Section / Risk Management / Policy Number / 2-K
Topic / Records Security / Last Review Date / 06/19/16
CARF Standards / 1.E.1.j; 1.E.3; 1.K.2.a / Last Revision Date / 01/27/14
Purpose / To ensure that client, personnel, and administrative records are efficient, safe, and secure

1.Retention of client paper records

  1. Active client paper records are maintained in locking file cabinets in a locking office in alphabetical order by client last name. Each office location maintains the files for clients in that geographic area.
  2. Records are stored away from exterior windows to protect against damage in the event of a hurricane. A fire extinguisher is maintained near the file room to protect records in the event of a localized fire.
  3. During office hours, office staff are present to ensure that clients or other outside individuals do not have access to client records. After hours, file cabinets and/or file rooms are locked.
  4. Clinicians may keep copies of some client documents to refer to during treatment. These copies are maintained in a secure location while in the clinician’s possession. These copies are shredded when the client is discharged from treatment.
  5. Dischargedclient paper recordsaremaintainedin a locked office, located at each office location or in locked off-site storage. Discharged records are grouped by year of discharge and are organized in alphabetical order by client last name.

2.Release of client records

  1. The Records Clerk in each office is responsible for responding to records requests. The Program Manager or other office staff trained in records management policies may respond to records requests in the absence of the Records Clerk.
  2. Clinicians are not permitted to make copies of client records for delivery to any outside agency or individual.
  3. When a records request is received, the Records Clerk ensures that there is a HIPAA compliant Release of Information signed by the client or legal guardian before sending the records to the requestor.
  4. All records released, including those given to the client/guardian, are recorded on a Records Release Log maintained in the client chart.

3.Retention of personnel records

  1. Personnel records are maintained in a lockingfile cabinet in a locking office at the main office location.
  2. During office hours, the Human Resources Manager is present to ensure that clients, agency staff (except executive staff), or other outside individuals do not have access to personnel records. After hours, the file cabinet and/or file room is locked.
  3. Personnel records will be retained for 7 years after staff termination.

4.Destruction of client records

  1. Client records will be destroyed 7 years after date of discharge.
  2. Electronic records will be kept for 7 years and then moved into the electronic archives.
  3. Records will be shredded by the agency or an outside agency will be contracted to perform this task.

5.Destruction of personnel files

  1. Personnel records will be destroyed 7 years after termination date.
  2. Records will be shredded by the agency or an outside agency will be contracted to perform this task.

6.If any legal action has been initiated against the organization, the client, or personnel, the client or personnel record involved will not be destroyeduntil 7 years after the legal action has been settled.

7.Electronic records

  1. When client records are electronic, they will be maintained on a HIPAA compliant website or secure server. Each staff will have access to electronic records using a unique login account and password.
  2. Client database information and staff database information are maintained on a secure server with daily online backup to prevent loss of data.

1.E.1.j / The organization demonstrates a process to comply with privacy of the persons served obligations / Corporate Compliance, Records Security
1.E.3.a / Policies and written procedures address confidential administrative records / Records Security
1.E.3.b / Policies and written procedures address the records of the persons served / Records Security, Client Record Quality
1.E.3.c / Policies and written procedures address security of all records / Records Security, Technology Plan
1.E.3.d / Policies and written procedures address confidentiality of records / Records Security, Technology Plan
1.E.3.e / Policies and written procedures address compliance with applicable laws concerning records / Records Security, Technology Plan
1.K.2.a / The organization implements policies promoting confidentiality of information for persons served / Client rights, Records Security

Risk Management –Record Security