Ensure the secure destruction of patient records, electronic systems and PHI

Published On February 05, 2018

An important part of closing a medical practice is the secure destruction of patient records once the retention period is over.

Without a doubt, security is a top priority in healthcare. For medical practices that are up and running, there are many resources available to ensure patient records, electronic systems and the protected health information (PHI) those records and systems hold are kept secure. These resources range from the continuous education of staff on security policies and protocols to implementing the latest security technologies.

But what happens when a medical practice closes down and shuts its doors? The answer is that security doesn’t stop and the secure destruction of patient records must be ensured.

Unfortunately, there is little guidance on how to close your practice while maintaining compliance and security of PHI and electronic systems. This is especially true when it comes to critical details such as healthcare records management. These details often get buried among the many other items on the to-do list for medical practices that are closing down.

Although it may get overlooked when a medical practice closes, successfully managing as well as executing the secure destruction of patient records and PHI are critical to maintaining compliance and security.

Know the patient record lifecycle

Patient records have a retention period. What this means for medical practices that are closing is that those patient records must be securely stored, managed and made available to authorized requestors once the medical practice has closed. Once this retention period expires, however, it is important that the medical practice complete the secure destruction of patient records. This process can be tricky for a couple reasons.

One reason is that the retention period for a patient’s medical record could expire many years after a medical practice closes. This means medical practices should create a plan so that those records are automatically destroyed without the need for additional intervention. A medical practice’s plan for managing patient records once they have closed down should include pre-authorized secure destruction at the end of the retention periods. Furthermore, a Certificate of Destruction should be kept on file for compliance purposes.

Another reason this process can be tricky is because it’s important that, once the retention period is over, a medical practice adopts a consistently implemented and defensible process that not only destroys all PHI but destroys this information beyond a recoverable state.

Know where all PHI resides

Another aspect of records management that often gets overlooked when a medical practice is closing is securely disposing of and destroying PHI housed in several different locations.

For example, electronic systems as well as any equipment that holds sensitive PHI need to not only be identified but securely destroyed. Practices will often forget about the sensitive PHI housed in day-to-day equipment such as copiers, fax machines, laptops and even cell phones. Therefore, it is imperative that medical practices securely wipe and destroy any and all equipment that has transmitted or housed PHI.

Make sure you aren’t missing a step

As you’re preparing to close your practice, ensure that all your records management needs and requirements are met by familiarizing yourself with best practices. It is important that you are confident your medical practice isn’t missing an important step.

Securely destroying and disposing of patient records and PHI is just one aspect of securely managing records while closing your medical practice. However, there are other steps that need to be taken to ensure security and compliance.

Click here to learn more about information management best practices for closing practices.