Documentation and Shredding

The advice below has been provided by Caplan & Earnest. It is directed to and may be relied upon only by our client, the Colorado Chapter of the APTA (Chapter); it is not directed to, nor may it be relied upon by, any individual member of the Chapter who has not engaged our services as counsel.

With respect to the medical records questions posed by the member, on which the Chapter has asked for our advice, I have attached a record-keeping policy we prepared for the Chapter in 2014; its contents remain current.

With respect to the shredding questions posed by the member, on which the Chapter has also asked for our advice, a more detailed answer is available on request, but the essential guidance for this topic is set out below. Each of the member's questions is followed by our response. We think it is critical to emphasize that a written Business Associate Agreement (BAA) is mandatory with any vendor that destroys medical records. The PT is going to be on the hook if the PT works with a company that does not use reasonable safeguards and there is a breach. The Office for Civil Rights (OCR) in the US Department of Health and Human Services (HHS) has imposed a monetary sanction on at least one company where the destruction vendor was the one who caused the breach. Having the BAA alone is not enough if the PT has not done due diligence to find out what safeguards the company actually uses. We also think the guidance from HHS is helpful (see below). For more information on proper disposal of electronic protected health information (PHI), see the HHS HIPAA Security Series 3: Security Standards – Physical Safeguards (PDF). For practical information on sanitizing PHI throughout the information life cycle, consult NIST SP 800-88, Guidelines for Media Sanitization (PDF).

Question: I know I can shred charts myself but I am thinking of bringing it to a place that does that. Do they have to have some type of "certification" or HIPAA certification?

Response: They do not have to have a certification, but you need to be able to confirm that the business uses appropriate safeguards to prevent unauthorized viewing, use, or disclosure by any of the company's workers or subcontractors. Working with a vendor that is experienced with and understands the importance of secure destruction of medical records would of course be advisable. You also must first have any company you hire to perform record destruction sign and agree to the terms of a written HIPAA Business Associate Agreement. (If there were a breach of any of your records after you gave them to the shredding company, you could still be held responsible and would have to be certain that appropriate notifications were timely provided to the affected individuals and to the Department of Health and Human Services.)

Question: I have seen that our town has a free shredding day where trucks come and you can watch your files be shredded; I just didn't know if I could use this service?

Response: You could only use such a service if: (1) you could be sure that the shredding cross-cut the papers into pieces small enough that records could not be reconstructed (pieced back together), and (2) you first had the company providing the shredding sign and agree to a written HIPAA Business Associate Agreement with your practice. Under the destruction guidelines issued by the National Institute of Standards and Technology (NIST), shredded pieces of paper records must be cross-cut to 1 millimeter by 5 millimeters or smaller.

Question: Once shredded, can they go in any garbage bag? Can they be recycled? Do the shredded charts need to go to a specific garbage place or recycling plant?

Response: If you are using shredding for destruction, you could only put them in a garbage bag or recycle bin if you can be certain that the shredded pieces of paper are so small that they could not be reconstructed (1 mm x 5 mm or smaller). It is your obligation to make sure that the shredded papers are unreadable, indecipherable, and could not be pieced back together under any circumstance. (That is why some companies use other forms of secure destruction such as de-inking, incineration, or pulverizing papers.) Healthcare professionals are obligated by law to maintain and ensure the confidentiality and security of their patients' records, including after providing them to another company for destruction. That is why it is critical to first have the destruction company agree to and sign a written HIPAA Business Associate Agreement, and to be sure that you are using a reputable company that follows through with reasonable safeguards and trains its workers on safeguarding.

Question: I am switching over to electronic paperless charts. If I get a paper fax for a prescription, I can scan it into my computer and upload it to my electronic charting system, and once it is there I can shred the paper document, correct?

Response: Yes. But you want to make sure the scan of the fax is complete and legible before securely destroying the paper copy. (HIPAA requires safeguards to ensure the integrity of the electronic records you keep.)