How Should Medical Records Be Stored and Secured?

It is essential to secure and safeguard all patient medical records. These records are at risk of being exposed and giving away information about a patient’s health. In 1996, the Health Insurance Portability and Accountability Act was created to protect patients’ medical histories and personal health information in the United States. Before HIPAA, there was no set standard for storing medical records across health care organizations in the United States. HIPAA was created to address patient privacy and to develop a standardized way of managing documents.

Compromising a patient’s privacy is a significant concern in medical records management, as are medical errors. Serious errors are more likely when records are not managed correctly or when data breaches occur, which is why medical errors have grown to be the third leading cause of death in the United States, according to Johns Hopkins University.

Electronic patient management systems help, as medical records can be updated instantly across the network. However, while 89% of physicians use electronic medical records, only 72% use a certified system, according to the Centers for Disease Control and Prevention. Working with a system that isn’t certified could leave records more prone to security breaches.

What Is Medical Records Management?

Medical records management is a system of protocols and procedures used to protect confidential information on patient care. These ensure that patient data and information are stored securely and are appropriately maintained through the data life cycle. Medical records management keeps medical professionals in compliance with federal regulations and laws on protecting sensitive patient information.

With medical records management, there have to be policies in place for each stage of the life cycle or interaction with those medical records. From the time the patient record is created, it needs to be appropriately handled. This is the case regardless of why the record is being handled, whether that’s a request from the patient, a review by a physician, or a request from a third party. The documents must also be held for the required amount of time before they are properly destroyed. This timeline will vary by state.

HIPAA Policies and Compliance for Medical Record Storage

HIPAA creates standards for storing protected health information, often abbreviated PHI.

With HIPAA regulations, some basic rules must be followed. These include rules to ensure the confidentiality, integrity, and availability of all electronic PHI that is created, received, maintained, or transmitted.

Additionally, providers must:

  1. Identify and protect against possible threats to the security or integrity of patient information.
  2. Protect against reasonably anticipated, impermissible uses or disclosures of medical records.
  3. Ensure compliance by those in the workforce, such as office staff and medical providers.

Administrative Policies for Storing Medical Records

Per HIPAA, covered entities must:

Implement a Security Management Process

HIPAA requires a security management process to be in place to protect health information. This covers risk analysis and risk management: evaluating the likelihood of risks to e-PHI and implementing security measures to address those risks.

Designate Security Personnel

The covered entity must designate a security official who is responsible for developing and implementing its security policies and procedures.

Limit Access to PHI

Access to information must be limited in a way that is consistent with the HIPAA Privacy Rule. This limits the disclosure and use of PHI to the very minimum necessary. The HIPAA Security Rule establishes role-based access allowances.

Conduct Training for All Employees

All employees must be trained to work with e-PHI correctly. Covered entities, such as health care providers, need to train their workforce in their security policies and procedures. If workforce members violate the policies or guidelines, the entity must impose appropriate sanctions against those individuals.

Evaluate Policies and Procedures

Finally, entities need to perform assessments to see if their security policies or procedures meet the Security Rule in its entirety.

Physical Security for Medical Record Storage

Per HIPAA policies, covered entities must:

Limit Physical Access to Storage Facility

When limiting physical access to the storage facility, the covered entity needs to implement a process of authorizations to determine who can have access. Only authorized users or individuals may have access to the facility at any time.

Implement Policies and Procedures for Workstation and Device Security

Since workstations and digital devices are accessed by people in an office or a secure area, it’s essential that only those who are authorized access the documents. Covered entities need to have policies and procedures in place to reuse, dispose of, transfer, and remove media in a way that protects private health information.

Technical Security for Medical Record Storage

Per HIPAA policies, covered entities must:

Limit Electronic Access to PHI

Access control is a serious concern for PHI protection. Covered entities need to implement technical procedures and policies that allow only specific, authorized individuals to access any electronic PHI.

Audit Electronic Access to PHI

With audit controls, covered entities must use software, hardware, or other mechanisms to record and examine access and activity in an information system. For example, if a hacker were to access a document in the system, the audit controls should capture that access so the entity can identify the intrusion and determine what was accessed. Good health information technology software may help identify threats in an electronic health record system or on a hard drive so that data doesn’t get into the wrong hands.
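The two technical safeguards above, limiting electronic access and auditing it, are easiest to see together. The following is an added example, not code from the original article: a minimal PHI store that enforces role-based, minimum-necessary access (each role may read only the fields it needs) and writes every access attempt, allowed or denied, to an audit log, followed by a review pass of the kind a security official would run over that log. The roles, field names, users, patient data and review thresholds are all constructed for illustration.

```python
# Added example (not from the original article): a minimal PHI store that
# enforces role-based, minimum-necessary access (the "Limit Access" points)
# and records every access attempt in an audit log that can then be reviewed
# (the "Audit Electronic Access" point). Roles, fields, users and the review
# rules are all constructed for illustration.
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Minimum-necessary policy: which PHI fields each role may read (assumed roles).
ROLE_FIELDS = {
    "physician": {"name", "dob", "diagnosis", "medications", "notes"},
    "nurse": {"name", "dob", "medications"},
    "billing": {"name", "dob", "insurance_id"},
    "front_desk": {"name", "dob"},
}


@dataclass
class AuditEvent:
    timestamp: datetime
    user: str
    role: str
    patient_id: str
    fields: tuple
    allowed: bool
    reason: str


@dataclass
class PhiStore:
    records: dict                          # patient_id -> {field: value}
    users: dict                            # user -> role
    audit_log: list = field(default_factory=list)

    def read(self, user, patient_id, fields, now=None):
        """Return only the requested fields the caller's role may see; log every attempt."""
        now = now or datetime.now(timezone.utc)
        role = self.users.get(user)
        if role is None:
            self._log(now, user, "unknown", patient_id, fields, False, "unknown user")
            raise PermissionError("unknown user")
        if patient_id not in self.records:
            self._log(now, user, role, patient_id, fields, False, "no such patient")
            raise KeyError(patient_id)
        denied = sorted(set(fields) - ROLE_FIELDS[role])
        if denied:
            self._log(now, user, role, patient_id, fields, False, f"not permitted: {denied}")
            raise PermissionError(f"role {role} may not read {denied}")
        self._log(now, user, role, patient_id, fields, True, "ok")
        return {f: self.records[patient_id][f] for f in fields}

    def _log(self, now, user, role, patient_id, fields, allowed, reason):
        self.audit_log.append(
            AuditEvent(now, user, role, patient_id, tuple(fields), allowed, reason))


def review_audit_log(events, denied_threshold=3, work_hours=(7, 19)):
    """Review pass a security official might run: flag after-hours reads and
    users who repeatedly request data their role does not permit."""
    findings, denials = [], {}
    start, end = work_hours
    for e in events:
        if not e.allowed:
            denials[e.user] = denials.get(e.user, 0) + 1
        elif not start <= e.timestamp.hour < end:
            findings.append(f"after-hours access by {e.user} to {e.patient_id} "
                            f"at {e.timestamp.isoformat()}")
    for user, n in denials.items():
        if n >= denied_threshold:
            findings.append(f"{n} denied requests by {user}")
    return findings


def demo():
    """Run a constructed scenario and return the review findings."""
    store = PhiStore(
        records={"P-1001": {"name": "Sample Patient", "dob": "1980-01-01",
                            "diagnosis": "[constructed]", "medications": "[constructed]",
                            "notes": "[constructed]", "insurance_id": "INS-0001"}},
        users={"dr_lee": "physician", "nurse_kim": "nurse", "desk_ann": "front_desk"},
    )
    t = datetime(2024, 3, 4, 10, 0, tzinfo=timezone.utc)
    store.read("dr_lee", "P-1001", ["name", "diagnosis"], now=t)        # allowed
    store.read("nurse_kim", "P-1001", ["name", "medications"], now=t)   # allowed
    for _ in range(3):                               # front desk asking for a diagnosis
        try:
            store.read("desk_ann", "P-1001", ["diagnosis"], now=t)
        except PermissionError:
            pass
    store.read("dr_lee", "P-1001", ["notes"], now=t.replace(hour=23))   # after hours
    return review_audit_log(store.audit_log)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Two design points carry over to real systems: denied attempts are logged as carefully as successful ones, because a run of denials is often the first visible sign of a compromised account or a curious insider, and the log records the role as well as the user, so a later review can still tell whether the access was appropriate after the person's role has changed.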

Securely Transmit PHI

If transmission of the electronic documents is necessary, the healthcare provider must implement security standards for doing so. These should guard against unauthorized access when the information is transferred over an electronic network.

How Long Are Medical Records Stored?

Every state has its own requirements for the storage of medical data. HIPAA defers to state law on how long records must be stored, so the required period varies by location. There can also be different timelines for storage depending on the type of provider. For example, physicians and hospitals may keep records for different lengths of time.

To stay compliant with federal law and with federally funded programs such as Medicare and Medicaid, a medical business office or hospital must retain patient medical records for at least five years. Critical access hospitals must keep records for at least six years to stay compliant.

Other kinds of records may need to be kept longer. For example, if medical personnel are exposed to hazards, the Occupational Safety and Health Administration’s regulations may come into play. Those regulations mandate that exposure records be kept for 30 years, even if HIPAA doesn’t require the records to be retained for that long.

Under HIPAA privacy regulations, disclosure accounting documents, policy documents, and procedure documents need to be kept for at least six years. This is based on the HIPAA Privacy Rule.

States are different. For example, California requires all medical practitioners to keep their records for at least 10 years.

Medical providers need to keep patient records for at least seven years in Texas. For pediatric patients, records may not be destroyed until the individual is at least 21 years old.

In New York, obstetric and pediatric records have to be kept until the child turns 19. Records for adults need to be kept for at least six years. Companies can keep themselves safer by maintaining electronic records for at least six years at their medical facility, but longer retention times may be advised in exceptional cases.

State laws determine how long records have to be kept, so this is something to be cautious of before destroying documents.

How Are Medical Records Destroyed?

When it is time for paper or electronic health records to be destroyed, it must be done in such a way that they cannot be used for illegal or unauthorized purposes. To do this, organizations have to follow specific protocols. Medical practices may destroy paper documents by:

  • Burning.
  • Shredding.
  • Pulverizing.
  • Pulping.

Electronic records must be destroyed using specialized wiping software or degaussing magnets on hard drives to fully eliminate the data. Without such software or magnets, it could be possible to recover files even after they’ve been deleted.
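The reason an ordinary delete is not enough is that it removes the directory entry and leaves the file's blocks on the disk until something else happens to reuse them. The block below is an added example, not code from the original article, of what "using software" means at the file level: every byte of the record is overwritten with random data and flushed to the device before the file is unlinked. File names and contents are constructed. The caveat in `destroy_file` matters in practice: in-place overwriting is only reliable where the filesystem writes back to the same blocks, and degaussing only works on magnetic media, so SSDs, copy-on-write filesystems, snapshots, backups and cloud storage call for encryption with key destruction or the device's own sanitize command instead.

```python
# Added example (not from the original article): overwriting an electronic
# record in place before deleting it, so the bytes are not left on the disk
# for ordinary recovery tools. File names and contents are constructed.
import os
import secrets
import tempfile

CHUNK = 1024 * 1024  # overwrite in 1 MiB chunks so large files are not read into memory


def overwrite_file(path, passes=1):
    """Overwrite every byte of `path` with random data and flush it to the device.
    Returns the file size in bytes."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                fh.write(secrets.token_bytes(n))
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())  # push the overwrite past the OS cache to the device
    return size


def destroy_file(path, passes=1):
    """Overwrite, truncate to zero length, then unlink. Returns bytes overwritten.
    Caveat: on SSDs, copy-on-write or journaling filesystems, snapshots,
    backups and cloud storage, stale copies of the original blocks can
    survive an in-place overwrite; there, full-disk encryption followed by
    key destruction or the device's own sanitize command is the right tool."""
    size = overwrite_file(path, passes)
    with open(path, "r+b") as fh:
        fh.truncate(0)
    os.remove(path)
    return size


def demo():
    """Write a constructed record to a temp file, destroy it, and report what
    was observable at each step."""
    marker = b"PATIENT P-1001 diagnosis: [constructed sample]\n"
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "record.txt")
    with open(path, "wb") as fh:
        fh.write(marker * 200)
    original_size = os.path.getsize(path)
    overwritten = overwrite_file(path)
    with open(path, "rb") as fh:
        after = fh.read()          # same length, but the record text is gone
    result = {
        "size": original_size,
        "overwritten": overwritten,
        "size_unchanged": len(after) == original_size,
        "marker_still_present": marker in after,
        "destroyed": destroy_file(path) == original_size and not os.path.exists(path),
    }
    os.rmdir(workdir)
    return result


if __name__ == "__main__":
    print(demo())
```

Whichever method is used, the destruction itself should be logged (what was destroyed, when, by whom and how), since the retention rules discussed above also require an organization to show that records were kept for the mandated period before they were destroyed.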

How to Safely and Securely Store Medical Records

Safely storing medical records is the key to staying compliant with HIPAA. Medical records and PHI should be stored out of sight of those who are not authorized to access them. For example, a digital document may be kept on a locked network restricted to physicians and medical records staff, or a room of patient files may be accessible only to approved personnel with a special code.

While doing this might seem impractical or excessive, violating patient privacy is a serious offense. To help safely and securely store medical records, you should do the following:

Create Policies and Procedures

Policies and procedures need to be created to comply with the Security Rule. They must then be retained as a written record for at least six years from their last effective date.

To maintain the safety of patient files, this procedure or policy will need to be followed. HIPAA allows some freedom in how medical facilities protect patient data. Still, it is helpful to have direct policies that are easy to follow and train new workers on when needed.

Regularly Train All Employees on Policies and Procedures

Medical facilities need to regularly train their employees on their policies and procedures to protect patient confidentiality and keep the facility compliant with HIPAA. For example, if the policy is to take the patient file out, hand it off to the nurse, hand it to the doctor, and then return it to the office to refile, this should be done every time. Any deviation from the procedure, such as setting the document aside in a shared office, should be noted and followed up on for correction.

Develop a Label System for Accurate Indexing

To index patient files, it is helpful to have a labeling system. Many offices label by birthdate, last name, or full name. Depending on the number of patients at the facility, it may be more reasonable to file alphabetically by last name. Adding a middle name and birth date may also be appropriate to distinguish patients with the same name.

The goal is a label system that makes it possible to find patient information quickly without pulling the wrong files. Pulling the incorrect files could lead to a breach of confidentiality.

Automate Processes When Applicable

When possible, automating processes helps keep medical information and documentation secure. For example, instead of keeping copies of the patient’s prescriptions in a paper file, storing them digitally may be better for safekeeping. Technical safeguards, such as HIPAA-compliant cloud services or end-to-end encryption, may help prevent identifiable health information from being leaked.

Stay on Top of Data Security

Finally, stay on top of data security. An office should have a data security officer to identify threats and address them. If there is a data breach, patients may need to be informed. The security officer needs to regularly self-audit the system to prevent a data breach. Antivirus software should also be used to maintain security. Browser cookies should be cleared regularly, and systems should be monitored for potential phishing or keylogging.

As mentioned earlier, self-auditing the system is the best way to prevent a digital breach. However, you can also audit the office. Check for paperwork that is out of place or that isn’t stored as it should be. Note any file transfers that did not go as they should have. Self-auditing will help find more security risks to be assessed and addressed.

Find out more about our intake services, contract services, or medical records division by speaking with one of our sales associates at (800) 200-CAMG or reach out to us here.
