Published Jul 29, 2013
beccaleelee
1 Post
I'm trying to find out how far back a hospital would have to be able to produce audits of activity in patient records, per HIPAA (ie, the number of years). This isn't the same thing as producing an accounting of disclosures, which is what I originially thought.
Does anybody know where this is referenced in HIPAA?
Esme12, ASN, BSN, RN
20,908 Posts
I do not know what you mean? what do you need this information for that would help me know what you are talking about? Activity of the patient records is accounting of disclosures....do you mean patient admissions, labs, tests????
mlbluvr
171 Posts
Indefinitely and forever. More seemingly osbcure digitized information is being kept in ever larger memory banks. Safe to assume your every keystroke, anywhere, ever, will be permanently affixed somewhere. Why- did you take a peek at something that has you sleepless at night... ?
nurseprnRN, BSN, RN
1 Article; 5,116 Posts
Have you gone to the OCR website and searched for that information yourself? What did you find? (I am not about to go and do your "homework" for you :) but I'm sure it's there if you look. )
Anonymous865
483 Posts
It's been a few months, since my last HIPAA training, but at that time the government hadn't decided how long you had to keep the audit logs which track when a patient record is accessed. The discussion has been everything from 3 months to several years. To make things more challenging no one is sure what level of information you have to track. Do you have to track every single time a person accesses a patient record and what information they looked at? Do you have to just track who has looked at a patient record, but not each time they looked at it? Do you have to track what information they looked at in the record or just that they accessed the record.
Still why do you need to know this? Are you in medical records? Private practice?.......regulations vary according to type of facility.
the HIPAA Privacy Rule does not include medical record retention requirements. Rather, State laws generally govern how long medical records are to be retained. However, the HIPAA Privacy Rule does require that covered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy of medical records and other protected health information (PHI) for whatever period such information is maintained by a covered entity, including through disposal. See 45 CFR 164.530(c
The HIPAA simplification of the rules is 115 pages long......http://www.hhs.gov/ocr/privacy/hipaa/administrative/combined/hipaa-simplification-201303.pdf
BloomNurseRN, ASN, BSN, RN
1 Article; 722 Posts
I would imagine indefinitely would be necessary, possibly up to the point they started being able to audit that information. That's an extremely sensitive topic and something facilities have to be very careful of, especially given how easy it is for people in a healthcare system to access records. A few years ago I knew a handful of people who lost their jobs because they worked in billing for a hospital and when the department did an audit it was found they had accessed family members records without a legitimate reason to do so. These are serious matters and while I don't think there is a hard and fast rule/date, as long as possible is what I picture.