Posts Tagged: HIPAA

Creating a Medical Record Retention Policy

Compliance with medical record retention isn’t a choice. It’s the law. Every healthcare organization, from hospitals to pharmacies, must abide by state and federal laws. To ensure your organization complies, you’ll need to develop a medical record retention policy. Such a policy will protect PHI (protected health information) and keep documents accessible for patient, payer, and auditor inquiries.

5 Tips to Develop Your Medical Record Retention Policy

With these tips, you’ll be able to create a policy that’s compliant and streamlined. 

Determine How Long You Need to Keep Records

The amount of time you need to store records varies. HIPAA dictates that records be retained for six years from the date of creation or the date they were last in effect.

Other states and agencies may require a longer period of time. provides a table of laws by state. A majority of these states mandate a longer retention time than six years. AHIMA also offers a table of record retention standards by agency.

For pharmacy, CMS requires all pharmacies filling Medicare Part D prescriptions to maintain records for 10 years. Additionally, there are rules regarding types of records. 

Document Your Policy

A policy isn’t implementable or sustainable without documentation. Documenting your policy ensures that all employees have access to the process. It should clarify what regulations apply to your records and also include how and when you archive medical records. Finally, it should also define how users can access old records in the case of an audit or inquiry.

Choose a Powerful, Easy to Use Archiving Tool

Most likely, you don’t want to keep all patient records in your EHR or pharmacy software system. Too much data in these platforms can impact performance. Archiving records keeps you compliant with retention laws. Archiving tools simply move data, documents, and images to a secure storage area. Ideally, you’ll want a cloud-based system, so it’s accessible anywhere.

When choosing a legacy data provider, be sure that their system has the functionality and security you need. There are a series of questions you can ask a prospective archiving provider. Find them here

Review Your Policy with Legal Counsel

If you recently established a policy or have had one for some time, it’s always good to have a legal eye on it. You can share it with in-house counsel if available. If not, you’ll want to find an attorney with in-depth knowledge of medical record retention policies.

Train Employees on Retention and Access

The last part of your medical record retention policy is to share it and execute it. This implementation should include training for employees on:

  • The retention requirements for your records.
  • What type of records you’ll retain.
  • Where you’ll store archived records.
  • How to access archived records for reporting.

Need Help with Medical Record Retention?

We provide healthcare and pharmacy with a robust and intuitive medical record archiving tool. It’s easy to use, meets all medical record retention requirements, and is secure. It’s a web-based, turnkey solution that supports compliance.

Check out how ViewMaster works today by watching our video!

Security Must-Haves for Your Healthcare Data Management Provider: Key Questions to Ask

Healthcare organizations always have to be vigilant about data security. In fact, most approach it with a security-first mindset, internally. You should extend that same perspective to all your business partners, especially your healthcare data management provider. You need to have the utmost confidence in their security measures. Here’s how you can accurately assess them.

Assessing a Healthcare Data Management Provider

When seeking out a healthcare data management provider, there are specific security questions you should ask. Performing this due diligence should satisfy any concerns over compliance and safety protocols. 

Critical Questions to Ask:

  • Have you ever had a PHI (protected health information) breach?
  • Do you use HIPAA business associate agreements (BAA)?
  • How are your processes HIPAA compliant?
  • What encryption do you use? Is data encrypted in transit, at rest, or both?
  • Do your employees complete annual HIPAA compliance training?
  • Does the provider use a data colocation provider with certifications? Does the data center have physical security 24/7?

What Are the “Right” Answers?

  • PHI data breaches: Of course, you want this to be a no. However, should a provider have a breach in its history, you should ask for all applicable information regarding notifications, fines, and corrective measures.
  • HIPAA BAA: These are mandatory when you share PHI. Before beginning any work, a vendor should provide this. It’s a big red flag if they don’t!
  • HIPAA compliant processes and data security: The vendor should have rigorous and detailed security protocols relating to encryption, cybersecurity, data centers, adherence to HITRUST, two-factor authentication, and business continuity.
  • Encryption: PHI should be encrypted during transit and at rest using 256-bit standards.
  • HIPAA training: Every employee in a healthcare data management company should have annual training and certify their understanding of HIPAA through a scored test. 
  • Data center details: Providers should use a top-tier colocation center that has a long list of certifications. The data center should be HIPAA and HITRUST compliant. Additionally, such an entity should have SOC 1, 2, & 3 Type 2 certifications. Finally, the location should have 24/7 physical security.

As you compare providers, create a matrix to check off their answers to these questions. Then you can accurately evaluate them. It should be a crucial part of your screening process. 

Dedicated to Security

We are proud to say we’ve never experienced a data breach in more than two decades of business. Pharmacies and healthcare organizations trust us with their PHI every day, and we have strong, consistent protocols in place. We also use one of the most reputable colocation companies, Flexential.

Acquisition Analytics Reports: Third-Party, Unbiased Reviews Before You Buy

If you are considering investing in or buying a business, you want to do your due diligence. Ultimately, you need to know if what you’re buying is and can be profitable. In healthcare, much of what buyers want to quantify is the probability of patient retention. To make this assessment, you can ask for data, but it could contain omissions or inaccuracies. With acquisition analytics, you receive a third-party, unbiased review, helping you make the best decision.

What Is an Acquisition Analytics Report?

An acquisition analytics report is a business intelligence assessment of a pharmacy’s or healthcare practice’s financials and patient data. It typically covers the past two years. An analytics provider retrieves the data directly from a pharmacy software system or health information system (HIS). It’s a redacted report containing various data elements, with no PHI (protected health information).

Data elements that make up a report:

  • Average weekly scripts, volume, or patient visits
  • Percentage of new vs. returning patients 
  • Prescriber information (pharmacy)
  • Number of “high value” patients (patients with a large number of scripts or visits)
  • Patient location
  • Payer information (private and public)
  • Percent of controlled scripts (pharmacy) to discern if there’s any risk

The report presents this information to you with year-over-year comparisons. From this, you can spot trends and patterns. You’ll gather insights on profits, volume, and more.

Why Request an Acquisition Analytics Report?

Having access to such a report provides transparency in the process. The provider of the report is pulling real, live data with no manipulation. It’s one of the best approaches to sizing up an investment. Just as you wouldn’t buy a house without an inspection or appraisal, the same goes for buying a pharmacy or healthcare practice.

It’s an integral part of the decision-making process. It complements your other valuation efforts and gives you a broad picture of future profitability. 

How to Choose a Report Provider

Many firms specialize in acquisition analytics. They commonly provide reports in mergers and acquisitions. However, most don’t have healthcare-specific expertise. So, while a company may have years of experience in business intelligence, healthcare is different. 

Here’s why:

  • PHI: Any healthcare report must meet compliance factors regarding PHI. Not all organizations will understand or have processes in place to remain HIPAA compliant.
  • Pharmacy systems and HIS: If a company is going to provide this kind of report, they need to have great familiarity with how such systems work. It’s not the same as a balance sheet or other financial evaluations. 

Thus, it’s a good idea to tap an analytics partner that routinely provides these kinds of reports. They should be able to give you a sample and discuss how they protect PHI. Asking these questions gives you peace of mind that the information is accurate and unbiased.

Make the Best Decision with the Best Data

Every potential business buyer wants to have as much information as possible to make the best decision. A clear and impartial report on the health of the business is critical for you to move ahead with confidence. 

If you’d like to learn more about our acquisition analytics solutions, contact us today. We also offer a turnkey approach to pharmacy transitions for buyers. Download our product sheet to see all we offer.