The organization contracts with an after hours cleaning service.   The organization's medical records are stored in an unlocked area or on open shelves within a secure area. The after hours cleaning crew members sign confidentiality statements. Is this acceptable or should the organization store the records under lock and key?

While The Joint Commission does not survey to specific HIPAA regulations, the standards do require compliance with applicable law and regulation. Standard DSCT.1 requires organizations to maintain the privacy and confidentiality of information. When an organization's staff is not present to monitor medical records storage areas, alternative approaches may be employed to protect privacy and confidentiality. Examples of such approaches may include ensuring that any individuals who are authorized to perform their duties in areas where medical records are stored, including contracted staff, understand their role in maintaining security and confidentiality, having such individuals sign a confidentiality statement, and ensuring that all medical records are closed and stored appropriately so that patient information would not be visible to unauthorized individuals. The organization needs to ensure that the medical records area is secured once the cleaning crew members have completed their duties.