The Health Insurance Portability and Accountability Act (HIPAA) is one of the most important American healthcare laws ever passed. Enacted by Congress in 1996 and signed by then-president Bill Clinton, HIPAA was originally designed to provide health insurance coverage for people who were between jobs.
Before the law took effect, people between jobs found it difficult to pay for important and critical healthcare because they had no health insurance. HIPAA was brought into effect specifically to help people who could not afford health insurance.
Today, however, HIPAA has become much more than that. While still focused on improving the patient experience in the healthcare sector, HIPAA is now concerned with the nationwide protection and storage of patient data and the rules governing that protection.
With constant threats to patients' recorded and stored data, the existing laws were proving insufficient, and HIPAA has therefore become the most important data privacy and protection law in the US.
However, HIPAA's legislation can be quite complex at times. For example, its record retention requirements maintain separate policies for medical and non-medical records.
When it comes to HIPAA’s storage and retention of medical records, the legislation deals with documents pertaining to:
- Personal health information and medical history – Documents such as prescriptions, diagnostic tests, surgeries, diagnosed conditions, registration, etc., acquired previously, are what help the healthcare provider assess your condition and treat you accordingly. Without such information there is a risk of the healthcare provider misdiagnosing you and prescribing medication that may have adverse effects.
- Personal identification information/personal information – Patient records containing Social Security Numbers, bank account details, invoices, receipts, billing, etc., are at constant risk of being hacked, leading to undesirable outcomes such as identity theft and other cybercrimes. By complying with HIPAA regulations, these risks can be avoided and the patient's personal information protected.
The healthcare industry includes many types of businesses, as well as healthcare providers, health plans, healthcare clearinghouses, and HIPAA-covered business associates, all of which are required to comply with HIPAA regulations. If these organisations fail to comply, they face heavy fines, and ignorance of the law is not accepted as an excuse.
When it comes to medical records, there is no nationwide standard for the official HIPAA record retention period, as each state follows its own laws. The process of storing and transmitting those records, however, is the same across the country. The retention period varies not just from state to state but also between healthcare providers within the same state. Two factors influence the retention period for medical records:
- The type of medical record – for example, a vaccination report, an employee medical record, etc.
- The state where the medical record is created – Different states have different laws governing how long patients' medical records must be retained.
For example, in the state of Florida, physicians are required to retain patients' medical records until their last contact with that patient, while hospitals in Florida are required to retain medical records for up to 7 years. North Carolina, by contrast, requires records to be retained for even longer, with different policies depending on the age at which the patient was admitted, etc.
At the same time, depending on state law, records may be destroyed once there is no longer any requirement to keep them. However, for ambulatory surgical services, no state specifies a retention duration for storing information.
Now, when it comes to the manner in which this information is stored and retained, the requirements, as mentioned above, are the same for the entire country.
The requirements are:
- Businesses or “covered entities” are required to use appropriate means to protect the data for whatever duration it is stored. For example, the administrative, technical, and physical safeguards used to store medical records should be top notch and efficient. And when records are disposed of, it is the entity's responsibility to ensure that this is done securely, so as to avoid the risk of crimes such as identity theft.
- The administrative safeguards should include top-notch policies and procedures to manage access to information within the organisation. They also require the organisation to train its workforce in HIPAA compliance, in order to maximise efficiency.
- The physical safeguards require proper and effective physical protection of stored data in order to prevent access by unauthorised personnel. This is the most effective safeguard, as it is very straightforward and usually involves workstation and device security.
- The technical safeguards pertain to the computer systems and to PHI communications transmitted electronically. These systems need to be safeguarded effectively so that unauthorised people cannot gain access to them or to the data stored on or transmitted through them.
Even though these are the main requirements of the HIPAA legislation, some states may require further measures for the storage and protection of data and privacy. The purpose of HIPAA, however, is to enable authorised individuals in the healthcare industry to access patient medical records whenever required, with the core aim of making the healthcare industry more efficient.