Confidentiality, Privacy & Security

Destruction of Electronic Records

  • 1.  Destruction of Electronic Records

    Posted 14 days ago

    We previously have only destroyed paper records with associated Certificates of Destruction.  Following AHIMA's guidelines of retaining records for 10 years, we are due to destroy our electronic records that are 10 years and older.  This will be the first time destroying electronic medical and counseling records.  Does anyone have experience with this?  Is a Certificate of Destruction required as it is with destruction of paper records?  Previously we used a licensed shredding company for the paper records.  Is a licensed company required to do the destruction of electronic records?  That really wouldn't apply for the electronic records as we will be doing it ourselves, correct?   We would really appreciate all input.  Also guidance to any AHIMA articles regarding this would be appreciated as well.  Thanks so much!



    ------------------------------
    Carol Taber
    Health Information Coordinator II
    ------------------------------


  • 2.  RE: Destruction of Electronic Records

    Posted 13 days ago
    Carol,

    That is a very good question. Really the destruction of electronic records will be up to the vendor, the device and the media involved. Anything a third party could take and crush, degauss (demagnetize) or render 'destroyed' as far as electronic info is concerned and then issue a destruction certificate is a good idea. Remembering there are HIPAA/NIST guidelines for destruction.

    The harder part is destroying records as a part of an EHR or other system, where the software will probably perform the destruction and it might not be doing a HIPAA grade destruction, but you may have no choice. So for those types of records be sure you completely check out the vendor and their mechanisms for destruction. If your IT or the vendor actually queues up and performs the destruction of selected records within a database I'd think you would keep a record of what got destroyed, but probably it's not a certificate, just a record or list with details of the destruction that could be produced if needed.

    Also update your policy for retention/destruction to ensure it covers all these areas.

    There may be an AHIMA practice brief on this, but I don't remember for sure, search the Body of Knowledge.

    Hope this helps!

    ------------------------------
    Kelly McLendon, RHIA, CHPS
    Managing Director
    CompliancePro Solutions
    kmclendon@complianceprosolutions.com
    321-268-0320
    ------------------------------



  • 3.  RE: Destruction of Electronic Records

    Posted 13 days ago

    See 45 C.F.R. § 164.310(d)(2)(i). "When an organization disposes of electronic media which may contain ePHI, it must implement policies and procedures to ensure that proper and secure disposal processes are used."

     The implemented disposal procedures must ensure that "electronic media have been cleared, purged, or destroyed consistent with NIST Special Publication 800–88: Guidelines for Media Sanitization, such that the PHI cannot be retrieved."

     Electronic media and devices identified for disposal should be disposed of in a timely manner to avoid accidental improper disposal.

     Organizations must ensure that all electronic devices and media containing PHI are disposed of securely; including non-computer devices such as copier systems and medical devices.




    ------------------------------
    Vivian Thomas, RHIA CHDA CHPS CPHQ CDIP
    Health Facility Examiner/Medical Records Consultant CA Dept of Public Health
    ------------------------------



  • 4.  RE: Destruction of Electronic Records

    Posted 12 days ago
    Vivian is correct in her citations. The issue is, if you are destroying records from within an application like an EHR, what mechanism does the vendor use to destroy that data? Many times it won't meet NIST guidelines for multi-pass destruction algorithms, but there won't be a choice not to use the vendor that controls the records and their built-in destruction applications. Just take care to understand how each type of electronic record destruction works and do your best to have them meet the NIST guidelines. Engage the vendors to understand how they perform destruction and question them if they don't meet NIST guidance.

    ------------------------------
    Kelly McLendon, RHIA, CHPS
    Managing Director
    CompliancePro Solutions
    kmclendon@complianceprosolutions.com
    321-268-0320
    ------------------------------



  • 5.  RE: Destruction of Electronic Records

    Posted 12 days ago
    Yes, I am speaking of EHR records.  Thanks!

    ------------------------------
    Carol Taber
    Health Information Coordinator II
    ------------------------------



  • 6.  RE: Destruction of Electronic Records

    Posted 6 days ago
    Carolyn, it is dependent if you are completing the process of destruction of the information from your internal resources or if you are working with your electronic records vendor.

    If you are destroying records internally, there needs to be a project plan on the purging of the data, which sits at the database level of the application, and then at the storage level.  There are two separate groups in the IT Department that would take care of these types of tasks.  Internally, the purging process should follow the NIST Guidelines - 800-88 - Guidelines for Media Sanitization, and refer to Clearing and Purging definitions.  The "physical" destruction would not take place until the disc that holds the data is destroyed, usually due to age of the equipment.  And that is what you refer to in the paper records world.  I would recommend that you bring in project management to get something of this magnitude off the ground.  There will be many stakeholders to work with to get to the point where data can be deleted and ensuring it does not affect any of your systems.

    If you are working with your electronic records vendor, then I would require an attestation of destruction of your records.

    ------------------------------
    Holly Woemmel
    Senior Manager of Privacy and Compliance
    Nuance Communications
    ------------------------------



  • 7.  RE: Destruction of Electronic Records

    Posted 4 days ago

    I would be interested in hearing what your EMR vendor tells you about destruction of the electronic records.  Has anyone done this yet? 

     

    Anna Berry Pfeil, MA, RHIA

    Director, Health Information Management

    Norton Healthcare

    502.629.8527

     

     


     

     






  • 8.  RE: Destruction of Electronic Records

    Posted 2 days ago
    We have begun discussion of destruction of records in our Document Imaging system (OnBase) and they have tools for purge/destroy.  Our EMR does not have the capability to destroy records or at least that is what we are told when we ask.  We keep pursuing this as currently we don't have 10 years of records in our EMR, but we have 6 years and soon will want to destroy.

    ------------------------------
    Cynthia Spann
    Executive Director Health Information
    Community Health Network
    ------------------------------