Solutions for Effective Data Destruction in Medical Facilities
May 19, 2015
Whether your organization is a hospital, a dental office or a pharmacy, you end up accumulating large amounts of data over the years. And with a large volume of patients and staff, you will soon find your file cabinets bursting. Meanwhile, you can’t just start shredding everything, because you have certain data retention requirements to meet. Here are a few tips and strategies from our Maryland data destruction experts to help you figure out the best ways to keep your records organized.
Types of Sensitive Data
There are certain types of data generated by your medical facility that fall under specific federal and state regulations and need to be maintained and destroyed accordingly. Other types of data may not be that sensitive, yet you might still want to make sure they are not simply thrown in the trash, to protect yourself from fraud or identity theft. Here are the main types of information you should protect until they are securely destroyed.
- Personal Health Information (PHI) of patients: test results, insurance information, invoices, patient’s medical history, etc. (federally regulated by HIPAA)
- Human Resources Data: employee files, salary and benefits information, employment eligibility, payroll records, background check results, etc. (federally regulated by the U.S. Department of Labor)
- Financial Documents: tax forms, invoices, balance sheets, financial reports, etc. (federally regulated by the IRS)
Data Retention Schedules
Depending on which federal or state agency has control over specific sets of data, different documents will fall under different retention schedules. For example, under the Fair Labor Standards Act, employee information should be retained for 3 years, but the IRS recommends holding on to the employee tax files for a minimum of 4 years. Consult with your attorney to make sure you are aware of all the regulations you have to follow.
Keep in mind that the retention thresholds we listed above as an example are the minimum thresholds, and you are allowed to keep these documents longer if you need to. For a large medical facility, however, this may present an issue of storage and clutter. To avoid it, set your own schedule of how often your personnel will check for and expunge old records. This can be done annually or every 2-3 years, depending on the volume of data you accumulate.
Maintaining Organized Records
To keep things organized on the back end of your practice when it comes to data retention, separate your records into 3 categories: permanent, active and inactive.
- Permanent records should be kept safe and never destroyed (unless replaced by a newer version when appropriate). These documents include income tax returns, your internal procedures and policies, annual reports, site plans and building permits, licenses and other document originals and record copies.
- Active records are documents that are currently in use or are consulted on a regular basis for internal audits and quality reviews, release of information requests or for patient care purposes. These records should be kept safe until they become inactive and pass the data retention threshold.
- Inactive records typically have to do with patients who are deceased or who finished their course of treatment and haven’t been back in a long time. These records are the prime candidates for expungement once the retention requirements are met.
It is up to you to set a point at which a record becomes inactive. For example, you can set a threshold of 5 years since the discharge date, which would make all records of patients discharged prior to 2010 inactive.
Sensitive Data Destruction
Once you determine which records are candidates for destruction, separate them from the rest and contract with your local Maryland medical waste management company for pickup. Keep in mind that paper records are just a part of the picture. You should also remove sensitive information from hard drives, destroy CDs and DVDs and any other media.
The common data destruction methods we use at BWS include:
- Paper shredding in our secure facility. The shredded paper is then directed to the recycled paper mill for repulping.
- Incineration upon your request.
- Reformatting of hard drives that are then donated to charity to be reused.
- Physical destruction (grinding) of digital file storage media upon your request.
Your data destruction vendor should supply you with a certificate of destruction that should state what, when and how the data was destroyed along with the signatures of witnesses. Keep this document on file.
Remember that you are responsible for all the sensitive data your medical organization produces up until the point of destruction. This is why it’s important to hire a trustworthy and experienced medical data destruction vendor that will take safeguards against breaches and will keep your data safe. If you have any questions about how we achieve this at BWS, feel free to call us or contact us online for an estimate on our data destruction services.