Q&A: Drafting a policy on shredding charts

Q: In a previous question, you said you can destroy paper records like charts as soon as they are scanned into the EMR if your state considers electronic storage media legally acceptable for medical records. My organization is currently rewriting our policy on shredding charts; is there any reference to this in HIPAA that we can use to back this up?

A: The federal HIPAA Privacy Rule does not specifically address retention periods or formats for medical records. Instead, those requirements are established by state law/regulation.

The Office of the National Coordinator for Health Information Technology provides a summary of state laws for medical record retention. You can find it online at www.healthit.gov/sites/default/files/appa7-1.pdf.

The Privacy Rule requires a covered entity (CE), such as a hospital or physician billing Medicare, to retain required documentation for six years from the date of its creation or the date when it last was in effect, whichever is later. HIPAA requirements preempt state laws if they require shorter pe-riods. The HIPAA requirements are available at 45 CFR 164.316(b)(2) (www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/pprequirements.pdf).

Editor’s note: Question answered by Mary Brandt, a healthcare consultant specializing in healthcare regulatory compliance and operations improvement. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are those of the author and do not represent HCPro or ACDIS. Email your HIPAA questions to Associate Editor Heidi Samuelson at hsamuelson@hcpro.com