December 2016
Record Destruction: When, Which Ones, and How
By Sarah Elkins
For The Record
Vol. 28 No. 12 P. 6
When it comes to the protection, management, and release of medical records, expert advice abounds. But turn the conversation to the destruction of medical records and the experts start checking their watches.
Establishing a retention policy and determining exactly when records should be destroyed is tricky business, perhaps explaining why there is little definitive advice beyond, "Make sure you consult legal counsel." No one wants to be caught holding the bag, or the chart, as it were. That's understandable. Regulation varies from state to state, and the amount of detail to be found in state code varies widely, too.
To complicate the issue, state retention policies are not the only worry weighing on the minds of record custodians. Despite the risks associated with retaining records longer than legally necessary, some health care organizations say they simply can't purge their records.
Defining the Legal Record
With EHR adoption now widespread, defining the legal record has become more complicated. Many HIM directors aren't so worried about when to destroy records; rather, they worry that what they are retaining may not actually be the legal record.
"EHRs Serving as the Business and Legal Records of Healthcare Organizations," an AHIMA brief published in May 2016, explains the issue: "Because of the urgency health care organizations have felt to begin deploying EHRs, health care entities, vendors, and others sometimes neglected to build in the processes and system capabilities needed to enable optimal EHR management functions and ensure the electronic rather than the paper version could stand as the legal business record."
In short, EHRs lack information governance oversight. The data they maintain cannot consistently be trusted. That leaves health care organizations, especially those on tight budgets, feeling stuck. They have to achieve meaningful use, but they also have to cling to their old paper-based methods if they are unsure about their EHR's capabilities.
Most hospitals and clinics are operating in a hybrid environment with at least some of a patient's record existing in paper. Often the electronic record is pieced together by scanning documents from disparate systems. In some cases, this includes handwritten doctors' and nurses' notes. Many facilities employ a system by which paper documents are scanned daily and shredded upon upload to the EHR. The assumption is that the scanned documents serve as the legal record. Unfortunately, a judge may disagree.
That's exactly what happened in at least one instance, says Gary Osborne, operations manager at EvriChart, a medical records storage company. "A single court case cost one of our customers millions of dollars. That incident was the beginning of their ban on destroying physical records," Osborne recalls.
In this particular malpractice suit, he explains, the plaintiff argued that the scanned documents could have been altered prior to scanning. Because the facility had destroyed the physical document, there was no way of proving otherwise. Producing a scanned copy was as good as producing nothing at all. The judge ruled the electronic record was not the legal record. The end result was a costly settlement and increased storage fees for retention of paper records that coexist within the EHR.
"The issue is always litigation," Osborne says. "Our customers who are storing their postscan records worry that the electronic record may not be good enough. Plus, they know there are a lot of errors in the scanning. Pages get stuck together; there are misfiled documents. It's just too risky to destroy the originals even if they may never need them."
Acquisitions Cause Uncertainty
In December 2015, a PricewaterhouseCoopers report predicted 2016 would be a year of "merger mania." This prediction came after what had already been two record-breaking years of mergers and acquisitions in the health care sector. The ripple effect of those changes is far reaching, and directors at the hospital level find themselves in suspended animation waiting to see what their new rules will be.
In Buckhannon, West Virginia, Stephanie Newbrough, RHIT, HIM director of St. Joseph's Hospital, a 25-bed critical access facility, has effectively pushed the pause button on establishing a destruction policy. "In 2014, I learned that we were being purchased and decided not to go forward with a retention plan due to previous corporate entities that I have worked for," she says. "We have records from basically the day we opened in 1921, most of it on film or fiche."
In the year since the acquisition, Newbrough has been working closely with enterprise information management (EIM) directors at West Virginia University (WVU) Medicine, parent corporation of St. Joseph's, on a long list of departmental initiatives. A retention plan has yet to make it to the top of that list, but it's certainly on the docket.
In part, Newbrough remains in a holding pattern because St. Joseph's is transitioning to Epic, a move that will drastically change the landscape of the HIM department. Nevertheless, she remains confident the project will come to fruition. "In the near future, we will work on creating a retention and destruction policy that comes from all of the EIM directors and WVU Medicine legal counsel that meets the needs of our patients," Newbrough says.
In the meantime, she's sitting on 95 years of medical records. But she's not alone—hundreds of hospitals continue to change hands all over the country, leaving many other HIM directors in limbo.
Holes in the Code
Technically speaking, Newbrough is already following her state's retention policy. West Virginia code states, in summary, that records must be kept in the original form, microfilm, or an electronic data process. The code is silent on how long records should be kept. Because there is no specification of a retention period, the implied retention is forever.
However, it's safe to say most health care facilities in West Virginia are destroying records. "Oh, yes, we destroy them," says Christine Metheny, RHIA, CHPS, CHTS-IM, HIM director and chief privacy officer at WVU Medicine. "We went through a very rigorous process with a legal consultant who did a lot of research. After careful consideration, we established a retention policy of 20 years."
WVU Medicine comprises nine hospitals and their affiliated practices and clinics; St. Joseph's Hospital is one of its newest additions. The health system's flagship hospital, J.W. Ruby Memorial Hospital, and the adjacent institutes, went electronic in 2004, scanning into its Horizon Patient Folder system. In 2008, it converted to Epic. For now, its annual destruction involves a contract with Shred-it, which shreds their aged-out records onsite.
"In the not-so-distant future, we will shred our very last physical record," Metheny says. That will be cause for celebration at Ruby Memorial, which will become completely paperless from the point of care. Metheny hasn't had to make the leap to destruction of digital records, but she's already considering what that will mean.
A Different Animal
"I think that's going to be a hard challenge because it's a live record," Metheny says. "To pull pieces and parts out is not that simple. I believe the destruction process is going to be a lot more complicated."
Metheny will likely have to undertake a new rigorous process of research and legal consult as she begins to develop electronic record destruction policies. This is another area where state regulations are less than helpful. In the absence of specific guidelines on how electronic data should be destroyed, organizations are left to come up with a procedure that covers their bases.
Tony Maro, CISSP, CIO at EvriChart, says, "We utilize an app that overwrites a hard drive 20 times with random data prior to discarding the drive. For CD-ROMs and DVDs, we shred them with a cross shredder, even when the data are encrypted."
According to Maro, the bigger issue is "when a computer, hard drive, or USB stick is discarded without the company realizing it ever had PHI [protected health information] on it to begin with—or forgetting to check. That's generally when there's a breach, because there was no effort to destroy the data."
As AHIMA puts it, "Today, the EHR can and often does reside in several different information systems. HIM professionals ensure that information management and record of care standards are applied consistently across these various systems to maintain the level of integrity necessary for the health care organization's records."
For health systems such as WVU Medicine, destroying electronic data also means knowing all of the many places that data exist. That, in itself, makes electronic destruction infinitely more complicated than destroying a physical record.
— Sarah Elkins is a freelance writer based in West Virginia.