The question is not clear if the concern is for medical records retention or for other electronic media like email that might also have PHI. There has been plenty of discussion of email retention due to some of the high-profile cases. One point that has been made in regard to email, but which really applies to any medium, is that the information should be kept in a manner that is easily retrievable and searchable. If you spin medical records off in different formats over the years and then have to find an audit trail, it can get expensive to put together all the pieces. Remember that almost all technology vendors have upgrades, and compatibility is seldom downwards.
Regards,
David Frenkel
Business Development
GEFEG USA
Global Leader in Ecommerce Tools
www.gefeg.com
425-260-5030
-----Original Message-----
From: Kathleen Connor [mailto:kathleenconnor@attbi.com]
Sent: Tuesday, October 15, 2002 3:16 PM
To: [EMAIL PROTECTED]
Subject: Business Issues Proposed Response to Issue # 160
The following issue was submitted to the WEDI SNIP Issues Database and assigned to the Business Issues sub-Work Group for resolution. Please review the proposed response and submit comments to the Business Issues Listserv. If there are outstanding questions about the proposed response, we will discuss them during the 10/29 Business Issues Conference Call. Otherwise, we will forward this to the Transaction Workgroup to be approved for posting.
#160: Tracking utilization
<http://snip.wedi.org/tracking/displaydata.cfm?ReferenceTrackingNumber=160>
ISSUE:
Two questions about tracking utilization / viewing of patient information:
1. Data must be stored for up to 6 years, but do the requirements state that it has to be easily retrievable during the same 6-year period? Can the information be stored on disk . . . some place other than the customer's server? The amount of information saved - transaction and tracking info - over a 6-year period will be difficult for many of our customers to store if it must be available at their fingertips.
2. Some of our patient information summaries are provided in a list (e.g., SSN + name only). If you pull up the name "Jones", all of the Joneses and their SSNs will appear. It is clear to us that we need to provide capabilities to our customers that track and record who accessed the detail and when, but do we also need to track the access to the summary list because it contains PHI too? Thanks for your comments.
RESPONSE: From Leah Hole-Curry, JD FOX Systems, Inc.
1. Privacy does not require that PHI be stored for six years. Privacy requires under 164.530(j) that evidence of compliance with the rule (such as policies and procedures, written communications, or actions required to be documented in writing) be retained for six years. Thus, a privacy policy, the written disposition of a complaint, and an accounting of disclosures provided to an individual are all examples of documentation that must be retained for six years.
This requirement exists so that HHS can conduct a compliance review, so this documentation must be retrievable, but it does not necessarily have to be "at the fingertips" of an entity.
Disclosures subject to accounting under 164.528 must be tracked, and the information necessary to respond to an accounting request must be retained for six years. Note that this accounting relates only to disclosures, not (internal) uses, and that disclosures related to treatment, payment, and health care operations, as well as a few others, are not subject to tracking. Thus the amount of information needed to be stored for accounting for disclosures should be relatively small. When an individual requests an accounting, the covered entity has a maximum of 60 days to respond.
For PHI generally, state law and/or federal law determines the retention period of health information maintained by health plans and providers. Many entities retain records for at least the statute of limitations period applicable to their activity, which ranges from one to ten years. A common retention period would be six to ten years. Where and how much is stored would be a matter of state/other federal law or the company's business practices.
2. If the name and SS# (PHI) are disclosed for purposes other than the exceptions listed in 164.528, then the disclosure must be recorded along with the other requirements for the accounting. Again, though, this appears to be either a use, or a disclosure for routine treatment, payment, or operations reasons, and thus would not need to be accounted for.
Finally, the proposed security regulations do require audit mechanisms (mechanisms to record and examine system activity) and internal audits or reviews of the records of system activity (such as logins, file accesses, and security incidents). However, there is no specific guidance on whether a sampling or every login or access, etc., is required to be recorded and examined. Further, there are no current requirements for how long the audit log or the audit review need to be kept, or what needs to be kept from either the log or review (e.g., only sensitive data, all data, suspected or known violations, or all activity, etc.).
Thus company risk attitudes and security best practices would need to be consulted to determine what, how much, and for how long the audit logs and audit reviews should be held.
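The distinctions the response draws (internal use vs. disclosure, the treatment/payment/operations exemption, the six-year retention of accounting information, and the 60-day response deadline) can be encoded in a small disclosure-accounting log. This is an added illustration, not code from the thread or from any WEDI participant; the event fields, the simplified purpose labels and the sample records are constructed assumptions, not the rule text.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Simplified purpose labels standing in for the accounting-exempt categories
# named in the response (treatment, payment, health care operations).
EXEMPT_PURPOSES = {"treatment", "payment", "operations"}
RETENTION_YEARS = 6          # accounting information must be kept six years
RESPONSE_DEADLINE_DAYS = 60  # covered entity has at most 60 days to respond

@dataclass(frozen=True)
class AccessEvent:
    patient_id: str
    actor: str
    recipient_org: Optional[str]  # None = internal use, not a disclosure
    purpose: str
    when: date
    description: str              # what PHI was released

def years_before(d: date, n: int) -> date:
    """Same calendar day n years earlier (Feb 29 falls back to Feb 28)."""
    try:
        return d.replace(year=d.year - n)
    except ValueError:
        return d.replace(year=d.year - n, day=28)

def is_accountable_disclosure(ev: AccessEvent) -> bool:
    """Only disclosures to an outside recipient for a non-exempt purpose count.
    Pulling up the name+SSN summary list internally is a use, not a disclosure."""
    return ev.recipient_org is not None and ev.purpose not in EXEMPT_PURPOSES

def accounting_for(events: List[AccessEvent], patient_id: str,
                   request_date: date) -> Tuple[List[AccessEvent], date]:
    """Accountable disclosures in the six-year window ending at the request,
    plus the date by which the entity must respond."""
    window_start = years_before(request_date, RETENTION_YEARS)
    entries = sorted((ev for ev in events
                      if ev.patient_id == patient_id
                      and is_accountable_disclosure(ev)
                      and window_start <= ev.when <= request_date),
                     key=lambda ev: ev.when)
    return entries, request_date + timedelta(days=RESPONSE_DEADLINE_DAYS)

def purge_expired(events: List[AccessEvent], today: date) -> List[AccessEvent]:
    """Drop only records older than the retention window; never purge inside it."""
    cutoff = years_before(today, RETENTION_YEARS)
    return [ev for ev in events if ev.when >= cutoff]

SAMPLE_EVENTS = [  # constructed sample data
    AccessEvent("p1", "nurse01", None, "treatment", date(2002, 10, 1), "summary list (name+SSN)"),
    AccessEvent("p1", "billing02", "Example Health Plan", "payment", date(2002, 9, 3), "claim detail"),
    AccessEvent("p1", "records03", "County Public Health", "public health", date(2001, 5, 20), "immunization record"),
    AccessEvent("p1", "records03", "Example Law Office", "legal", date(1996, 1, 10), "full chart"),
]
```

Running `accounting_for(SAMPLE_EVENTS, "p1", date(2002, 10, 15))` returns only the 2001 public-health disclosure: the summary-list lookup is a use, the claim disclosure is exempt as payment, and the 1996 disclosure is outside the six-year window.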