Medical Record - Security
Our patient medical records are stored in an unlocked area on open shelves within a secure area. We contract with an after-hours cleaning service in which the crew members have signed confidentiality statements. Is this acceptable or should we store the records under lock and key?
Any examples are for illustrative purposes only
The Joint Commission standards require organizations to comply with applicable law and regulation to ensure the privacy and integrity of protected health information (PHI) are maintained. When an organization's staff is not present to monitor medical records storage areas, alternative approaches must be employed to protect privacy and confidentiality of this information. Keeping such information secure when staff is not present generally requires a process that includes a locking mechanism. The use of alternative approaches, such as a signed confidentiality statement in lieu of a locking mechanism, should be thoroughly evaluated by the organization's legal and risk management leadership to determine if such approaches comply with regulatory requirements (CMS, state law/regulation, etc.).
In conclusion, all areas should have a process in place for maintaining the security and integrity of PHI. The adopted processes should be subject to security audits that can identify system vulnerabilities and policy violations. Signed, confidentiality statements alone may not necessarily result in the proper security and integrity of PHI. Additionally, per IM.02.01.03, the hospital must follow their policy regarding security of health information. Such a policy may include who has access to medical records when staff is not present to monitor the records. The policy should also address all areas where medical records are stored.
The Joint Commission standards require organizations to comply with applicable law and regulation to ensure the privacy and integrity of protected health information (PHI) are maintained. When an organization's staff is not present to monitor medical records storage areas, alternative approaches must be employed to protect privacy and confidentiality of this information. Keeping such information secure when staff is not present generally requires a process that includes a locking mechanism. The use of alternative approaches, such as a signed confidentiality statement in lieu of a locking mechanism, should be thoroughly evaluated by the organization's legal and risk management leadership to determine if such approaches comply with regulatory requirements (CMS, state law/regulation, etc.).
In conclusion, all areas should have a process in place for maintaining the security and integrity of PHI. The adopted processes should be subject to security audits that can identify system vulnerabilities and policy violations. Signed, confidentiality statements alone may not necessarily result in the proper security and integrity of PHI. Additionally, per IM.02.01.03, the hospital must follow their policy regarding security of health information. Such a policy may include who has access to medical records when staff is not present to monitor the records. The policy should also address all areas where medical records are stored.
Manual:
Ambulatory
Chapter:
Information Management IM
Last reviewed by Standards Interpretation: February 08, 2022
Represents the most recent date that the FAQ was reviewed (e.g. annual review).
First published date: April 11, 2016
This Standards FAQ was first published on this date.
This page was last updated on February 08, 2022
with update notes of: Review only, FAQ is current
Types of changes and an explanation of change type:
Editorial changes only: Format changes only. No changes to content. |
Review only, FAQ is current: Periodic review completed, no changes to content. |
Reflects new or updated requirements: Changes represent new or revised requirements.