HIPAA Policy-11
About This Policy
Effective: 07/01/2015
Last Updated: 12/13/2021
Responsible University Office:
Office of the Chief Privacy Officer
Responsible University Administrator:
Chief Privacy Officer
mawerlin@iu.edu
Policy Contact:
HIPAA Privacy Officer
HIPAA Security Officer
hipaa@iu.edu
Scope
This policy applies to the workforce members in the designated Indiana University (IU) HIPAA Covered Healthcare Components and HIPAA Affected Areas, anyone rendering services as a Business Associate, and anyone who creates, receives, maintains, or transmits Protected Health Information (PHI) in any capacity at IU, including, but not limited to, faculty, staff, students, trainees, volunteers, visiting scholars, and third-party agents. For the purposes of this policy, all of the above will be referred to as workforce members.
This policy covers PII and PHI in any form, including electronic, paper, hardware, USB drives, CDs, etc.
Policy Statement
It is the policy of Indiana University to retain records containing PHI in a usable, retrievable, and legal format for the period mandated by IU policies and procedures or by federal, state, and local governing authorities, whichever is more stringent.
- Record Retention:
  Records may take the form of electronic medical records, paper documents, microfilm, electronic data storage, etc., and must be retained in such a way that the information is available for its intended business purposes. Records must be secured to prevent unauthorized access or disclosure, and opportunities for loss and/or damage must be minimized.
  - Medical records shall be retained for the full period of time required by state laws and/or IU policies.
    - Adult medical records will be retained for a minimum of seven (7) years from the last date of service;
    - Pediatric medical records will be retained for a minimum of three (3) years beyond the age of majority.
  - Records may be microfilmed or electronically scanned, with procedures in place to ensure the accurate and complete retrievable reproduction of the original document. (Scanned electronic images of the record become the original, official record immediately after creation and are retained in accordance with the applicable policy.)
  - Research records that contain PHI may be governed by additional policies or regulations and shall be retained for the period of time required by the research protocol, the research sponsor or funding agency, or the requirements of any associated research grant.
- Record Destruction and Disposal:
  Destruction/disposal of records containing PHI will be carried out in accordance with IU policies and procedures, HIPAA regulations, and federal and state laws.
  - Each IU HIPAA Affected Area is responsible for arranging for the safe and secure destruction/disposal of records containing PHI and other critical or restricted information.
  - Records shall not be destroyed/disposed of before the minimum retention period has been met.
  - The destruction/disposal of any records must be approved by the IU HIPAA Affected Area responsible for the creation and/or retention of the records.
  - Destruction/disposal shall be suspended for records involved in any open investigation, including research misconduct, audit, or litigation.
  - Paper documentation containing PHI must be shredded or placed in a secure bin. Protected Health Information must not be discarded in trash cans, unsecured recycle bins, or other areas accessible by the public.
  - The IU HIPAA Affected Area must ensure proper destruction/disposal methods by developing a procedure that meets the needs, security, and confidentiality of its area and which does not permit recovery, reconstruction, or future use of the protected information.
  The method of destruction/disposal for a particular type of record must be appropriate to the medium. In general, examples of proper disposal methods may include, but are not limited to:
  - Paper Records: shredding, burning, pulping, or pulverizing the records so that PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed.
  - Electronic Media: securely wiping (using software or hardware products to overwrite media with non-sensitive data), purging (degaussing or exposing the media to a strong magnetic field in order to disrupt the recorded magnetic domains), or destroying the media (disintegration, pulverization, melting, incinerating, or shredding).
  - UITS or the IT support personnel for the IU HIPAA Affected Area should be contacted to coordinate the destruction of any electronic media containing ePHI.
  - Outside vendors providing destruction and disposal services must be approved by IU’s Purchasing department. To ensure the contract meets the requirements of the HIPAA Privacy and Security Rules, a Business Associate Agreement must be executed, and the vendor may be required to go through a security risk assessment.
- Documentation of Destruction/Disposal of PHI:
  Destruction of records maintained as part of the designated record set or as required by contractual agreement must be documented, and the documentation maintained permanently by the IU HIPAA Affected Area (see the sample Certificate of Destruction form attached to this policy). Permanent retention is required because it may become necessary to demonstrate that the records were destroyed/disposed of in the regular course of business.
  Records of destruction/disposal should include:
  - Date of destruction;
  - Method of destruction;
  - Description of the destroyed documents;
  - Inclusive dates covered;
  - Statement that the records were destroyed in the normal course of business;
  - Signatures of the individuals supervising and witnessing the destruction; and
  - Name of IU approved vendor, if applicable.
  Destruction documents should be permanently retained by the Unit Privacy Officer, or the University Privacy Officer, as applicable.
- Violations:
  - The IU HIPAA Affected Area must report any violation of this policy and/or unintentional destruction of PHI to the University HIPAA Privacy Officer.
  - All reported matters will be investigated, and, where appropriate, steps will be taken to remedy the situation.
  - Failure to comply with this policy can result in significant consequences to the individual as well as Indiana University, including violations of law, investigations, and criminal proceedings. Accordingly, individuals who violate this policy may be subject to a full range of sanctions, including disciplinary action, suspension, termination of employment, and legal action.
Reason for the Policy
This policy establishes limits regarding the amount of PHI which may be used or disclosed for an intended purpose to the minimum necessary, in accordance with HIPAA and HITECH privacy regulations, in conjunction with existing state laws, federal laws, and Indiana University policy covering human subjects, security, and privacy.
Definitions
Individually Identifiable Health Information (IIHI): A subset of health information, including demographic information collected from an individual, and: (1) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and identifies the individual or there is a reasonable basis to believe the information can be used to identify the individual.
Minimum Necessary: A standard that requires covered entities to take reasonable steps to limit the use or disclosure of, and requests for, PHI to the minimum necessary to accomplish the intended purpose. The minimum necessary standard does not apply to certain uses or disclosures, such as requests by a health care provider for treatment purposes, disclosures to the individual who is the subject of the information, or disclosures made pursuant to an individual’s authorization.
Protected Health Information (PHI): Individually identifiable health information held or transmitted by a covered entity or its business associate in any form or medium, whether electronic, on paper or oral.
See the Glossary of HIPAA Related Terms for a complete list of terms.
History
07/01/2015 Effective Date
08/01/2016 Added link for Glossary
06/xx/2017 Published on University policy site
12/13/2021 Updated policy contacts
Related Information
Indiana Code
Indiana Code § 16-39-7-1: Maintenance of health records by providers; Violations
HIPAA Privacy Rule
45 CFR 164.530(i)
45 CFR 164.530(e)
HIPAA Security Rule
45 CFR 164.310(d)(2)(i)
45 CFR 164.310(d)(2)(ii)
Related IU Policies/Guidance Document
HIPAA-G01: HIPAA Sanctions Guidance