5 Simple Record Retention Guidelines for Medical Practices | Secure Cloud Backup Software | Nordic Backup

Running a successful business means hanging on to some important documents. Medical practices are no exception to that rule. Along with the business-related documentation that practices should retain to protect their assets, they also need to make sure that any patient medical records, or ePHI, are stored with HIPAA best practices in mind. Here are 5 simple record retention guidelines to make it simple to decide how, and for how long, to store all of your practice’s most important paperwork.


Familiarize yourself with state requirements: HIPAA regulations are set to protect the privacy of patient information, so your record retention practices should reflect that. HIPAA rules require that you apply the appropriate administrative, technical and physical safeguards to protect the confidentiality of patient medical information for as long as you retain it. This may mean shredding physical paper documents when you no longer need them, as well as encrypting ePHI. Retention lengths vary by state, so determine your state’s record retention requirements by visiting your state website before you delete anything permanently.

Meeting state record retention rules: Many practices are moving to digital storage, which creates the need for digital safeguards in order to remain compliant with your state’s retention length requirements. Physical storage devices (like flash drives) can malfunction, get lost, or undergo physical damage, all of which can put the integrity of your patients’ medical records in jeopardy. Online backup is the only comprehensive solution to secure patient medical record storage.

On the other hand, if you have cloud backup and your physical storage devices are compromised, your data will still be safe and recoverable in the cloud. This means that if any of your patient medical records get lost or deleted, in violation of your state’s record retention requirements, you’ll still be able to recover the data and restore your practice’s compliance.

Apply safeguards for cloud data (ePHI): While cloud backup eliminates many of the risks associated with digital data storage, you need to investigate the security of your cloud backup provider before you trust them with your patients’ data and your HIPAA standing.

To start with, data encryption will protect patient medical information from falling into the wrong hands. If you back up your data with a cloud services provider, make sure the data you back up is encrypted before it’s ever transmitted to their data centers. Since encrypted data is password protected, only authorized individuals will be able to read the files. Also, make sure your cloud backup provider is working with a trusted data center where your data will be safe from natural disaster, theft and loss.

Data centers should, at a minimum, go through an SSAE 16 Type 2 audit, which is the strictest audit of its kind for service organization controls and certifies that their facilities and procedures are top-notch. You should also require your backup provider to create a Business Associate Agreement (BAA) to meet your HIPAA compliance. Get in touch with us at info@nordic-backup.com and we will create an agreement for you.

Business document storage: As a business, you need to retain documents outside of strictly patient information. Business purchases, sales, payroll and other business transactions should be recorded in your books and kept for tax purposes. The IRS lists all of the documents small businesses should keep. In most standard cases, you should retain these records for 3 years, but in special circumstances, you may be required to keep them indefinitely.

Don’t forget the importance of cloud backup: For the files you can’t afford to lose, either for HIPAA or internal reasons, back them up in the cloud as a rule of thumb. Cloud storage is the only digital storage and data recovery option that will allow you to mitigate the risks of data loss and digital security issues.

Protect your practice’s data now, before data loss or security issues arise. Find the perfect cloud backup plan for your medical practice to get started.
