Essential Standard: Your agency has documented protocols to ensure client records are confidentially maintained and secured
The lists below specify both required and recommended attributes that are evaluated during the accreditation process. Attributes labeled as required must be present for accreditation. Attributes labeled as recommended may be reviewed during the accreditation process but are not required. Each requirement and recommendation is explained further in the sections below.
Required
- Agency has a written and accessible policy for record keeping
- Records are kept in a secure and safe location
- All record keeping practices comply with the HIPAA Privacy Rule, if your agency is a Covered Entity
- Staff are trained on how your agency maintains records and on every employee's responsibilities regarding record keeping
Recommended
- Records should include all medical, counseling, and case management records related to the client
- Agency has a designated staff member who manages records and conducts regular reviews of records
- All record keeping practices comply with the HIPAA Privacy Rule, regardless of whether your agency is a Covered Entity
Why keep records?
Effective record keeping benefits all agencies and practices. Good practices improve the efficient day-to-day operation of your organization, help record and maintain your client information, and enable transparency between the organization and clients.
Effective record keeping also helps keep confidential client files secure, supports staff in doing their work more effectively, improves staff retention, and enhances business continuity.
- Retaining records helps you to remember details of treatment and counseling for the client and can be utilized to assess client progress over time.
- Clients may request records to be sent to new care providers.
- Records may be required in the circumstances of a malpractice lawsuit, ethics complaint, or license board complaint.
Policy for Record Keeping
Your agency’s policy for record keeping should be:
- Written down and accessible to all staff
- Descriptive about responsibilities that all staff have for managing records
- Descriptive of the limits on staff access to records
- Inclusive of email and other electronic records
Administrative record keeping practices
Your agency can practice good administrative record keeping by:
- Informing all staff that record keeping is a priority
- Training staff on their responsibilities regarding record keeping
- Providing a budget for record keeping tools
- Abiding by the laws regarding record keeping and disposal of records
- Ensuring records are secure and accessible only to the appropriate staff
- Ensuring all electronic records are backed up and that the integrity of the back-up data is checked against a trusted reference (for example, a hash manifest kept separately from the backup); a backup that has been silently corrupted or altered is otherwise discovered only when it is needed
- Having at least one staff member who is responsible for managing records, completing regular checks to ensure policies and procedures are followed, and conducting a review process to check all records for accuracy
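One way to carry out the back-up integrity check in the list above, as an added example (it is not part of this standard and not code from any vendor): a manifest of SHA-256 digests is built from the live records, sealed with an HMAC under a key that is assumed to be stored away from the backup media, and later used to verify a restored copy. The client file names and contents are constructed sample data.

```python
"""Hash manifest for checking backup integrity (added example, not from the page).

build_manifest() walks a records directory and records the SHA-256 of every
file; verify_backup() compares a backup copy against that manifest and reports
files that are missing, changed, or unexpected. The manifest itself carries an
HMAC-SHA256 tag so that someone who alters the backup cannot simply ship a
matching altered manifest. Assumption: the HMAC key lives in a secrets store,
not next to the backup.
"""
import hashlib
import hmac
import json
import shutil
import tempfile
from pathlib import Path


def _sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root_path = Path(root)
    return {
        p.relative_to(root_path).as_posix(): _sha256_file(p)
        for p in sorted(root_path.rglob("*"))
        if p.is_file()
    }


def seal_manifest(manifest: dict, key: bytes) -> str:
    """Serialise the manifest and attach an HMAC-SHA256 tag over it."""
    body = json.dumps(manifest, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"manifest": manifest, "tag": tag}, sort_keys=True)


def open_manifest(sealed: str, key: bytes) -> dict:
    """Return the manifest only if its tag verifies; raise ValueError otherwise."""
    doc = json.loads(sealed)
    body = json.dumps(doc["manifest"], sort_keys=True)
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["tag"]):
        raise ValueError("manifest tag mismatch: manifest altered or wrong key")
    return doc["manifest"]


def manifest_is_authentic(sealed: str, key: bytes) -> bool:
    try:
        open_manifest(sealed, key)
        return True
    except ValueError:  # JSONDecodeError is a ValueError too
        return False


def verify_backup(backup_root, manifest: dict) -> dict:
    """Compare a backup directory against a trusted manifest."""
    actual = build_manifest(backup_root)
    return {
        "ok": sorted(k for k in manifest if actual.get(k) == manifest[k]),
        "modified": sorted(k for k in manifest if k in actual and actual[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in actual),
        "extra": sorted(k for k in actual if k not in manifest),
    }


def demo() -> dict:
    """Constructed sample: three records; the backup has one altered and one lost file."""
    key = b"example-manifest-key"  # assumption: a real key comes from a secrets store
    work = Path(tempfile.mkdtemp())
    live, backup = work / "records", work / "backup"
    live.mkdir()
    (live / "client-0001.txt").write_text("intake note, constructed sample\n")
    (live / "client-0002.txt").write_text("session summary, constructed sample\n")
    (live / "client-0003.txt").write_text("case plan, constructed sample\n")
    sealed = seal_manifest(build_manifest(live), key)
    shutil.copytree(live, backup)
    (backup / "client-0001.txt").write_text("altered after backup\n")  # bit rot or tampering
    (backup / "client-0002.txt").unlink()                                 # lost file
    report = verify_backup(backup, open_manifest(sealed, key))
    shutil.rmtree(work)
    return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the check on every restore test, not only at backup time: a manifest that matches the live data proves nothing about the copy you would actually restore from.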
Bias and Trauma-Informed Record Keeping
Your agency should recognize that data collection is a socially constructed process that can introduce bias if it is not carefully monitored. Andrejevic notes the “asymmetrical relationship between those who collect, store and mine large quantities of data and those whom data collection targets.” Further, your agency should work to incorporate trauma-informed principles into record keeping. Specifically:
- Bring emotional labour, empathy, and an acknowledgement of the power of records to the work.
- Recognize the power of archives to affect, and be affected by, individuals and archival practices.
- In data collection, put people first: acknowledge the needs of individuals and communities and the ability of records and archives to address them.
Authorization
- A covered entity must obtain the individual’s written authorization for any use or disclosure of protected health information (PHI) that is not for treatment, payment or health care operations or otherwise permitted or required by the Privacy Rule.
- An authorization must be written in specific terms, in plain language, and contain specific information regarding the information to be disclosed or used, the person(s) disclosing and receiving the information, expiration, and right to revoke in writing.
Minimum Necessary
- It is important to make reasonable efforts to use, disclose, and request only the minimum amount of protected health information needed to accomplish the intended purpose of the use, disclosure, or request.
- A covered entity must develop and implement policies and procedures to reasonably limit uses and disclosures to the minimum necessary, including for routine, recurring disclosures, or requests for disclosures.
Access and Uses
- For internal uses, a covered entity must develop and implement policies and procedures that restrict access and uses of PHI based on the specific roles of the members of their workforce.
- These policies and procedures should identify those in the workforce who need access to PHI to carry out their duties, the categories of PHI to which access is needed, and any conditions under which they need the information to do their jobs.
- Individuals have the right to review and obtain a copy of their PHI in a covered entity’s “designated record set.”
- The “designated record set” is that group of records maintained by or for a covered entity that is used, in whole or part, to make decisions about individuals, or that is a provider’s medical and billing records about individuals or a health plan’s enrollment, payment, claims adjudication, and case or medical management record systems.
- Exceptions to the right of access include the following PHI: psychotherapy notes, information compiled for legal proceedings, laboratory results to which the Clinical Laboratory Improvement Amendments (CLIA) prohibit access, and information held by certain research laboratories.
- Individuals have a right to an account of the disclosures of their PHI by a covered entity or the covered entity’s business associates. The maximum disclosure accounting period is the six years immediately preceding the accounting request, except a covered entity is not obligated to account for any disclosure made before its Privacy Rule compliance date [See the HIPAA Privacy Rule for more on exclusions for this].
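The role-based restriction and the accounting of disclosures described above, as added example code (not part of this standard and not from any HIPAA tool). The roles, purposes and PHI categories are assumptions standing in for what an agency's own written policy would define; the compliance date defaults to the original 14 April 2003 Privacy Rule deadline, also an assumption. Treatment, payment and operations uses are excluded from the accounting, as the Privacy Rule provides; the Rule's other exclusions are left out here.

```python
"""Minimum-necessary access to PHI plus an accounting-of-disclosures log.

Added example, not code from the page. ROLE_POLICY is an illustrative
assumption: it maps each workforce role to the purposes it may act for and
the PHI categories it needs for each purpose. release_phi() refuses any
request that exceeds that set and logs every release; accounting_of_disclosures()
returns the accountable disclosures in the six years before the request.
"""
from dataclasses import dataclass, field
from datetime import date

# Assumption: role -> purpose -> PHI categories the role may receive for that purpose.
ROLE_POLICY = {
    "counselor":        {"treatment":     {"demographics", "treatment_notes", "medications"}},
    "billing":          {"payment":       {"demographics", "billing"}},
    "front_desk":       {"operations":    {"demographics"}},
    "privacy_official": {"legal_process": {"demographics", "treatment_notes", "medications", "billing"},
                         "public_health": {"demographics", "medications"}},
}
# Uses for treatment, payment and health care operations are not reported in an accounting.
NOT_ACCOUNTABLE = {"treatment", "payment", "operations"}


class AccessDenied(Exception):
    """Raised when a request exceeds the minimum necessary for the role and purpose."""


@dataclass(frozen=True)
class Disclosure:
    on: date
    recipient: str      # workforce member or outside party that received the PHI
    purpose: str
    categories: tuple   # PHI categories actually released


@dataclass
class ClientRecord:
    client_id: str
    phi: dict                           # category -> content
    log: list = field(default_factory=list)


def release_phi(record, recipient, role, purpose, requested, on):
    """Return only the requested categories the role may see for this purpose; log the release."""
    allowed = ROLE_POLICY.get(role, {}).get(purpose)
    if allowed is None:
        raise AccessDenied(f"role {role!r} has no access for purpose {purpose!r}")
    excess = set(requested) - allowed
    if excess:
        raise AccessDenied(f"role {role!r} may not receive {sorted(excess)} for {purpose!r}")
    released = {c: record.phi[c] for c in sorted(requested) if c in record.phi}
    record.log.append(Disclosure(on, recipient, purpose, tuple(released)))
    return released


def _years_before(d, n):
    try:
        return d.replace(year=d.year - n)
    except ValueError:  # 29 February with a non-leap target year
        return d.replace(year=d.year - n, day=28)


def accounting_of_disclosures(record, request_date, compliance_date=date(2003, 4, 14)):
    """Accountable disclosures within six years before the request, never before the compliance date."""
    window_start = max(_years_before(request_date, 6), compliance_date)
    return [d for d in record.log
            if d.purpose not in NOT_ACCOUNTABLE and window_start <= d.on <= request_date]


def demo():
    """Constructed sample: one client, three releases, one over-broad request that is refused."""
    rec = ClientRecord("C-0001", {"demographics": "...", "treatment_notes": "...",
                                  "medications": "...", "billing": "..."})
    release_phi(rec, "counselor_a", "counselor", "treatment", ["treatment_notes"], date(2024, 3, 1))
    release_phi(rec, "county_health", "privacy_official", "public_health", ["medications"], date(2016, 6, 1))
    release_phi(rec, "court", "privacy_official", "legal_process", ["treatment_notes", "billing"], date(2022, 9, 15))
    try:
        release_phi(rec, "clerk", "front_desk", "operations", ["demographics", "treatment_notes"], date(2024, 4, 1))
        denied = None
    except AccessDenied as e:
        denied = str(e)
    return accounting_of_disclosures(rec, date(2024, 5, 1)), denied


if __name__ == "__main__":
    accounting, denied = demo()
    print("accounting:", accounting)
    print("refused:", denied)
```

In the sample, the counselor's treatment use is logged but not accountable, the 2016 public-health disclosure falls outside the six-year window, and only the 2022 court disclosure appears in the accounting; the front-desk request for treatment notes is refused before anything is released.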
More on Privacy Policies and Procedures
- A covered entity must develop and implement written privacy policies and procedures that are consistent with the Privacy Rule.
- The covered entity should designate a privacy official responsible for developing and implementing its privacy policies and procedures, and a contact person or contact office responsible for receiving complaints and providing individuals with information on the covered entity’s privacy practices.
- Workforce members include employees, volunteers, trainees, and may also include other persons whose conduct is under the direct control of the entity (whether or not they are paid by the entity). A covered entity must train all workforce members on its privacy policies and procedures, as necessary and appropriate for them to carry out their functions. A covered entity must have and apply appropriate sanctions against workforce members who violate its privacy policies and procedures or the Privacy Rule.
- A covered entity must mitigate, as much as possible, any harmful effect it learns was caused by use or disclosure of protected health information by its workforce or its business associates in violation of its privacy policies and procedures or the Privacy Rule.
- A covered entity must maintain reasonable and appropriate administrative, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of protected health information in violation of the Privacy Rule.
- For example, this might include shredding documents that contain protected health information before discarding them, securing medical records with a lock and key or passcode, and limiting who holds the keys or passcodes.
How long should you retain client records?
- Federal HIPAA rules do not set retention periods for medical records themselves; they do require Covered Entities to retain their compliance documentation (listed below) for six years from its creation or from the date it was last in effect, whichever is later
- You should retain records for at least the minimum time set by state law, if there is such a law in your state
- If your state does not set a minimum record retention period, aim to retain records for a minimum of 7 years after termination of services for adult clients. For children, aim to keep the records for a minimum of 7 years after termination of services or until 3 years past your state’s age of majority (usually 18 or 19 years old), whichever is longer. Also take the state’s statute of limitations into account.
- Covered Entities must retain the following for at least six years from creation, or from the date the document was last in effect, whichever is later:
- Notices of privacy practices
- Patient authorizations
- Risk assessments and risk analyses
- Disaster recovery and contingency plans
- Business associate agreements
- Information security and privacy policies
- Employee sanction policies
- Incident and breach notification documentation
- Complaint and resolution documentation
- Physical security maintenance records
- Access logs
- IT security system reviews (including new procedures and technologies implemented)
Counseling

- Client records should include documentation of each treatment or counseling session, including the client’s status before, during, and after treatment, how they responded to your counseling, and how you responded to their concerns
- Counselors should document the following for each session:
- Observations at the beginning of each session
- The subject matter of each session and an outline of the session
- Communication between you and the client that discusses a plan of action for treatment
- The results of the treatment, including client’s responses to what you say and do
- The follow-up plan for future treatment / steps
- Any additional thoughts or observations that the counselor believes are important to note
- It is generally recommended that clinical records are kept indefinitely so that your organization can respond to any liability claim by a former or current client. Current client files should be considered active and regularly updated and checked, while files of previous clients who no longer use your service can be defined as inactive records.
- It is recommended that inactive files are kept indefinitely and stored securely, meaning away from public access and under lock. This ensures that inactive files are not accessible to staff and others who do not need to see the information.
- For external counseling services, it is good practice to maintain a log of scheduled appointments kept and missed, along with any documentation provided by the counselor to prove that services were provided. The external counselor is responsible for their own record keeping.
- Special considerations for minors
- Determine who has the right to a minor’s case file by checking the age threshold in your state and the status of legal guardianship. In many states, minors gain control over some of their own records in their early teens, meaning they can deny their parents access to those files.
- If parents do have the right to a minor’s file, your organization may create an agreement stating that the parents will receive only information about mental health status, goals and treatment plan, and progress, not detailed accounts of therapy sessions. Stress that the minor may be more willing to open up if they know their parents will not have access to therapy notes.
Case Management

- Organizations that provide social service, medical, or legal assistance to clients should maintain active client case files for as long as the client is within or has contact with the organization.
- As clients may return to the organization, the distinction between active and inactive files is often unclear, so your agency should define when a client’s file becomes inactive.
- For retention of client files, the principal determinant is the requirements set by the state or federal funding sources for such files. After the retention period set by the funding agencies has expired, the organization may continue to retain the files as permanent or historical records if they are deemed important or significant for the organization.
- Client files are generally regarded as having long-term administrative value as the information may be used routinely or occasionally and thus, should remain in the office.
Medical

- While there are no HIPAA requirements for retaining medical records, Covered Entities are bound by the laws of the state in which they operate.
- Medical documents to consider including in client files:
- Informational papers provided by the pharmacy with prescriptions
- Copies of any instructions provided by medical providers
- Copies of inpatient or outpatient treatment plans provided by medical providers, including psychologists
- Residential programs may find it helpful to create, implement, and retain:
- Medication logs for each resident indicating the day and time each dose of each medication is taken; each dose should be initialed by the client
- A decline-of-services form indicating the medication or service that the client is declining and stating that the client releases the residential program from liability for any adverse effects of that decision. Each missed dose of medication, instance of noncompliance with a medical professional’s instructions, or declined medical service should be signed and dated by the client and a staff witness.
- For chronic health conditions, health management records; for example, for diabetic clients, keep a log of blood sugar checks and insulin doses signed by both the client and a staff witness
While your residential program may not be a Covered Entity, these are best practices and serve as a good model for effective record keeping.
- Agencies are Covered Entities when they are health care providers that transmit health information electronically in connection with a HIPAA standard transaction, such as billing. Specifically, your agency is a Covered Entity if it does both of the following:
- Furnish, bill, or receive payment for health care on a patient encounter or claims basis
- Send any transaction of that payment electronically
- Considerations:
- If your agency provides health care services using grant funds and does not bill clients’ insurers, then it is not a HIPAA Covered Entity.
- If your agency bills insurers but does so using paper claim forms and never uses HIPAA standard electronic transactions, then it is not a Covered Entity.
- If your agency communicates via email that may include PHI (protected health information) but does not bill insurers using standard electronic transactions, then it is not a Covered Entity; handling PHI by itself does not create Covered Entity status.
- If your agency has some grant funding but bills insurers using a standard electronic transaction for any service, it is a Covered Entity.
Commentary Sources
https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html
Andrejevic, M. (2014). Big Data, Big Questions | The Big Data Divide. International Journal of Communication, 8, p. 1673.
https://www.hpso.com/risk-education/individuals/articles/Record-Retention-Guidelines
https://www.hipaaguide.net/hipaa-record-retention-requirements/
https://www.hpso.com/risk-education/individuals/articles/Good-Documentation-Brings-Peace-of-Mind
http://naswassurance.org/pdf/PP_Record_Retention.pdf
https://www.probonopartner.org/wp-content/uploads/2016/01/HIPAA-Primer.pdf