1.110 Retention and Protection of PHI

Op10.04-16 Retention and Protection


To ensure the availability of relevant data and information, it is the policy of Missouri State to maintain specific retention schedules for the various types of individually identifiable health information, in compliance with federal and state laws and professional practice standards. Missouri State has a records disposition schedule approved by the State Records Commission (RSMo 109.250). Microfilm/microfiche and electronic imaging are accepted forms of records maintenance. This policy shall be applied consistently: where federal and state requirements differ, the more stringent law is followed, and records are destroyed once their retention period has expired.


The University’s HCC

  1. Definitions.
    1. Protected Health Information (PHI): See HIPAA Procedure 1.005, 1.b. and c.


  1. Storage. All storage systems used by facilities within the Missouri State HCC shall be designed and implemented to ensure the safety, security, and integrity of Protected Health Information. The storage method selected shall be dependent on the security of the area and the volume of the information stored.
    1. Paper PHI records storage must be adequate to protect the physical integrity of the record and prevent loss, destruction, and unauthorized use.
      1. If the records office is shared with other departments not responsible for maintaining the records, the shelves or file cabinets must be lockable and kept locked whenever records staff are not in attendance.
      2. If PHI records are retained in a lockable office that is not shared with other staff, or in a separate locked file room, open-shelf filing without lockable doors is acceptable. The office or file room must always be locked when records staff are not in attendance.
      3. The storage area environment must not damage the records and documents and must meet accreditation and safety standards.
      4. Off-site storage must meet the above standards, be approved by the Unit or University Privacy Officer, as applicable, and be covered by a signed business associate agreement.
      5. A record tracking system must be in place to identify when a record has been removed, who took the record, and where it is located.
      6. When a microfilm/microfiche imaging copy of the original paper record has been produced, it may be used as a permanent record of the original.
    2. Electronic: where PHI records are stored electronically, they must remain permanently retrievable, including across technology changes (system upgrades, media replacement, and format migrations must preserve the ability to read the records).
  2. Retention. Retention of PHI records and databases shall comply with federal and state regulations, accreditation and licensure requirements, and accepted standards of practice. Where federal and state law differ, the more stringent must be followed. This policy shall be applied consistently, and records destroyed after the retention period has expired.
    1. Medical Record: permanent retention, or as advised in the current Missouri State departmental Records Disposition Schedule. Medical Record documents not scheduled for permanent retention shall be kept six (6) years and, for minors, three (3) years after the patient reaches legal age as defined by Missouri law.
    2. Patient Financial Records: permanent retention or as advised per current Missouri State departmental Records Disposition Schedule. Financial documents not on the schedule for permanent retention shall be kept six (6) years.
    3. Accounting of Disclosures of Information: a minimum of six (6) years, as required by the HIPAA Privacy Rule.
  3. Destruction. Destruction of PHI in paper or electronic format shall be carried out in accordance with federal and state law and pursuant to the Missouri State Records Disposition Schedule. Records approved for destruction must be destroyed so that there is no possibility of reconstruction of information.
    1. Paper. Microfilm/microfiche is an accepted form of records maintenance. When paper records have been microfilmed, the original paper may be destroyed. If the originals are not destroyed, they must be retained in accordance with the procedures outlined in this policy.
      1. Because all media and reproductions typically have the same legal effect as originals, when a record meets the guideline for destruction, all copies in any media should be destroyed.
      2. Appropriate methods for destroying paper records include burning, shredding, pulping, and pulverizing.
      3. Documentation of the destruction of records must include: the date of destruction; the method of destruction; a description of the records; the inclusive dates of the records; a statement that the records were destroyed in the normal course of business; and the signatures of the individuals supervising and witnessing the destruction. Destruction documents must be permanently retained and maintained by the Unit Privacy Officer or the University Privacy Officer, as applicable.
      4. If destruction services are contracted, the contract must be a business associate agreement that specifies the method of destruction and the time that will elapse between the contractor acquiring the records and destroying them; identifies safeguards against breaches of confidentiality; indemnifies the facility against loss due to unauthorized disclosure; and requires proof of destruction to be provided to the Unit Privacy Officer or University Privacy Officer.
    2. Electronic. When electronic records or computerized data are destroyed, they must be rendered permanently and irreversibly unrecoverable.
      1. Computer Disks: acceptable methods are overwriting every sector of the media with a series of characters, or physical destruction. Deleting a file does not destroy the data; it merely removes the filename from the directory, so the contents remain on the disk and can be recovered until the space is overwritten. Reformatting a disk ("quick" format) likewise rewrites only the file-system metadata and leaves the data sectors intact, so it is not by itself an acceptable destruction method. Note that on solid-state and other flash media, software overwriting does not reliably reach every storage cell because the device remaps sectors internally; for such media, use the device's manufacturer-supported secure-erase function or physical destruction. After an overwrite, the media should be read back and checked to confirm that no readable data remains.
      2. For optical (laser) discs, back-up tapes, hard drives, and servers, the method of destruction shall be a format or process approved or prescribed by the Missouri State Information Services Division. The data must be irreversibly unrecoverable, either through electronic overwriting or physical destruction.
  4. Any questions as to whether information retention or destruction is permitted or required by law should be directed to the Unit Privacy Officer or his/her designee.
  5. Sanctions. Failure to comply or assure compliance with the policy may result in disciplinary action, up to and including dismissal.
  6. Review Process. The University Privacy Officer will collect information from the Unit Privacy Officers during the month of April each year beginning in 2004 for the purpose of providing feedback to the HIPAA Management Team as to compliance with the procedure and any proposed modification or recommendation that additional training be implemented.
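The electronic destruction section above rests on one distinction: removing a directory entry (delete, quick reformat) is not the same as overwriting the data sectors. The following added example (not part of the policy, not Missouri State code) models a tiny FAT-like disk in Python to make that distinction concrete and to show the two checks a Privacy Officer would want before signing a destruction record: a raw-media scan for a known PHI marker after each method, and a whole-media verification that every byte equals the wipe pattern. The sector size, the sample PHI string, and the three-pass pattern are assumptions chosen for the model; they are not prescribed by the policy.

```python
# Added example (not from the policy): a toy block-device model showing why
# "delete" and "quick reformat" leave PHI recoverable, while overwriting does not.
SECTOR_SIZE = 16  # bytes per sector (assumption for the toy model only)


class ToyDisk:
    """Minimal FAT-like disk: a directory (name -> sector list) plus raw media bytes."""

    def __init__(self, sectors=64):
        self.media = bytearray(sectors * SECTOR_SIZE)  # the raw platter/flash contents
        self.directory = {}                            # filename -> list of sector numbers
        self.free = list(range(sectors))               # unallocated sectors

    def write(self, name, data):
        """Allocate sectors for `data` and copy it onto the media."""
        needed = -(-len(data) // SECTOR_SIZE)          # ceiling division
        if needed > len(self.free):
            raise OSError("disk full")
        sectors = [self.free.pop(0) for _ in range(needed)]
        for i, s in enumerate(sectors):
            chunk = data[i * SECTOR_SIZE:(i + 1) * SECTOR_SIZE]
            self.media[s * SECTOR_SIZE:s * SECTOR_SIZE + len(chunk)] = chunk
        self.directory[name] = sectors

    def delete(self, name):
        """Ordinary delete: drop the directory entry and mark sectors free.
        The bytes on the media are untouched, exactly as the policy warns."""
        self.free.extend(self.directory.pop(name))

    def quick_format(self):
        """Quick reformat: rewrites only the metadata; data sectors survive."""
        self.directory.clear()
        self.free = list(range(len(self.media) // SECTOR_SIZE))

    def overwrite_file(self, name, passes=(b"\x00", b"\xff", b"\x00")):
        """Overwrite every sector of the file with fixed single-byte patterns, then delete."""
        for s in self.directory[name]:
            for pattern in passes:
                self.media[s * SECTOR_SIZE:(s + 1) * SECTOR_SIZE] = pattern * SECTOR_SIZE
        self.delete(name)

    def overwrite_all(self, pattern=b"\x00"):
        """Whole-media overwrite: the electronic destruction a disk gets before disposal."""
        self.media[:] = pattern * len(self.media)
        self.quick_format()


def carve(disk, needle):
    """File-carving check: scan the raw media, ignoring the directory,
    for a known PHI marker. Returns the byte offsets at which it was found."""
    hits, start = [], 0
    while (pos := disk.media.find(needle, start)) != -1:
        hits.append(pos)
        start = pos + 1
    return hits


def verify_sanitized(disk, pattern=b"\x00"):
    """Proof-of-destruction check: every byte on the media equals the wipe pattern."""
    return bytes(disk.media) == pattern * len(disk.media)


def demonstrate():
    """Run the three methods against the same constructed PHI and report what survives."""
    phi = b"MRN 0001234 DOB 1970-01-01"        # constructed sample record, not real PHI
    marker = b"MRN 0001234"
    results = {}

    disk = ToyDisk()
    disk.write("patient.txt", phi)
    disk.delete("patient.txt")
    results["after_delete"] = bool(carve(disk, marker))        # True: still recoverable

    disk.quick_format()
    results["after_quick_format"] = bool(carve(disk, marker))  # True: still recoverable

    disk.write("patient.txt", phi)
    disk.overwrite_file("patient.txt")
    results["after_overwrite_file"] = bool(carve(disk, marker))  # False: gone

    disk.write("patient.txt", phi)
    disk.overwrite_all()
    results["after_overwrite_all"] = bool(carve(disk, marker))   # False: gone
    results["media_verified_clean"] = verify_sanitized(disk)     # True
    return results


if __name__ == "__main__":
    for method, recoverable in demonstrate().items():
        print(f"{method:24s} {recoverable}")
```

The carving scan is the same idea a forensic tool applies to a real drive: it reads sectors directly and never consults the file system, which is why a directory-only delete or quick format offers no protection. The verification step is what turns an overwrite into documented destruction; on real hardware it is a full read-back of the device, and for flash media it does not substitute for the device's secure-erase command or physical destruction.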

HISTORY: Effective March 21, 2003.