Our patient medical records are stored in an unlocked area on open shelves within a secure area. We contract with an after-hours cleaning service in which the crew members have signed confidentiality statements. Is this acceptable or should we store the records under lock and key?

The Joint Commission standards require organizations to comply with applicable law and regulation to ensure the privacy and integrity of protected health information (PHI) are maintained. When an organization's staff is not present to monitor medical records storage areas, alternative approaches must be employed to protect privacy and confidentiality of this information. Keeping such information secure when staff is not present generally requires a process that includes a locking mechanism. The use of alternative approaches, such as a signed confidentiality statement in lieu of a locking mechanism, should be thoroughly evaluated by the organization's legal and risk management leadership to determine if such approaches comply with regulatory requirements (CMS, state law/regulation, etc.).  

In conclusion, all areas should have a process in place for maintaining the security and integrity of PHI. The adopted processes should be subject to security audits that can identify system vulnerabilities and policy violations. Signed, confidentiality statements alone may not necessarily result in the proper security and integrity of PHI.  Additionally, per IM.02.01.03, the hospital must follow their policy regarding security of health information.  Such a policy may include who has access to medical records when staff is not present to monitor the records.  The policy should also address all areas where medical records are stored.