New laws govern storing, destroying patient medical records

Indiana recently passed two laws that require you to take extra precautions, even though state law has always required you to carefully safeguard the privacy of your patients' medical records.
The first new law imposes requirements on individuals, companies and other legal entities discarding personal information. The second one requires disclosure of any security breach of computerized personal information. The new laws have broad applicability and include health care providers storing patient information on paper and electronically.

Both laws define personal information as:
- A social security number that is not encrypted or redacted, or
- An individual's first and last names, or first initial and last name, combined with one or more of the following:
  - Driver's license number
  - State identification card number
  - Credit card number, or
  - Financial account number or debit card number in combination with a security code, password or access code

The definition excludes information lawfully obtained and publicly available from the government or other sources.
The first law:
Under the first law, unencrypted, unredacted personal information must be disposed of by shredding, incinerating, mutilating, erasing or otherwise rendering the information illegible or unusable.
Remember Indiana law requires you to maintain patients’ medical records for a minimum of seven years from the last time you treated the patient, although the ISMA recommends retaining them indefinitely. Contact your medical malpractice insurance company for its recommendations on retention.
If you do decide to destroy patient records after the retention period expires, make sure you destroy them as described above. Or hire a reputable document destruction company to destroy them and provide you a detailed certificate of destruction.
The second law:
The second law requires an entity owning or licensing computerized data that includes personal information to disclose any breach of security of such a system as soon as possible and without unreasonable delay.
A breach is defined as the unauthorized acquisition of computerized data that compromises the security, confidentiality or integrity of any maintained personal information. It includes computerized data transferred to another medium – including paper, microfilm or a similar medium – even if the transferred data are no longer in a computerized format.
Notice must be given to any Indiana resident whose personal information was or may have been acquired by an unauthorized person. Disclosure must be by U.S. Postal mail, telephone, facsimile or electronic mail.
Violation of either of these laws can result in serious penalties. If you have questions about these new laws or wish to obtain a copy, please contact the ISMA Legal Department.