In Case of Fire: How to Handle Accidentally Destroyed Healthcare Records
By AAMFT Legal and Ethics
Your client files are stored in a lockbox in a locked room in the middle of your locked practice. Your notes go straight into the lockbox after this session. Nobody without authorization can lay eyes on the Protected Health Information (PHI) sequestered within. Then, while you’re safe at home, a wildfire torches the office and transforms those files into charcoal and ash.
Despite your best efforts to protect your clients’ private healthcare records, sometimes a force of nature intervenes. As the changing climate leads to natural disasters becoming more common, it is becoming increasingly likely that clinicians will be faced with scenarios such as this. What do you do when your client files are lost?
Many clinicians may already be familiar with what to do in the event of a breach of privacy. Under HIPAA, a breach occurs when there has been an “acquisition, access, use, or disclosure of protected health information in a manner not permitted [by the statute] which compromises the security or privacy of the protected health information.” 45 CFR § 164.402. A breach occurs when, for instance, a clinician leaves a folder open on a table and an unauthorized person reads its contents; when a clinician shares non-anonymized clinical details on TikTok; or when a bad actor illegally accesses a cloud storage service containing healthcare records.
These examples illustrate that a breach can come from any number of vectors, from simple negligence to willful misbehavior by the therapist to intervention by unrelated third parties. The responsibility of the clinician is the same in all scenarios – clinicians must notify clients, pursuant to 45 CFR § 164.404; the Department of Health and Human Services, pursuant to 45 CFR § 164.408; and, if the breach involves more than 500 people, the media, pursuant to 45 CFR § 164.406.
But what about when, instead of a breach – that is, unauthorized access – the clinician is faced with a loss? What about when records are destroyed by fire, flood, or other natural events? In the case of records which were destroyed with no chance of recovery by unauthorized people, there has been no breach. However, there may still be a need to take action. If your lost records were stored only in a physical format, such as in folders in that lockbox in the locked room in the locked clinic, best practices would be to notify all clients of the destruction.
State law imposes a minimum retention period for healthcare records, but does not generally mandate that records be destroyed after a certain point. As a result, clinicians sometimes maintain records for longer than they are required to by law. If records in that category are accidentally destroyed, then no notification is necessary as the client has no reasonable expectation that the records would still exist. Make sure to check your local rules and regulations for these requirements, and seek counsel with a locally licensed attorney if you need additional clarity.
Depending on your filing system, you may also have backups, either physical or digital. If you maintain multiple copies of your records, for instance if you use a cloud storage service as well as a physical filing system, you would not likely need to notify your clients if the physical filing system were destroyed in a natural disaster, as long as you are certain that they were destroyed in such a way as to prevent any unauthorized person from accessing them.
Essentially, your clients have certain rights to access their own healthcare information. These rights come from federal law through HIPAA as well as state law, which may grant additional rights. Part of the clinician’s responsibility is ensuring that the client is sufficiently informed so they can make appropriate decisions. Where there has been a change of circumstances that impacts your clients’ ability to exercise those rights, such as loss of records through natural disaster, your clients should be made aware. When such an event does not impact those rights, such as where a copy of the record is destroyed but the clinician has a backup, or where the retention period has lapsed and the client has no expectation that the record would survive anyway, no notification is required.
If you have questions on this or other legal and ethics matters related to the practice of marriage and family therapy, AAMFT members can contact the Legal and Ethics team at ethics@aamft.org, or book a telephone consultation at https://www.aamft.org/Legal_Ethics/Consultations.aspx.
