Businesses close for many reasons: an owner decides to retire, sell, or relocate. Sometimes a medical practitioner joins another group or relocates their facility. Today, many of these decisions are being driven by the changes the COVID-19 pandemic has brought.

Whether you’re closing your doors temporarily or permanently, these safety and risk management tips covering patient and client information can make the transition easier.

COVID-19 and Medical Facility Closures

Patients and practices alike are postponing elective procedures and non-emergency health situations. Many healthcare providers are temporarily reducing their hours or even closing their practices until the lockdown in their state is lifted or eased. Doing so, though, is not simply a matter of closing the door and turning the key.

Together with properly notifying patients of the closure, facilities must also make provisions for their patients to access their medical records while being mindful of the laws that govern medical records retention and disposal.

The first step a facility should take is making sure all medical records, particularly in-patient ones, are complete. When notifying patients of a temporary or permanent closure the information they receive should also address medical records requirements:

• A HIPAA-compliant authorization form such as this one provided by the state of Alabama should be included with the closing notification letter. Patients should be notified they can designate a new provider who they want to receive a copy of the records, but original records should be retained by the provider.
• Provide patients with information on where their medical records will be stored during the closure and how long those records will be retained.
• Supply a mailing address where patients may send future requests for records.

If a facility is permanently closing, arrangements must be made to securely store the documents in a way that’s consistent with federal and state HIPAA privacy and security policy laws.  The area where the records are stored must be safe from theft, fire, flood, vermin, and weather-related damages. If a custodian of records is designated, patients must be informed of that information, too.

All medical records should be inventoried prior to storage or transfer and the facility should retain a copy of the inventory. Whether a facility is closing, relocating, or temporarily shutting down, it must comply with state and federal laws that govern paper and electronic medical record retention and disposal.

General Guidelines for Records Disposition

Generally, a medical facility remains liable for incidental or accidental disclosure of PHI (personal health information) during and/or after a closure. That makes it important to take appropriate action to protect the integrity of PHI records. In addition to following state laws regarding retention and disposal, factors to be considered include:

• State licensing standards.
• Guidelines issued by professional organizations.
• Medicare and Medicaid requirements.
• How outdated records will be destroyed in accordance with HIPAA rules.

If a facility chooses to destroy records, it’s crucial to ensure patient confidentiality is not compromised. Requesting advice from experienced healthcare legal counsel can help determine the appropriate path to follow.

Records Disposal for Non-Medical Organizations

Non-medical businesses are not exempt from protecting customers and clients from improper use of their personal identifiable information (PII) such as name, address, social security number, phone numbers, or email addresses. Most states now require that PII records be disposed of in a secure fashion, typically by shredding, erasing, or otherwise modifying them so that they are undecipherable or unreadable through any means.

Most businesses don’t have the proper equipment to meet these regulations. To ensure compliance with all state and federal laws, it’s best to use a document destruction service that guarantees paper and electronic records will be properly destroyed without the risk of compromising privacy. A destruction log should be permanently retained along with a certificate of destruction.

It’s true that not all records necessarily contain PII information but in most cases it’s safer to assume that if the information appears in some records, it may reappear in others. A global document retention and destruction policy that emphasizes proper, secure disposal of all records is a good idea. TriHaz is currently offering area businesses free labor for the proper and secure disposal of all electronic and paper patient, client, and customer records that contain sensitive, PHI data, making this a great time to ensure outdated or unwanted records are securely disposed of.