Audit Logs and HIPAA and Record Retention—Oh, My
In an effort to stay current, your office makes technology changes—some big, some small—throughout the year. The only difficulty with these changes (beyond making sure implementation runs smoothly) is remembering that each one has the potential to affect your compliance with record retention laws.
HIPAA itself does not require practices to keep patient medical records for any set period. However, most states do require covered entities to retain electronic PHI for a certain period. This can present a problem for a physician shutting down a practice or a practice that’s been informed its EHR company is going out of business.
Additionally, HIPAA requires practices to be able to show audit logs to any patient who requests them, showing when, to whom, and how their patient health information (PHI) was transmitted. Obviously, that means those activities need to either be part of the patient record or accessible in the event of a request.
Furthermore, some practices only consider the patient record itself when determining compliance. They don’t think about new technologies such as chat systems and secure e-mail as containing PHI that falls under record retention laws—but they might.
Two solutions
Fortunately, there are solutions to help practices with this dilemma. If your practice is thinking about changing out a major system, such as EHR or practice management, consider outsourcing the data archiving task to a third party that specializes in doing this for healthcare entities. Any data that’s not being transferred to the new system can be stored in a relational database.
Make sure the service you engage converts all the data from the old system, not just outstanding financials and demographics. The archived data should be searchable (by name, social security number, and/or account ID) in order to be usable and help with record-retention compliance.
Another possibility is using an online system to guarantee none of your files or communications (including email, text, interoffice communication) are completely secure and HIPAA compliant. These new systems are built for medical practices and designed to facilitate communication and workflow in a highly secure environment.
Staffers and providers can send and store email, use text messaging and chats, store files, manage shared calendars, create and track tasks, share files, and create workgroups. Look for a system that uses multiple layers of security and keeps logs that can be shared with patients who request them.
Finally, no matter what system you use to communicate with patients, store and amend patient records, or manage your practice, make sure that you have full rights to all the data. It means reading the fine print of the terms and conditions, but you don’t ever want to encounter a situation where your data is held hostage by a vendor you no longer wish to work with.
Sources:

  1. Health information policy, HHS, https://www.hhs.gov/hipaa/for-professionals/faq/580/does-hipaa-require-covered-entities-to-keep-medical-records-for-any-period/index.html
  2. “How Long to Keep Medical Records Under HIPAA?” Datica blog, https://datica.com/blog/how-long-to-keep-medical-records-under-hipaa/
  3. “Individuals’ Right Under HIPAA to Access Their Health Information,” HHS, https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html

Last Updated on July 14, 2017