While medical record retention requirements are not governed by the HIPAA Privacy Rule, state laws generally do provide direction on how long medical records should be kept. However, according to the Department of Health and Human Services (HHS), the HIPAA Privacy Rule requires covered entities to apply appropriate administrative, technical, and physical safeguards to protect the privacy of medical records and other protected health information (PHI) for as long as a covered entity maintains that information, including through its disposal. (See 45 CFR).
Many healthcare providers today are utilizing electronic medical records in their day-to-day practice even if older charts have not yet been migrated completely. With technology rapidly advancing, it can be a challenge for medium and small healthcare facilities to navigate the rules and regulations of HIPAA and state laws as well as the technology needed to retain electronic protected health information (ePHI) safely.
However, HHS publishes helpful guidance to help ensure that ePHI is managed and retained securely.
The Privacy and Security Guide includes a specific section on working with electronic health record (EHR) and health I.T. developers, intended to help a practice understand the privacy and security practices its developer has put in place. It reads as follows:
“• When my health IT developer installs its software for my practice, does its implementation process address the security features listed below for my practice environment?
    o ePHI encryption
    o Auditing functions
    o Backup and recovery routines
    o Unique user IDs and strong passwords
    o Role- or user-based access controls
    o Auto time-out
    o Emergency access
    o Amendments and accounting of disclosures
• Will the health IT developer train my staff on the above features so my team can update and configure these features as needed?
• How much of my health IT developer’s training covers privacy and security awareness, requirements, and functions?
• How does my backup and recovery system work?
    o Where is the documentation?
    o Where are the backups stored?
    o How often do I test this recovery system?
• When my staff is trying to communicate with the health IT developer’s staff, how will each party authenticate its identity? For example, how will my staff know that an individual who contacts them is the health IT developer representative and not a hacker trying to pose as such?
• How much remote access will the health IT developer have to my system to provide support and other services? How will this remote access be secured?
• If I want to securely email with my patients, will this system enable me to do that as required by the Security Rule?”
The guide’s additional section on cybersecurity is especially helpful now that cloud-based storage of ePHI is more prevalent. This section links to the HHS Security Risk Assessment Tool at:
This can be useful for small to medium-sized health care practices and their I.T. professionals.
As technology changes and improves quickly, it may be helpful for healthcare professionals to know that there are HIPAA-trained I.T. professionals, such as Data Fast Solutions, who can assist them effectively.
This article is ©2017 Data Fast Solutions • All Rights Reserved