While there may be some variation from state to state about who ultimately “owns” a medical record, the one constant nationwide is that to remain HIPAA compliant, every physical medical record must be stored, accessed, and moved throughout its life cycle in compliance with specific privacy regulations. These rules were significantly tightened under the American Recovery and Reinvestment Act of 2009 (ARRA) and include provisions that every hospital, practice and third-party provider must be compliant with all current HIPAA regulations. (Source)
Keeping track of every record throughout its life cycle and ensuring its protection can be a formidable challenge. Plus, the government has amplified its enforcement, with penalties related to protected health information (PHI) of up to $1.5 million annually per type of violation.
So, how can your healthcare IT team ensure the electronic medical records in your care are secure and compliant? Let’s take a look at chain of custody (COC).
What defines custody of a document?
In general, custody refers to when a person has physical possession of a document or has the document within sight.
Similarly, chain of custody refers to the requirement that any time someone touches, looks at or stores a document, the company must keep a record of the activity. The chain of custody can be stored in a system that keeps track of a document’s location and who has accessed it.
It is important for your healthcare organization to have a plan to maintain accurate chain of custody of your electronic health records. The plan should include details about:
- Security – Who has access to each type of electronic health record (from PHI to HR data to other operational records)
- Storage & Retrieval – How the documents are accessed and stored. One long-term secure storage option is an archive, such as Harmony Healthcare IT’s Health Data Archiver. Such a solution should offer the ability to audit the chain of custody. Benefits include easily seeing who has accessed the record via audit logs in the archive and ensuring the ability to migrate the COC from the source application if it exists.
- Custody Log – A process to identify each time a record is stored or received. This includes a log that notes who accessed the document, where/when it was accessed and a description of the document being accessed.
Avoiding a Chain of Custody Failure
If the unfortunate happens and there is a problem with your electronic document management, your organization could suffer anything from the loss of documents up to a large-scale security breach. Besides the obvious reputation issues, security breaches are expensive. The two largest recent security breaches with Community Health System and Anthem cost upwards of $100 million. Legally, breached entities face potential class-action lawsuits and multi-year compliance plans. Additionally, consumer trust, the bedrock for provider and payer relationships with patients, evaporates. (Source)
One of the main problems we see with healthcare organizations is that storing legacy data in multiple places causes more problems than it solves. As many healthcare organizations strive for one common go-forward EHR or ERP system, they should also strive for one common archive. Preserving medical or employee records in a single location makes for simplified eDiscovery, access, request for information fulfillment and reporting. It is not uncommon for healthcare organizations to have upwards of 30 disparate legacy systems up and running at one time. It’s a good idea to consult with trusted industry experts to help you properly and safely prioritize and project-manage the decommissioning of legacy systems. Minimizing the number of locations where data exists can also potentially help minimize the risk of security breaches.
Don’t do it alone. Time and resources are both limited. With the strict and ever-evolving HIPAA compliance regulations and the massive volume of EHRs on your watch, contact a trusted record retention expert to help outline and implement a solid plan for data storage and retrieval.
Bottom line: Keep the chain of custody secure.