Destroying and disposing of records
When destroying patient information in electronic form after the required retention period has expired, ensure the eRecord is permanently deleted or irreversibly erased.
Some privacy commissioners recommend that the electronic storage device (e.g. hard drive) be physically destroyed to ensure the permanent deletion of patient information. Permanent deletion may involve physically destroying the electronic storage device, or it may be sufficient to use wiping software to delete the information on the hard drive. However, depending on the sophistication of the software, wiping may not irreversibly erase every bit of data on a drive. Physicians should avoid selling or giving away electronic storage devices that contain or once contained patient information.
As technological expertise is required to effectively destroy electronically stored information, it is preferable that physicians hire an accredited service provider to destroy patient information maintained in EMRs. Some privacy commissioners have stated that when engaging a commercial service provider to dispose of patient information, physicians must enter into a written contractual agreement with that service provider. The agreement should clearly spell out the responsibilities of the service provider to securely destroy the health information records, and how the destruction will be accomplished, under what conditions, and by whom.
Procedures are required to ensure eRecords are adequately destroyed. In fact, some Colleges and privacy legislation require that written policies be established for the retention and destruction of records containing personal health information.
Physicians should also be familiar with all applicable rules or obligations for destroying medical records. Some privacy legislation requires physicians to keep a record of:
- the individual whose personal health information is destroyed and the time period to which the information relates, and
- the method of destruction and the person responsible for supervising the destruction.
Information retention periods
The CMPA recommends that medical records be retained for at least 10 years from the date of the last entry or, in the case of minors, 10 years from the date on which the minor reaches the age of majority. For obstetrical care, the CMPA recommends that maternal records (e.g. prenatal and labour and delivery records) be maintained for at least 10 years from the time the infant reaches or would have reached the age of majority.
Colleges in some jurisdictions have adopted lengthier retention periods to reflect changes in the limitation periods for the commencement of medical malpractice actions. In those jurisdictions physicians are encouraged to retain records for a longer period to reflect those limitation periods.
For more information, see the CMPA article “How to manage your medical records: Retention, access, security, storage, disposal, and transfer.”