Hello Vicki-
Having experience with a HIPAA reportable event in the past, I can assure you having too much old data (that you can perhaps not quantify in the event of a suspected breach or loss) can mean much more liability when it comes to the class action lawsuits that follow such an incident. We do not notify patients at the 10 year mark.
We implemented a 10 year retention plan process for PACS and any paper is set for destruction as soon as it is scanned into our electronic document manager.
We have secure bins for CDs & paper documents that a mobile shred company comes weekly to shred on our site under our staff's supervision.
The same shred company handles the little remaining hard copy film we need destroyed.
We pull all hard drives from computers, servers, laptops, etc., document the serial # of the drive in a destruction log, drill multiple holes through the data area of the hard drive, then have our courier staff transport the hard drives to a local recycle plant where we get receipt acknowledgement of those specific drives.
We retain all receipts from these services for review by the OCR if needed.
The one thing we still struggle with is RIS; we haven't really found a good way to purge any info for patients who haven't received services in the past 10 years.
Hoping this helps; feel free to contact me with questions or to discuss.
------------------------------
Vicki Melendez
Radiology Regional Center
Fort Myers FL
239-936-2316
------------------------------
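As an added illustration of the hard-drive workflow described in the reply above (this is not code from the original thread or from either practice), the following Python chain-of-custody log records each pulled drive's serial, requires the physical destruction step to be logged before a drive is handed to the courier, and reconciles the recycler's receipt against the log so any drive still lacking an acknowledgement stands out. The class and field names, the sample serial numbers and the receipt id are constructed assumptions.

```python
"""Media destruction log with chain-of-custody reconciliation.

Added example modelling the workflow in the reply: log each pulled drive's
serial, record the physical destruction step, hand off to a courier, and
match the recycler's receipt back against the log. All names and sample
values below are constructed assumptions, not any practice's real data.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class DriveRecord:
    serial: str                        # serial number read off the drive label
    source: str                        # e.g. "workstation", "server", "laptop"
    pulled_on: date
    pulled_by: str                     # staff member who removed the drive
    destroyed_on: Optional[date] = None
    method: Optional[str] = None       # physical destruction step, e.g. "drilled"
    courier: Optional[str] = None      # staff who transported it to the recycler
    receipt_id: Optional[str] = None   # recycler's acknowledgement covering this drive


class DestructionLog:
    """Chain-of-custody log keyed by drive serial number."""

    def __init__(self) -> None:
        self.records: Dict[str, DriveRecord] = {}

    def pull_drive(self, serial: str, source: str, pulled_by: str, on: date) -> None:
        if serial in self.records:
            raise ValueError(f"serial {serial} already logged")
        self.records[serial] = DriveRecord(serial, source, on, pulled_by)

    def mark_destroyed(self, serial: str, method: str, on: date) -> None:
        rec = self.records[serial]
        rec.method, rec.destroyed_on = method, on

    def hand_to_courier(self, serial: str, courier: str) -> None:
        rec = self.records[serial]
        # Enforce the order of steps: nothing leaves the site before it is physically damaged.
        if rec.destroyed_on is None:
            raise ValueError(f"serial {serial} handed to courier before destruction")
        rec.courier = courier

    def apply_receipt(self, receipt_id: str, serials: List[str]) -> List[str]:
        """Attach the recycler's receipt to each listed drive.

        Returns serials on the receipt that are not in the log, which points to
        a transcription error on one side that should be chased up.
        """
        unknown = []
        for s in serials:
            if s in self.records:
                self.records[s].receipt_id = receipt_id
            else:
                unknown.append(s)
        return unknown

    def unreceipted(self) -> List[str]:
        """Drives that left with a courier but have no recycler acknowledgement yet."""
        return sorted(s for s, r in self.records.items()
                      if r.courier is not None and r.receipt_id is None)

    def still_on_site(self) -> List[str]:
        """Drives pulled but not yet transported."""
        return sorted(s for s, r in self.records.items() if r.courier is None)


def demo() -> dict:
    """Run the workflow over constructed sample data and return the reconciliation."""
    log = DestructionLog()
    log.pull_drive("WD-CONSTRUCTED-001", "workstation", "J. Doe", date(2020, 6, 1))
    log.pull_drive("ST-CONSTRUCTED-002", "server", "J. Doe", date(2020, 6, 1))
    log.pull_drive("HG-CONSTRUCTED-003", "laptop", "A. Roe", date(2020, 6, 2))
    for s in ("WD-CONSTRUCTED-001", "ST-CONSTRUCTED-002"):
        log.mark_destroyed(s, "drilled", date(2020, 6, 2))
        log.hand_to_courier(s, "courier staff")
    # Constructed recycler receipt: lists one drive we sent and one serial we never logged.
    unknown = log.apply_receipt("RCPT-CONSTRUCTED-1", ["WD-CONSTRUCTED-001", "XX-TYPO-999"])
    return {
        "unknown_on_receipt": unknown,
        "unreceipted": log.unreceipted(),
        "still_on_site": log.still_on_site(),
    }


if __name__ == "__main__":
    print(demo())
```

The reconciliation step is what turns a pile of recycler receipts into something reviewable: a drive that is in the log but on no receipt is the gap an auditor would ask about, and a serial on a receipt that is in no log is a transcription problem to resolve while the paperwork is still fresh.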
Original Message:
Sent: 06-18-2020 23:33
From: Vicki Parikh
Subject: Image Retention and Destruction Policy
Hi Everyone,
We are reviewing our image retention policies and also trying to find more guidance on destruction policies.
One of the questions that has arisen is whether patients need to be notified prior to permanent destruction/deletion of their medical records if they are past the retention time frame (typically 10 years, depending on study and patient).
Do others find retaining images beyond the required time frame to be more of a liability than a benefit to a practice? I'd also be interested in knowing how practices are dealing with digital records and purging (if PACS & RIS are not capable of managing records life cycle).
In relation to media destruction, how are others disposing of electronic media (old PCs, servers, etc.) that may contain PHI? Does physical destruction of each piece of equipment need to be documented? Is it required to use a certified destruction company?
If anyone has a written policy they'd be willing to share, I'd greatly appreciate it.
Thanks in advance!
------------------------------
Vicki Parikh
Practice Administrator
Mid-Delaware Imaging
------------------------------