Do Follow Your State's Laws
HIPAA itself does not set a retention period for medical records (the Privacy Rule's six-year requirement applies to compliance documentation such as policies, notices and authorizations, not to the charts themselves), but most states do, and those state laws define how long a provider must keep a patient's records before they may be disposed of. It's important for healthcare providers to familiarize themselves with their own state's requirements. Destroying records before the required period has passed can result in a fine or other penalties, and holding records long after it ends only enlarges the amount of PHI a breach can expose, so plan disposal around the date the legal obligation actually expires.
Do Create a BAA When Sharing Patient Records with Third Parties
If you plan on utilizing the services of a third party – and you intend to give that party access to patient records – you must first put a Business Associate Agreement (BAA) in place with it. This written contract spells out the permitted uses and disclosures of the PHI, the safeguards the business associate must apply, its duty to report breaches and security incidents back to you, its obligation to bind any subcontractors to the same terms, and what happens to the data when the agreement ends (return or destruction where feasible). Sharing PHI without a BAA in place is among the most commonly cited types of Health Insurance Portability and Accountability Act (HIPAA) violations.
Don't Dispose of Patient Records in the Trash
Let me rephrase that: don't dispose of patient records in the trash without first destroying them to the point where no protected health information can be read or reconstructed. Anyone with access to your dumpster can otherwise walk away with intact charts, and healthcare providers are often fined for exactly this. To protect your practice from a data breach, destroy all paper patient records by shredding, burning, pulping or pulverizing them before the remains go in the trash; simply tearing pages in half or dropping them in an unlocked recycling bin does not count.
The HHS Office for Civil Rights publishes guidance on acceptable methods of PHI disposal; it covers electronic media as well as paper, and for electronic media it defers to the clearing, purging and destruction methods in NIST Special Publication 800-88.
Don't Store EPHI Without Encryption
Encryption of ePHI is an "addressable" implementation specification under the HIPAA Security Rule rather than a flat mandate: you must assess whether it is reasonable and appropriate for your environment and, if you decide not to implement it, document why and put an equivalent alternative measure in place. In practice there is rarely a defensible reason not to encrypt stored Electronic Protected Health Information (EPHI). Encrypting digital patient records helps prevent a data breach in the first place and limits the damage if one does occur: under the HHS breach notification guidance, PHI that is encrypted to the specified standard is not "unsecured" PHI, so the loss of an encrypted drive, provided the key was not lost along with it, does not by itself trigger a reportable breach.
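As an added example (not code from the original article or from any particular EHR product), the following Go program shows what "stored with encryption" should mean for a single record: authenticated encryption with AES-256-GCM, a fresh nonce per record, and the record identifier bound in as associated data so that a ciphertext blob copied onto another patient's entry is rejected rather than decrypted. The `Record` type and the sample patient are constructed for the example, and the key is generated in memory only for the demo; a real deployment would fetch it from a KMS, HSM or OS keystore, never store it beside the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// Record is a minimal stand-in for a stored patient record.
// It is constructed for this example and is not a real EHR schema.
type Record struct {
	MRN       string `json:"mrn"`
	Name      string `json:"name"`
	Diagnosis string `json:"diagnosis"`
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one record with AES-256-GCM and returns nonce || ciphertext || tag.
// The key should come from a KMS/HSM, never from the same disk or backup as the data.
// recordID is bound in as associated data, so a blob filed under another patient's
// entry fails to decrypt instead of silently returning the wrong chart.
func Seal(key []byte, recordID string, rec Record) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	plain, err := json.Marshal(rec)
	if err != nil {
		return nil, err
	}
	// Fresh random nonce per record: reusing a nonce under one key breaks GCM.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plain, []byte(recordID)), nil
}

// Open reverses Seal. Any change to the blob, the key or the recordID makes
// the GCM tag check fail, and no plaintext is returned at all.
func Open(key []byte, recordID string, blob []byte) (Record, error) {
	var rec Record
	gcm, err := newGCM(key)
	if err != nil {
		return rec, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return rec, errors.New("blob too short to be a sealed record")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	plain, err := gcm.Open(nil, nonce, ct, []byte(recordID))
	if err != nil {
		return rec, fmt.Errorf("decrypt failed (wrong key, wrong record, or tampering): %w", err)
	}
	if err := json.Unmarshal(plain, &rec); err != nil {
		return rec, err
	}
	return rec, nil
}

func main() {
	// Demo only: a real deployment fetches this key from the KMS at startup.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	rec := Record{MRN: "000123", Name: "Jane Doe", Diagnosis: "hypertension"} // constructed sample
	blob, err := Seal(key, rec.MRN, rec)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d bytes of ciphertext for MRN %s\n", len(blob), rec.MRN)
	back, err := Open(key, rec.MRN, blob)
	fmt.Printf("legitimate read: %+v (err=%v)\n", back, err)
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the tag
	_, err = Open(key, rec.MRN, tampered)
	fmt.Printf("tampered blob: err=%v\n", err)
	_, err = Open(key, "000999", blob) // same blob filed under another patient
	fmt.Printf("swapped record: err=%v\n", err)
	_, err = Open(make([]byte, 32), rec.MRN, blob) // stolen disk, no key
	fmt.Printf("without the key: err=%v\n", err)
}
```

The last case is the one that matters for breach notification: an attacker holding the disk but not the key gets an authentication error and no bytes of PHI. That property only holds if key management is separate from storage, which is why the lead-in insists the key not live next to the data.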
Don't Allow Workers to Take Home Portable Storage Devices
There are a few exceptions in which it's OK for healthcare workers to take home storage devices, but it's generally best to err on the side of caution by discouraging or even prohibiting this in the first place. For instance, if a worker brings home a tablet computer that contains the medical records of hundreds of patients, there's an inherent risk of a data breach. If a burglar breaks into the worker's home and steals the tablet, all of those records could be exposed – or worse, they could be sold on the black market to the highest bidder. Where a device genuinely must leave the building, it should at minimum have full-disk encryption, a strong unlock credential and the ability to be wiped remotely, and it should carry only the records the worker actually needs rather than a copy of the whole database.