Ohio Administrative Code
Title 3364 - University of Toledo
Chapter 3364-90 - Guidelines for Protected Health Information
Section 3364-90-16 - Medical record retention and destruction; disposal of protected health information

Universal Citation: OH Admin Code 3364-90-16

Current through all regulations passed and filed through September 16, 2024

(A) Policy statement

The university of Toledo will ensure the privacy and security of protected health information "PHI" in the maintenance, retention and eventual destruction and disposal of such media. Destruction and disposal of PHI will be carried out in accordance with federal and state law, and as defined in the university's retention policy. The schedule for destruction and disposal shall be suspended for records involved in any open investigation, audit or litigation.

(B) Purpose of policy

The health information management "HIM" department is responsible for maintaining a medical record for each inpatient and outpatient. These records will be properly maintained and accessible. After the retention requirements have been met, destruction of the legal medical record will be carried out by a method that ensures no possibility to reconstruct the contents of the record.

(C) Procedure

This policy shall apply to health information that is generated during provisions of healthcare to patients in any of the university's patient care units, patient care centers or faculty practices as well as human subjects research under the auspices of the university or by any of its agents in all university schools, units, departments and university owned or operated facilities.

(1) Record retention
(a) Medical records may be an electronic medical record, paper documents, microfilm, electronic data storage, etc., but must be maintained in such a way that the information is available for clinical reference upon request. Opportunities for loss and/or damage must be minimized and records must be secured to prevent unauthorized access.

(b) All clinical and administrative university of Toledo medical record information prior to document imaging (paper documents) will be kept for ten years after discharge or service date for inpatient and outpatient encounters.

Pediatric charts will be retained for twenty-five years. The following will be kept indefinitely:

(i) Master patient index.

(ii) Death register.

(iii) Surgery register.

(iv) Transplant register.

(c) University of Toledo medical record documents that are scanned and stored in horizon patient folder will be available in electronic image format according to the guidelines listed above. The paper copy will be maintained for ninety days and then destroyed according to policy.

(d) Other acquired documentation from outside resources used for clinical decision making and treatment planning will be scanned and stored in horizon patient folder and will be available in electronic image format according to the guidelines listed in this rule. Paper copies received from outside facilities can be destroyed once appropriately (readable) scanned into horizon patient folder.

(2) Record destruction and disposal

The destruction and disposal of PHI will be carried out in accordance with the health insurance portability and accountability act of 1996 "HIPAA" regulations.

(a) No PHI will be destroyed before the minimum retention period has been met as indicated above.

(b) Confidential information includes that which contains PHI of a patient, relative or household member of a patient. All documentation containing PHI must be destroyed in a manner that prevents reconstruction. Destruction will be in the following manner:

Media

Destruction method

Paper

Incinerating, shredding or pulverizing

Computerized data

In accordance with rule 3364-65-06 of the Administrative Code (technology asset management policy)

Radiology films

Shredding or pulverizing

Laser disks "WORM"

Pulverizing

Microfilm/fiche

Shredding or pulverizing

Patient labels

Shredding

Pt label ink cartridges

Shredding

(c) Any documentation containing PHI must be personally shredded or placed in a secure recycling container. PHI must not be discarded in trash bins, unsecured recycle containers and other publicly accessible locations.

(d) Information Technology must be contacted to coordinate the destruction of any computerized media. See rule 336490-12 of the Administrative Code (security and protection of patient information both paper and electronic).

(e) Destruction of the legal medical record must be documented and maintained permanently and include the following:
(i) Date of destruction.

(ii) Method of destruction.

(iii) Description of the destroyed documents.

(iv) Inclusive dates covered.

(v) Statement that the records were destroyed in the normal course of business.

(vi) Signatures of the individuals supervising and witnessing the destruction.

If destruction services are contracted, the contract must meet the requirements of the HIPAA privacy and security rules and a business associate agreement "BAA" must be executed with the contractor through the office of legal affairs.

Contracts between the university and its business associate will provide that, upon termination of the contract, the business associate will return or destroy and dispose of all consumer health information. The destruction of PHI by the business associate will be documented in writing and sent to the university and include the information provided in Section(C)(2)(e) of this rule.

If such return or destruction is not feasible, the contract will limit the use and disclosure of the information to the purposes that prevent its return or destruction and disposal.

Disclaimer: These regulations may not be the most recent version. Ohio may have more current or accurate information. We make no warranties or guarantees about the accuracy, completeness, or adequacy of the information contained on this site or the information linked to on the state site. Please check official sources.
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.