Standards FAQ Details | Joint Commission
Sunday 11:47 CST, March 18, 2018

Standards FAQ Details


Medical Record - Security
Modify | April 11, 2016
We contract with an after-hours cleaning service. Our medical records are stored in an unlocked area or on open shelves within a secure area. The after-hours cleaning crew members sign confidentiality statements. Is this acceptable or should we store the records under lock and key?

The Joint Commission standards require organizations to comply with applicable law and regulation to ensure that the privacy and integrity of protected health information (PHI) are maintained. When an organization's staff is not present to monitor medical records storage areas, alternative approaches must be employed to protect the privacy and confidentiality of this information. Keeping such information secure when staff is not present generally requires a process that includes a locking mechanism. Use of alternative approaches, such as a signed confidentiality statement in lieu of a locking mechanism, should be thoroughly evaluated by the organization’s legal and risk management leadership to determine if such approaches comply with regulatory requirements (CMS, state law/regulation, etc.).

The requirements found in the Information Management (IM) chapter of the Accreditation Manual apply to both paper and electronic medical records. Organizations should work with their Information Technology (IT) leadership to determine strategies for ensuring the security of electronic medical records. At the time of the survey, compliance with the requirements found at IM.02.01.01, which require organizations to maintain the privacy and confidentiality of information, will be evaluated.

Conducting a risk assessment is a helpful way of identifying risks associated with the various options being considered by the organization. A proactive risk assessment examines a process in detail, including sequencing of events, actual and potential risks, and failure or points of vulnerability, and prioritizes, through a logical process, areas for improvement based on the actual or potential impact (that is, criticality) of care, treatment, or services provided.

The introductory section of the Leadership (LD) chapter provides an example of a proactive risk assessment model that an organization may use. However, this specific approach is not mandated, as there are other risk assessment tools available that may better meet the needs of the organization. Other examples may include a root cause analysis, failure mode and effect analysis, plan/do/check/act process, etc., or combinations and variations.
