Protecting Young Minds: Ensuring HIPAA-Compliant Disposal of Mental Health Records
When it comes to the destruction of a minor's mental health record, HIPAA doesn't provide a specific, uniform time frame for how long these records must be kept.
Instead, HIPAA defers to state laws, which are often more stringent regarding the retention of minors' records.
Generally, a minor's medical records (including mental health records) should be retained at least until they reach the age of majority (usually 18 or 21, depending on the state).
California: Record Retention Rules
· Under Title 22 California Code of Regulations § 72543 (applies to health facilities):
o Health records must be kept for at least 7 years after discharge, or
o At least 1 year after the minor turns 18, whichever is longer—but never less than 7 years total.
· For psychiatry or psychotherapy records:
o Therapy records must be retained for a minimum of 7 years from the date therapy ends, or
o 7 years after the patient reaches 18, whichever is longer.
· For Medi-Cal Records:
o Psychotherapy records for minors must be retained for a minimum of ten years according to the California Welfare and Institutions Code (WIC) section 14124.1.
Destruction must be secure, regardless of when records are destroyed. Disposal of the medical or mental health records must be done in a manner that prevents unauthorized access or reconstruction of the information. This typically involves methods like shredding, burning, or pulverizing paper records and degaussing or physically destroying electronic media.
Documentation is required: It's crucial to document the destruction of records, including the date, method used, and who witnessed the destruction.
Civil HIPAA violations for improper disposal
Failure to Wipe Electronic Devices: A healthcare organization disposes of old computers, hard drives, or photocopiers without securely wiping or destroying the electronic PHI stored on them. The stored data could be accessed by unauthorized individuals who later acquire the devices, leading to a significant fine. For instance, one health plan was fined $1.2 million for failing to erase sensitive information from photocopier hard drives before returning leased equipment.
Another significant case, though not specifically mentioning minors' records, involved a New England dermatology center, which was fined $300,640 for disposing of empty, labeled specimen containers in regular trash, exposing the PHI of 58,106 patients. This demonstrates that improper disposal of physical items containing PHI, regardless of the patient's age, can lead to substantial fines.
More broadly, a Dallas children's medical center was fined $3.2 million for failing to address known risks, including the failure to use encryption on portable devices, which led to the disclosure of patient PHI. While not exclusively about disposal, it highlights the importance of securing patient data, including that of minors, throughout its lifecycle, including proper disposal of electronic devices.
Why it's a good practice to mention it
While proper disposal is not explicitly required to be included in the Notice of Privacy Practices (NPP), HIPAA mandates that covered entities implement reasonable safeguards to protect the privacy of PHI, which includes proper disposal.
The Notice of Privacy Practices (NPP) is a document that covered entities, like hospitals, must provide to individuals regarding the use and disclosure of their Protected Health Information (PHI).
So, let me emphasize my last point. Even though it's not a HIPAA requirement, it's a good practice to include a general statement in the NPP about the covered entity's commitment to protecting the privacy of PHI, including through its proper disposal.
Just Keeping You on Track…
DLH-enterprises5150.com