to create a Records Management Strategy that keeps an IT organization HIPAA compliant. It is not a comprehensive or authoritative guide: laws change, and requirements vary depending on the state in which a company operates. The article looks at what HIPAA is and what IT managers need to be aware of.

The Health Insurance Portability and Accountability Act (HIPAA) was established to protect Protected Health Information (PHI) and Personally Identifiable Information (PII). Violations may be enforced alongside state regulations through fines, criminal liability, imprisonment, reputational damage, and other penalties. Recent available information puts some of those fines for businesses in the range of $50,000 to $1.5 million, and for individuals who use that information for personal gain, up to $250,000.

Protected Health Information

Protected health information (PHI) is information that contains any of the 18 elements identified by HIPAA as PHI. It covers any physical or mental health records of a patient, healthcare received by an individual, or any payments made for healthcare, unless the individual in question died more than 50 years ago. The 18 elements include names, addresses, dates (e.g., birth dates, exam dates), phone numbers, email addresses, social security numbers, medical record numbers, health plan beneficiary numbers, account numbers, license numbers, vehicle identifiers, biometric identifiers, facial images, and any other uniquely identifying numbers, characteristics, or codes.

Personally Identifiable Information

Personally identifiable information (PII) includes any information entered into medical records or used to make medical decisions. It could also include information obtained from a patient survey.

When hiring contractors or working with business associates (e.g., medical supply companies), the law requires a business associate agreement with every party that receives PHI. Those associates are not allowed to use PHI for marketing unless authorized by the people being marketed to; for example, an associate may not collect email addresses, phone numbers, or medical conditions from PHI to market goods or services to those individuals. Because they receive PHI, those business associates are themselves subject to a HIPAA compliance audit by the Department of Health and Human Services.

HIPAA Violations

Some HIPAA violations are more serious than others. Level 1 violations include leaving or discussing private information in public places, leaving private information in public trash, or leaving computers unsecured. Level 2 violations include transmitting PHI by mail or fax, entering wrong information into a patient’s account, or disclosing PHI to the wrong patient. Level 3 violations include employees accessing electronic medical records, releasing PHI to unauthorized recipients, releasing medical records, or posting patient information on social media. Level 4 violations include accessing medical records for personal gain, selling or releasing medical records for personal gain, theft of PHI records, or texting PHI.

Notification Rules

Companies that violate HIPAA rules are required to notify all affected parties, including patients and the Department of Health and Human Services. If the breach affects more than 500 people, the business is also required to notify the media.

Records Management Strategy

A records management strategy ensures an organization is creating, maintaining, and disposing of records in a HIPAA-compliant way. HIPAA requires HIPAA-related records to be retained for six years from the date the content was last used, but individual states may impose longer retention requirements; some states, for example, require organizations to retain their HIPAA records for seven to ten years.

A records manager or records coordinator may be designated to develop and administer the strategy, review and recommend revisions to it, and review record inventories. Each department or facility should be responsible for implementing the records management strategy for the records under its control. A records management committee, which may consist of legal, accounting, human resources, or other departments, may need to meet annually to review and approve the records retention policies and the records retention schedule.

Retention Schedule

The retention schedule specifies the minimum and maximum amount of time to retain each type of record. It may take the form of a list of record types with their retention periods, published to the departments concerned. When the required retention period is uncertain, adopt a policy of warehousing or archiving records for at least ten years to be safe.

A record may be placed on hold if it is part of ongoing litigation, an audit, or a governmental investigation. Records that are on hold must never be destroyed. Records that are eligible for destruction may be shredded, rendered unreadable, or otherwise completely destroyed.
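The retention schedule and the hold rule above are easy to state but easy to get wrong in an automated disposition job, so here is a small worked example of the decision logic. This is added example code, not part of the article: the six-year HIPAA baseline comes from the text, but the record types, the per-type minimum and maximum periods, the state names and their longer minimums are constructed placeholders, and treating a record that has passed its scheduled maximum as a finding that needs review is an assumption of the example, not a rule the article states.

```python
from dataclasses import dataclass
from datetime import date

# HIPAA baseline from the article: six years from the date the content was last used.
HIPAA_MIN_YEARS = 6

# Constructed sample of states with longer minimums (placeholder names and values,
# not a statement of any real state's law).
STATE_MIN_YEARS = {"STATE_A": 7, "STATE_B": 10}

# Constructed retention schedule: record type -> (minimum years, maximum years).
# A maximum of None means the record is kept until a review decides otherwise.
RETENTION_SCHEDULE = {
    "medical_record": (6, 10),
    "billing_record": (6, 7),
    "hipaa_policy": (6, None),
}


@dataclass
class Record:
    record_id: str
    record_type: str
    last_used: date      # date the content was last used
    state: str           # state whose retention law applies
    legal_hold: bool = False  # litigation, audit or investigation hold


def add_years(d, years):
    """Add whole years to a date, mapping 29 Feb to 28 Feb in non-leap target years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def minimum_retention_years(record):
    """The longest of the HIPAA baseline, the schedule minimum and the state minimum wins."""
    schedule_min, _ = RETENTION_SCHEDULE[record.record_type]
    state_min = STATE_MIN_YEARS.get(record.state, 0)
    return max(HIPAA_MIN_YEARS, schedule_min, state_min)


def retention_deadline(record):
    """Earliest date on which the record may be destroyed (ignoring holds)."""
    return add_years(record.last_used, minimum_retention_years(record))


def disposition(record, today):
    """Return 'hold', 'retain', 'eligible_for_destruction' or 'past_maximum'.

    The hold check comes first: a record on hold is never destroyed, whatever
    the schedule says.
    """
    if record.legal_hold:
        return "hold"
    if today < retention_deadline(record):
        return "retain"
    _, max_years = RETENTION_SCHEDULE[record.record_type]
    # Assumption of this example: exceeding the schedule maximum is itself a
    # finding that the records coordinator should review.
    if max_years is not None and today >= add_years(record.last_used, max_years):
        return "past_maximum"
    return "eligible_for_destruction"


def review(records, today):
    """Build the disposition report a records coordinator would walk through."""
    return {r.record_id: disposition(r, today) for r in records}


# Constructed sample inventory.
SAMPLE_RECORDS = [
    Record("R1", "medical_record", date(2016, 3, 1), "STATE_A"),
    Record("R2", "medical_record", date(2016, 3, 1), "STATE_A", legal_hold=True),
    Record("R3", "billing_record", date(2019, 6, 30), "STATE_B"),
    Record("R4", "billing_record", date(2012, 1, 10), "OTHER"),
    Record("R5", "medical_record", date(2016, 2, 29), "OTHER"),
]

if __name__ == "__main__":
    for record_id, result in review(SAMPLE_RECORDS, date(2024, 1, 15)).items():
        print(record_id, result)
```

Note that the hold check is evaluated before any date arithmetic, so a stale retention deadline can never override an active hold, and that the state minimum is merged with `max()` rather than replacing the HIPAA baseline, so a state with a shorter period never shortens the federal six years.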