As a dentist, you are the person patients come to for expert advice and treatment for the health of their teeth and gums. Patients also expect a level of privacy and responsibility, as they trust you with their personal information.
Dental patient information falls under HIPAA. This act holds dentists to a legal expectation that they will protect patient medical records and private health information. HIPAA also regulates the release of dental records and provides patients with more control over their personal information.
For dentists, the main consideration regarding the storage of patient records is the Security Rule, which includes administrative, technical, and physical protections that are in place to prevent unauthorized access. Following the HIPAA Security Rule requires dentists to take the following steps:
- Verify that the health records they produce, receive, store, or send remain available and that the integrity and privacy of those files are maintained.
- Establish defenses against potential threats to the privacy and security of patient documents that can be reasonably anticipated, such as security issues and fire and water damage.
- Set up protections to prevent the unauthorized use of information or disclosure that is not allowed and can be reasonably foreseen.
- Ensure that your employees follow compliance guidelines.
HIPAA's application to paper records
HIPAA is a federal law created in 1996. Under this law, national standards were created to protect the personal information of patients from being disclosed without their knowledge or consent.
The HIPAA Privacy Rule prohibits the unauthorized disclosure of a patient's health information in any format, including paper records. The Privacy Rule's goal is to protect an individual's health information while allowing for the flow of information when needed to provide quality healthcare. The Privacy Rule is set up to protect a patient's rights while permitting the use of important information by medical professionals.
Permitted uses and disclosures of medical information without a patient's consent include public health activities, health oversight activities, organ donation (when required by law), research, workers' compensation, disclosures to law enforcement, disclosures relevant to judicial and administrative proceedings (to prevent a serious threat to one's health), disclosures involving victims of abuse, and disclosures relevant to the identification of deceased persons.
Length required to keep HIPAA records onsite
State laws typically dictate how long medical records are to be kept. HIPAA administrative rules require dentists to keep adult patient records for six years and pediatric patient records for 10 years. The time frame starts from the date the documentation was created or the date when it was last in effect, whichever date is later.
HIPAA requirements override state laws if the state has a shorter retention period. Check with your state's health and human services department to see what your state's retention period is.
The HIPAA Privacy Rule does not have requirements governing the retention of medical records. However, it does require dentists to apply appropriate technical, administrative, and physical safeguards to protect the privacy of patient medical records for however long the dental office maintains them, until the records are disposed of.
HIPAA storage tips for paper records
Whether your practice uses a paper filing system or an electronic health record system (and only occasionally prints documents), reducing access to patient records and implementing security procedures are key.
You can control access to patient paper records by storing them in locked filing cabinets and ensuring that only the necessary people have access via a key. Patient records should never be left unattended on desks or filed in open shelving. Offices, storage rooms, and anywhere a patient's records could be compromised should be secured with keys, ID cards, or alarm keypads.
It is also a good idea to implement a tracking process for the location of patient records along with a check-in system to the storage facility or repository. This can be as simple as a sign-in sheet with the name of the person checking out the records and the time and date noted next to their name. Electronic systems requiring the swiping of ID cards are a more technical and secure way to track record movement.
Keep all of a patient's records together. Do not separate documents from the file. If you are in your office and a colleague comes in, turn over the document or cover it so that private information is not exposed.
When disposing of documents, always shred them. Never throw away whole patient records. Throwing away intact documents can lead to identity theft. Therefore, any documents containing personal information must be shredded. Cross-cut shredding is the preferred method of disposing of documents.
Following these HIPAA document storage guidelines will help prevent the exposure of sensitive patient information. If you are found to have let patient information be released without proper authorization, legal implications can apply. Keep the above tips in mind when deciding how you will store your patient files to ensure you are complying with the law.
Jerry Dilk is the senior consultant of information governance at Data Storage Centers in Phoenix. Data Storage Centers specialize in the storage and organization of physical media and sensitive records for commercial enterprises.
The comments and observations expressed herein do not necessarily reflect the opinions of DrBicuspid.com, nor should they be construed as an endorsement or admonishment of any particular idea, vendor, or organization.