If your practice has experienced an IT system failure, structural or flood damage as a result of the recent winter storms, please refer to these guidelines for recovering damaged medical records.
Report the loss to your general liability/property insurance carrier. Keep the documentation sent to and from your property insurance carrier verifying water damage or other event. In the event of a medical liability claim, this documentation could be important. Having the appropriate documents could protect you against an allegation of intentional “spoliation” of records.
If applicable, immediately contact your EHR vendor regarding recovery of data and back-up records.
If any records are salvageable, make efforts to preserve them. There are companies that specialize in digital and document remediation. Be sure to obtain a HIPAA Business Associate Agreement with any vendor (IT service, document restoration or destruction).
If the records are not salvageable and what’s left of them needs to be destroyed, be sure that your destruction (shredding, erasing of hard drives or servers, etc.) is complete and well documented. Keep a list of all patients whose records were destroyed, along with details of what happened, dates, etc.
Try to re-create records as best you can by requesting outside records such as lab reports, diagnostic testing, operative reports, and other records. It may also be worthwhile to upload information from practice management software and investigate recovery of any recorded or transcribed records from outside services or voice recognition software.
Any “re-created” records should be clearly labeled as such, with the current date. You may also wish to make a copy or photograph of the records.
The documentation should reflect what happened (water damage, record destroyed) and that the patient’s history is uncertain due to lost information as of (date), etc. At your discretion, you may consider whether to obtain new history forms and/or talk to the patient to gather additional history.
Conduct an assessment to evaluate the potential or actual breach of protected health information and determine whether patient notification is required.
Health insurance carriers may require attestation forms regarding lost/destroyed records. Check with your carriers about this.