Featured Standard – PR.2&3: Patient Record Security and Maintenance

PR.2: You must have a secure patient record system that allows prompt retrieval of information.

PR.3: Your patient records must be reasonably protected from all risks. You must take appropriate measures to maintain backups of patient data (Guide pg. 52-53).

Do you and your staff know your facility’s policy for securing and maintaining patient records? If the answer is ‘no’ or ‘what policy?’ then pay close attention, because this month we’re highlighting two very important Patient Record standards. These standards are critical to your practice not only because they ensure your compliance with HIPAA but because they ensure patient privacy and increased operational efficiency.

It all boils down to two things: security and accessibility.

Security should always be in place no matter how or where you keep your records. Your record system can be either paper or electronic, whichever works best for your business. At the very least, paper charts should be secured in a place not accessible to the public, such as a locked file cabinet, and electronic records should be maintained on a password-protected network.

Notice the word ‘reasonably’ in PR.3; what may be a reasonable record system for one practice may not be for another and should ultimately match the size, scope and location of the business. For example, it is reasonable for all facilities to protect their files from theft by keeping them in a locked cabinet or room. However, when you begin taking into account geographic location and other specific factors, what’s reasonable for your record system should change. For instance, it would be reasonable for facilities located in a low flood plain to avoid storing records on the ground floor of the facility, whereas this may not be a concern for facilities at higher elevations. Use common sense when assessing this standard and consider: how would you want your medical records stored?

In addition to being kept secure, your records should also be easily accessible. You must be able to promptly retrieve charts for any situation that could arise; examples include patient inquiries, walk-ins, emergency device repairs and ABC surveys.

These standards are required for all company locations. For facilities that have primary and affiliate offices, it may be company policy to keep all patient charts at the primary location. This is fine, but keep in mind that the requirement of ‘allowing prompt retrieval of information’ is still in place.

Make sure you have a policy for how patient information should be shared in the event that an affiliate needs a patient chart residing at the primary location. For example, your policy might state that the primary facility will fax or email any requested information to affiliate locations when needed. ABC does not put a timeframe in the standard, but ‘prompt’ should be taken literally. If a patient walks in to an affiliate location for an unscheduled appointment with an issue needing attention, they should not be kept waiting for an extended amount of time to receive treatment.

While keeping your patient records secure and accessible may be something you feel you’ve mastered, take time to really assess how you are storing your records and whether there are scenarios in which your current policy/procedure falls short. It may be as simple as having better education and communication about these standards with your staff.