Imaging Informatics: Should Patient Records Stay or Go?
By Kayla Matthews
Radiology Today
Vol. 19 No. 8 P. 6

Health care organizations lacking in strong retention policies run the risk of storage issues and compliance concerns.

By its very nature, health care is a data-dense industry.

Every time a patient visits a doctor, hospital, or outpatient facility, data are created. Complicating matters, those data have to be maintained for a certain amount of time before they can be destroyed.

Creating an effective and efficient data retention policy is important, not only to ensure the protection of patient data but also to prevent old and irrelevant information from cluttering hospital operational systems, such as PACS.

What can be done to help hospitals and radiology departments create and maintain effective data retention policies? Let's take a look.

Creating an Effective Data System
Most patient information follows a four-step cycle.

Data are created when a patient makes an appointment and subsequently visits a provider. That information is then utilized during treatment. These data will continue to be utilized as long as the patient is being treated.

Once treatment has concluded, the data enter a period of maintenance. The length of this period varies depending on state law. Some states require that medical and hospital records be retained for five to 10 years while others, such as Massachusetts, require that they be maintained a full 30 years after discharge or final treatment.

At the end of their life cycle, health data are destroyed according to HIPAA regulations. There are currently no federal standards for retention, leaving it up to each individual state to regulate how long medical information needs to be retained before it can be destroyed.

As a result, creating an effective data system is essential to maintaining a fluid hospital environment. A data retention policy based on state regulations or statutes allows old and unused data to be cleared out after a certain period of time, freeing up space for their more recent and accurate brethren.

Data Retention Challenges
"Health care organizations are required by various state and federal laws to retain records and make them available to patients and other requesting parties," says Keith Olenik of The Olenik Consulting Group. "These requirements also include varying timeframes for how long the information must be retained."

The lack of a consistent standard complicates matters, Olenik says. "Creation of a retention schedule that outlines the retention time period for each different type of information and the corresponding regulation is critical to ensure compliance," he says.

"Access to all of the information that would [compose] a medical record can also be very difficult," Olenik continues. "The medical record, for example, is often [composed] of information created in different electronic systems. An order to fulfill a request to release the medical record can require health care staff to search all of these systems just to produce the requested information."

In some cases, there may be a reason to keep hospital data long beyond the traditional destruction date. "Not only does data change with time but [also] the context in which it was captured can often tell a significant story to the outside examiner," says Dennis Campbell, vice president of DataSync Technologies.

Data Stewards vs Data Custodians
An effective data retention policy requires both data stewards and data custodians. Data stewards are responsible for the data themselves, including the content, the context in which they were collected, and the associated business rules.

In a hospital environment, physicians and nurses are considered to be data stewards.

Data custodians, on the other hand, are responsible for the structure of the database and the technical environment in which the data are stored. In the age of EHRs and networked databases, this includes but is not limited to the following:
• internal data security to ensure private patient data are accessed only by authorized individuals;
• maintaining backups of stored data;
• third-party cybersecurity; and
• interaction with data stewards to resolve data quality issues.
Data custodians and data stewards must work hand in hand to ensure data integrity. Both parties are essential parts of data retention policies.

Retention and Destruction Policies
"Destruction of clinical data can occur after all retention requirements have been met or the information no longer has relevance," Olenik says.

What constitutes a compliant data destruction policy?

"First, hospitals, health care provider offices, and clinics should perform a thorough review of state and federal rules and guidelines for specific retention requirements for each type of record," says Loretta Wingard, health information systems director and privacy official at Munson Healthcare Grayling Hospital in Michigan.

Wingard says providers should consider space limitations both in terms of physical document storage and electronic document storage. "Both methods will present certain limitations and future retrieval processes to consider," she says.

In terms of destruction policies, physical data such as paperwork and film-based medical imaging studies must be disposed of in a secure location that is inaccessible to the public or other unauthorized persons. If a secure location is not possible to maintain, the data must be destroyed by shredding, pulping, or other means that make reassembly impossible.

For electronic data, the information must be destroyed either by overwriting the hardware on which the data are stored with nonsensitive data or by destroying the hardware itself through shredding or incineration. If the data are overwritten, the hardware can be reused, but it is not advisable to donate or otherwise allow the hardware to be used beyond the facility.

"Retention and destruction policies should also provide guidance for what not to destroy and when not to destroy," Wingard says. "Documents and records involved in current litigation, or if the facility has been notified for a pending litigation, should be maintained intact [for] the duration of the action."

Facilities are required to keep a record of destroyed data, including the date and method of destruction, a description of the data destroyed (without exposing any protected health information), inclusive dates, and a statement that the records were destroyed as part of the normal business course, with the signature of the individual or individuals supervising and witnessing the data destruction.

"A compliant destruction policy will provide direction for appropriate destruction timeframe, method of destruction for each media type, and a recordkeeping of the destruction," Wingard says. "The goal is to render the material unreadable—anything less could result in a noncompliant privacy and security policy."

Destruction policies must designate a supervisor or "gatekeeper." Wingard says, "Who in the facility owns the process? Is this one person, a committee, a specific department, or a combination thereof? Someone needs to review, monitor, and direct the work [of data destruction] to ensure the policy is followed."

Data Destruction Timeframes
The health records of active patients present a conundrum of sorts. Are health care organizations required to destroy all information related to a patient when the required retention time ends or can older data be purged and current information retained if the individual is still a patient at that facility?

"In the ideal world [for medical records], it would be in the best interest of the patient and/or the patient's family to maintain the medical records forever," Wingard says. "The wealth of health knowledge for the patient, family, and future caregivers is immeasurable whether for understanding a recurrent condition, family health history, or supporting a disability claim."

However, the logistics and costs required to maintain medical records forever are too limiting for facilities to realistically implement, Wingard says.

The exact purge timeline depends on state statutes. Some providers purge every one or two years based on patient discharge dates. Whether data are being destroyed in full or partially, each purge must be chronicled. "Facilities must maintain a destruction log and maintain that log permanently," Wingard says.

At a minimum, she says the log must include the following:
• a description of the records to be destroyed;
• the dates and/or date ranges of the records;
• the date(s) of destruction;
• a description of how the records were destroyed;
• a declaration that the records were destroyed in accordance with facility policy and in the normal course of business;
• the signatures of the authorizing party and the person either witnessing or performing the destruction; and
• the date of destruction.
Wingard says the log should be maintained by the data retention supervisor or a supervising committee.

Eye on the Future
The avalanche of data pouring into health care organizations is not letting up anytime soon. In addition, the form and content of databases continue to be reshaped. As a result, having an effective and efficient data retention and destruction policy in place has become essential. Doing so helps radiologists maintain the integrity of data storage systems without jeopardizing protected health information or compromising patient care.

— Kayla Matthews is a writer contributing to conversations about health, technology, and new developments in science. You can follow her on Twitter @KaylaEMatthews.