HIPAA Guidelines for Electronic Medical Records

Congress enacted the Health Insurance Portability and Accountability Act in 1996 to mandate how personally identifiable information (PII) maintained by the healthcare industry is protected from fraud and theft. Since then, technology has transformed the healthcare industry. Medical records that in the past were handwritten and stored on paper are now created and stored electronically. In this blog, we discuss HIPAA guidelines for electronic medical records (EMR) and offer tips for complying with the law.


Under HIPAA, healthcare organizations must maintain the security and integrity of electronic medical records they produce, store, receive, or send. Covered entities must have physical, administrative, and technical safeguards to prevent unauthorized access to protected health information (PHI). A medical data management provider can help your healthcare organization manage the cost and accessibility challenges of complying with HIPAA requirements by providing off-site storage and tracking of your electronic medical records.

Data Backup and Recovery

HIPAA covered entities must have written data backup and recovery procedures. As a result, your organization should have a data protection solution. A media storage and rotation provider can make sure your electronic medical records are backed up frequently and protected from access by unauthorized entities. They can also “implement procedures for periodic testing and revision of contingency plans,” per HIPAA requirements.

Final Disposition

The HIPAA Security Rule requires covered entities, and business associates of covered entities, to implement policies and procedures for ensuring secure final disposition of EMR and/or the hardware or electronic media on which they are stored. In a July 2018 Cybersecurity Newsletter, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) reminded HIPAA covered entities that “Devices or media that need to be replaced should be decommissioned and disposed of securely to ensure that either the devices or media are destroyed, or any confidential or sensitive information stored on such devices or media has been removed.”

OCR highlights the following method for the disposal of electronic devices with ePHI:

  • Electronic media must be cleared, purged, or destroyed consistent with National Institute of Standards and Technology (NIST) Special Publication 800-88 Revision 1, Guidelines for Media Sanitization, such that the PHI cannot be retrieved.

A hard drive and media destruction service that meets NIST and Department of Defense (DoD) requirements can make sure your healthcare organization meets the Security Rule specifications. Your provider can bring locked collection containers to your facility so employees can discard obsolete hard drives and solid-state drives (SSDs) inside for destruction. These tamper-resistant containers are scanned and tracked through transport and destruction, offering a detailed audit trail that includes the manufacturer identification information, model, and serial number of your destroyed hard drives. Your provider adds this information to your Certificate of Destruction for proof of compliance with the HIPAA Security Rule.

Docusafe serves businesses in New Jersey, New York, and Pennsylvania with medical data management solutions.

For more information about our services, please call us at (888) 264-7367 or complete the form on this page.
