New HIPAA rules demand tighter retention practices.
The most important first step is to evaluate the way off-site record storage vendors (business associates under HIPAA) identify and index each record in their possession. Many vendors do not maintain a detailed, accurate inventory, which places them and the covered entities (CEs) they serve at greater risk for breaches, penalties and fines.
Record inventory beyond the box
Records must be accounted for and electronically indexed to the individual level into the storage facility's inventory control system, and both the business associate (BA) and CE must possess the inventory.
If boxes of PHI were stolen (or lost) from an off-site storage facility, the BA and CE would be unable to respond to the incident appropriately because they would be unable to identify and notify every individual of the potential breach and the respective state government department as required under the new HIPAA regulations. The CE and BE would be subject to criminal or civil penalties because they could not identify the individuals for notification and mitigation of the lost PHI. Overall, bad publicity would prevail.
Providers should negotiate with their off-site storage company to determine the cost of havig all individual records inventoried. It is unlikely that a CE who is unwilling to pay to inventory its records will find a truckload of un-indexed records on its doorstep. However, it is in the CE's best interest to partner with the BA, because the off-site storage company is an extension of the hospital's own records library.
Retrieval and retention drives need detailed inventory
Secondly, CEs and BAs also require inventories for effective record retention and retrieval. An example comes from a recently retired health information management (HIM) director for a large, multi-location healthcare facility who recounts an incident when the facility's tracking system crashed. With the system down, the facility did not know what was in storage, and the off-site storage vendor did not have a computerized list of all the charts. Shortly thereafter, a request was made for a chart, and the facility was unable to find it. This led to a lawsuit resulting in significant monetary damage to the facility.
With regard to retention, a record may be subject to many different laws, with each law mandating a different length of storage. In California, for example, the MediCal Act and the Emergency Medical Services Fund require patient records be kept for a minimum of three years, whereas OSHA requires employee health records to be kept for the duration of an employees' employment plus 30 years if an employee could potentially have been exposed to dangerous substances.
Clearly, the CE must know who is in possession of each specific record in order to produce the record in a timely manner and comply with record retention laws.
Provider liability: Shifting risk is risky business
Finally, the storage relationship is a collaborative one. There are benefits to partnership and dangers in failing to work together. Just as a CE would not undermine its on-site records library, it should not do so to its off-site library by attempting to unnecessarily shift risk to the BA. Shifting the risk unnecessarily from the CE to the BA does not foster high levels of patient service, security and privacy.
However, with increased liability comes increased cost. “For the storage vendor to accept more risk at the same negotiated prices denies the economic reality of the free-market system,” says Jim Booth, executive director of PRISM International, a nonprofit professional trade association for the commercial information management industry. Providers should anticipate increased costs for paper record storage under the new HIPAA rules.
Going forward
With the CE and BA equally responsible for the protection of PHI, it is incumbent upon both parties to establish the location of each unique record. Doing so will require that record storage companies spend the time to index the records and that CEs pay for the additional work that they likely waived during the initial transfer of records. The process will not be without cost, but legally both parties are accountable.
Furthermore, the regulatory climate will not become more lax as it attempts to protect privacy in light of advances in technology. The need to store and manage physical records will continue for decades, even with the implementation of electronic health records. Without a mutual effort to inventory records, there will be much finger pointing in court — and elsewhere — for many years to come.
The storage relationship is a collaborative one. There are benefits to partnership and dangers in failing to work together.
Important points for inventories and documentation management
• In the event of a lawsuit, the covered entities (CEs) must know who is in possession of a record in order to produce it within a mandated time.
• Retention requirements may be subject to a variety of laws, such as length of storage or duration of employment. A detailed inventory makes the process more efficient and less risky in regards to compliance.
• Knowing the location of records is critical and can only be ensured with a proper inventory system.
• Storage companies must spend the time to index the records. The CE will have to pay for the additional work that may have been waived during the initial transfer of records.
April D. Robertson, MPA, RHIA, CHPS, FAHIMA, is vice president, customer advocacy, HealthPort.
For more information on HealthPort solutions:
www.rsleads.com/011ht-203
