How Does the HIPAA Privacy Rule Apply to Paper Medical Records?

Document Management
Last updated: April 1, 2024

When the HIPAA Privacy Rule was established in 2003, it was intended to deal with privacy surrounding digital records; therefore, the specific language surrounding the management of paper records is vague. While most practitioners are moving toward electronic records, many historical records remain in hard copy format. Both formats are susceptible to breaches and must be handled with care. According to a recent study conducted by HIPAA Journal,

“Between 2009 and 2018 there have been 2,546 healthcare data breaches involving more than 500 records. Those breaches have resulted in the theft/exposure of 189,945,874 healthcare records. That equates to more than 59% of the population of the United States. Healthcare data breaches are now being reported at a rate of more than one per day.”

While most breaches have been caused by hacking/IT incidents, unauthorized access/disclosure incidents are not far behind. For 2018, the report states that there were 158 hacking/IT-related breaches vs. 143 breaches due to unauthorized access. Gail Bisbee, RN, BSN, i-SIGMA’s HIPAA Subject Matter Expert, recently shared her expertise with SRS to help our clients gain clarity on this complex yet extremely important subject.

What is HIPAA, and why was it created?

The acronym HIPAA stands for The Health Insurance Portability and Accountability Act. It was adopted by the US Congress in 1996.

HIPAA was created to achieve the following goals:

  • Allow for transfer and sharing of patient data to ensure continuity of care across the spectrum of health care providers;
  • Reduce health care fraud and abuse;
  • Mandate industry-wide standards for health care information on electronic billing and other processes; and
  • Require the protection and confidential handling of protected health information.

What is an EMR or EHR?

EMR is the acronym for Electronic Medical Record. EHR, which stands for Electronic Health Record, is typically used by software companies. However, both mean the same thing and are used interchangeably.

What is the HIPAA Privacy Rule, and how does it pertain to hard copy records?

The HIPAA Privacy Rule was enacted in 2003 with the goal of establishing national standards for record keeping and, ultimately, pushing medical practitioners toward electronic medical records. The idea was that EMRs provide better continuity of care and are easier for patients to transfer information to different healthcare providers. The Privacy Rule applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically.

Originally, the goal was to have complete adoption of EMR by 2020. That will not happen. What has evolved, then, is that the same standards of reasonable and customary practice that apply to electronic records are now being applied to hard copy documents as well.

Do healthcare providers still use paper records? 

Yes. We estimate that 95% of practitioners will have started the conversion to electronic records. However, many patients have both hard copy and electronic records. Some practitioners who are close to retiring or closing a practice may never make the transition, given the cost to convert to an electronic medical record system.

What standards should healthcare providers adhere to regarding physical records? What entities dictate these standards?

Standards for management of records (in both physical and electronic formats) are dictated on a state level. Retention schedules also vary by the type of medical service or patient. Pediatric records, for example, have a much longer retention period than typical adult healthcare records.

These standards are enforced through the various accreditation bodies for healthcare providers. The sensitive nature of the information held in medical records mandates high privacy standards. The Privacy Act simply strengthens the safeguards surrounding the records’ confidential information.

What constitutes a breach, and what are the penalties (fines, etc.) associated with non-compliance?

Unlike hospital accrediting bodies, HIPAA does not engage in any sort of audits, surprise or planned. Typically, a patient who reports his/her information has been exposed or a detected hack will initiate a complaint and investigation.

According to the U.S. Department of Health and Human Services, since 2003, the Office for Civil Rights (OCR) has investigated and resolved over 27,109 cases involving HIPAA-covered entities and their business associates.

When a breach is confirmed or there is a failure to notify of a breach, especially if the violation involves gross and willful negligence, severe fines are levied. The largest fine came in 2016 when OCR required Advocate Health Group to pay $5.5 million to settle multiple breaches.

Bottom line: if the records aren’t breached, nothing happens. However, providers shouldn’t let this fact lull them into a false sense of security. Accrediting bodies such as the American Hospital Association do engage in audits (both scheduled and surprise), and penalties for non-compliance include losing licensure and losing the ability to file claims to be paid.

Information from accrediting bodies and regarding HIPAA violations is a matter of public record and can be found online.

How does this come into play with old records waiting to meet their retention or closing medical practices?

While abandonment itself isn’t a breach, unauthorized access (and loss) is a reportable breach. According to HIPAA Journal, unauthorized access is the second biggest cause of breaches. Therefore, legacy custodians inadvertently holding PHI need to be careful, as they are liable for any fines associated with breaches. For example, if a physician passes away and a breach occurs, the estate would be liable for any penalties or fines[1].

What burdens does juggling two systems create for healthcare providers and staff members? 

Based on what we have seen, the burden today is less than it was three years ago, because most practitioners have moved their current records to electronic systems. Many, however, still maintain historic hard copy records for the duration of the retention period. Therefore, there is a financial component to storing hard copy records while also maintaining a cloud/EMR system. That financial hurdle is sometimes more difficult for smaller practices or physicians who are nearing retirement.

What are the risks to patient care when straddling paper and electronic records? How does this impact patient care?

Risks to or impacts on patient care come into play in more complex cases where lots of physicians and healthcare facilities are involved. The more records there are and the more types of records there are, the easier it is for something important to fall through the cracks. Many times, caregivers feel they must act as an advocate for the patient and keep their own records to ensure appropriate care is given and histories are accurately reported. The article “Paper Trails: Living and Dying With Fragmented Medical Records” illustrates the risks of these complex cases and really highlights ways those in the Record Management Industry can help.

What kinds of support do healthcare providers need to bridge the divide between hardcopy and digital?

Many healthcare providers feel that by adopting an EMR for their current records, they have checked the box, and they default to a “set it and forget it” mentality with historic records. This is a dangerous approach and could lead to a costly breach.

While the regulatory environment creates a lot of red tape for providers and those who handle EMRs, the intention – protecting patients’ sensitive data – is ultimately a good thing. However, the undeniable truth is that it places additional work on already-overburdened professionals. Our industry is well-poised to bridge this gap to relieve the stresses on healthcare providers, lessen their liabilities, and improve patient care.

Christopher Powell Jones, SRS Chief Problem Solver, has walked many healthcare clients through similar situations. He adds:

Many healthcare providers assume that a document management company will simply scan all historic records, which would be prohibitively expensive and, ultimately, unnecessary. Instead, document management companies should present creative, cost-effective solutions that solve the issues at hand, and even uncover certain risks that are not immediately apparent. For instance:

  • Keeping historical records longer than their retention requirement not only takes up valuable space and costs money to store, it also makes them discoverable in a lawsuit.
  • Slides, x-rays, microfilm, and microfiche all contain PHI and must be treated the same as an EHR.
  • If paper records are not properly stored and easily accessible to provide patient care when needed, it could constitute negligence and open a practice up to a lawsuit.
  • Loved ones may be exposed to penalties or fines via the estate if a breach occurs involving historic records after a physician passes away.
  • Storing records onsite in non-secure space, with uncontrolled access, not only opens them up to breaches, but also exposes them to natural disasters, such as a hurricane. If damaged or destroyed, the practice would be responsible for recreating every record, an extremely costly and time-consuming task.
  • Managing records in small volumes onsite is inefficient even if the space is relatively secure. From the time spent unnecessarily scanning or using a desktop shredder to the financial cost of storing records onsite, the main issue is that it’s a management problem, not a storage one.

Understanding the struggles and hurdles nurses, doctors, physical therapists, etc. face and mitigating them allows healthcare providers to focus on patient care instead of getting bogged down in administrative tasks. Those in the record management industry need to cure the illness faced by healthcare practitioners instead of simply treating the symptoms. When this occurs and a true partnership is formed, the compliance and efficiencies created result in higher quality patient care and a better working environment.

[1] Any fines would be determined by the damages or risks associated with a documented breach and by whether willful negligence has occurred.
