Record Storage, Security, & Retrieval

Standard 5.6: Record Storage, Security, & Retrieval

The Professional Practice Standards regarding record storage, security, and retrieval. This page includes the standard itself, examples demonstrating the standard, and related resources.

The Standard

5.6.1 Registrants take steps that are reasonable in the circumstances to ensure that personal health information is protected against theft, loss and unauthorized use, disclosure, modification, or disposal.

Demonstrating the Standard

  • Developing record-keeping policies when the registrant is a health information custodian, or following the policies of the registrant’s group practice or employer when they work for a health information custodian.
  • Organizing records in a logical and systematic fashion to facilitate retrieval and use of the information.
  • Maintaining records in such a way as to support an audit trail.

Commentary

Background

Whether records are on paper or electronic, there are various safeguards and measures to maintain the security and integrity of personal health information, including:

Physical safeguards

  • Securing paper records and electronic devices in locked spaces
  • Ensuring screens displaying personal health information are not viewable by individuals without authorization
  • Securely disposing of paper files, e.g., by micro-cut shredding

Electronic safeguards

  • Firewalls, encryption, virus protection, system security updates
  • User ID and password protection
  • Automated backups at reasonable intervals, recovery tests
  • Record integrity and audit capability to capture:
    • Date, time, and author of each entry, including changes that preserve the original entry
    • Who has viewed the record, and when
    • Log of data exports and exchanges with other systems
  • Alternate record-keeping method in case of system failure
  • Secure deletion of client records once retention period has ended
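The record-integrity and audit capabilities in this list can be made concrete with an added example (it is not part of the standard and describes no particular product): an append-only store in which an amendment adds a new version rather than overwriting the original entry, and every view and export is logged with who did it and when. The class name ClientRecordStore, the tuple layout of the logs, and the sample identifiers are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Entry:
    """One immutable version of an entry; amendments append, never overwrite."""
    record_id: str
    version: int
    author: str
    written_at: str
    text: str


class ClientRecordStore:
    """Append-only store recording who wrote, changed, viewed or exported what, and when."""

    def __init__(self):
        self._entries = []     # every version ever written, in write order
        self.access_log = []   # (record_id, viewer, timestamp): who viewed, and when
        self.export_log = []   # (record_id, destination, exporter, timestamp)

    @staticmethod
    def _now():
        return datetime.now(timezone.utc).isoformat()

    def add_entry(self, record_id, author, text):
        """Write a new entry or a new version of one; earlier versions are kept."""
        version = len(self.history(record_id)) + 1
        entry = Entry(record_id, version, author, self._now(), text)
        self._entries.append(entry)
        return entry

    def history(self, record_id):
        """All versions of an entry, oldest first: the audit trail of changes."""
        return [e for e in self._entries if e.record_id == record_id]

    def view(self, record_id, viewer):
        """Return the current version and log who viewed it and when."""
        self.access_log.append((record_id, viewer, self._now()))
        versions = self.history(record_id)
        return versions[-1] if versions else None

    def export(self, record_id, destination, exporter):
        """Log a disclosure to another system and return the data to be sent."""
        self.export_log.append((record_id, destination, exporter, self._now()))
        return self.history(record_id)
```

Because the store only ever appends, the original wording of an entry survives every later correction, and the access and export logs give the "who viewed the record, and when" and export records the list above asks for.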

Administrative safeguards

  • Need-to-know access
  • Confidentiality agreements with anyone who can view personal health information
  • Privacy training
  • Log to track when files are due to be disposed of

Registrants also make reasonable efforts to maintain the security of client records during transmission or disclosure (for example, by using mail or courier with tracking or encrypted electronic transmission).

Registrants need to ensure that any electronic record-keeping system they use allows them to meet their record-keeping obligations. These obligations include, but are not limited to, the ability to retrieve, transfer, amend,[1] and securely destroy records.

[1] The system must also maintain the original entry.