Healthcare records management under HIPAA isn't just about locking the file room — it's about being able to demonstrate to an auditor exactly how every record was created, accessed, retained, and destroyed. This checklist captures the same workflow Reynolds engineers run on every HIPAA project across our 22+ Lehigh Valley healthcare clients.
Use this checklist alongside your facility's HIPAA Privacy & Security policies — not as a replacement. The legal scope of HIPAA varies by Covered Entity vs Business Associate; consult your compliance officer before adapting any of these steps.
Step 1: Retention Schedule Audit
Before any digitization or destruction work begins, you need a written retention schedule that covers every record type your facility produces. Most failed audits start here.
- Pull your existing retention policy (if any) and your state's medical-records retention law
- Apply the longest period that binds you. HIPAA itself sets no retention period for the medical record: its 6-year clock (§164.316(b)(2), §164.530(j)) covers policies, procedures and other required documentation. The chart's retention comes from state law plus any Medicare condition-of-participation or payer requirement, and the longest of these controls, never the shortest
- Cross-reference Joint Commission's record-retention guidance for the record types they inspect
- Document the rationale per record type, including which rule drove the period; auditors ask
Pennsylvania medical record retention is 7 years past last patient visit OR 7 years past patient's 21st birthday for minors — whichever is longer. Reynolds maintains a state-by-state retention reference for our healthcare clients on request.
Step 2: Active vs Inactive Record Classification
Auditors expect to see a clear boundary between records in active use vs. those in retention storage. Mixing them is a top-5 finding in our audit-prep work.
| Status | Definition | Storage Location | Access Frequency |
|---|---|---|---|
| Active | Within current treatment episode or open billing period | On-floor / nurse-station file room | Daily |
| Recent-Inactive | 0–24 months past last activity | Secured records room, on-site | Weekly |
| Long-term Inactive | 24+ months past last activity through retention end | Off-site or scanned | Quarterly or audit-only |
| Pending Destruction | Retention period expired, destruction approved | Locked, separate area | Pre-destruction review only |
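As an added worked example (not part of Reynolds' checklist or tooling), here is a Python function that applies the Pennsylvania rule quoted in Step 1 and the status table above to a single record. Two points are assumptions for this example rather than anything the page states: "minor" is taken to mean under 18 at the last visit (so the 21st-birthday clock only applies to those patients), and a record whose retention has expired but whose destruction has not yet been approved stays Long-term Inactive with an "expired" flag instead of moving to Pending Destruction. Check both against your own policy.

```python
from dataclasses import dataclass
from datetime import date
from enum import Enum

# Pennsylvania rule as stated on this page: 7 years past the last visit, or
# 7 years past the patient's 21st birthday for minors, whichever is longer.
RETENTION_YEARS = 7
MINOR_ANCHOR_BIRTHDAY = 21
AGE_OF_MAJORITY = 18   # assumption for this example: "minor" = under 18 at last visit


class Status(Enum):
    ACTIVE = "Active"
    RECENT_INACTIVE = "Recent-Inactive"
    LONG_TERM_INACTIVE = "Long-term Inactive"
    PENDING_DESTRUCTION = "Pending Destruction"


@dataclass
class Classification:
    status: Status
    retention_end: date
    retention_expired: bool   # True when past retention end (approved for destruction or not)


def add_years(d: date, years: int) -> date:
    """Calendar-year arithmetic; a Feb 29 start lands on Feb 28."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def years_old(dob: date, on: date) -> int:
    """Completed years of age on a given date."""
    return on.year - dob.year - ((on.month, on.day) < (dob.month, dob.day))


def months_between(earlier: date, later: date) -> int:
    """Whole months elapsed from earlier to later (drives the 0-24 / 24+ boundary)."""
    months = (later.year - earlier.year) * 12 + (later.month - earlier.month)
    return months - (1 if later.day < earlier.day else 0)


def retention_end(last_visit: date, dob: date) -> date:
    """Longer of the two PA clocks; the 21st-birthday clock applies only to minors."""
    from_visit = add_years(last_visit, RETENTION_YEARS)
    if years_old(dob, last_visit) < AGE_OF_MAJORITY:
        from_21st = add_years(add_years(dob, MINOR_ANCHOR_BIRTHDAY), RETENTION_YEARS)
        return max(from_visit, from_21st)
    return from_visit


def classify(last_activity: date, dob: date, as_of: date,
             episode_open: bool = False, destruction_approved: bool = False) -> Classification:
    """Map one record onto the four buckets from the status table."""
    end = retention_end(last_activity, dob)
    expired = as_of > end
    if episode_open:                      # current treatment episode or open billing period
        return Classification(Status.ACTIVE, end, expired)
    if expired and destruction_approved:  # retention expired AND destruction approved
        return Classification(Status.PENDING_DESTRUCTION, end, expired)
    if months_between(last_activity, as_of) < 24:
        return Classification(Status.RECENT_INACTIVE, end, expired)
    return Classification(Status.LONG_TERM_INACTIVE, end, expired)


if __name__ == "__main__":
    today = date(2025, 11, 14)
    # Constructed sample records: (label, last activity, date of birth)
    samples = [("adult", date(2024, 3, 10), date(1980, 5, 1)),
               ("minor", date(2019, 2, 1), date(2015, 6, 20)),
               ("expired", date(2017, 9, 30), date(1950, 1, 1))]
    for label, last, dob in samples:
        c = classify(last, dob, today, destruction_approved=(label == "expired"))
        print(f"{label:8s} retention ends {c.retention_end}  -> {c.status.value}")
```

The minor case is the one facilities get wrong: a three-year-old seen once in 2019 has a retention end in 2043, not 2026, and a schedule driven only by "last visit plus 7" would queue that chart for destruction seventeen years early.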
Step 3: Access Control & Audit Logging
HIPAA Security Rule §164.312(b) (audit controls) requires mechanisms that record and examine activity in systems holding electronic PHI, so every ePHI access must be attributable to a user and reconstructable later. The Security Rule covers ePHI only; paper records fall under the Privacy Rule's safeguards (§164.530(c)) and have to be made traceable by procedure rather than by the system. That gap is why, if you still use paper records, this is the step where Reynolds usually recommends scanning.
- Confirm every system that holds PHI has user-level audit logging enabled
- Confirm logs are retained for at least 6 years. HIPAA's explicit 6-year clock (§164.316(b)(2)) applies to required documentation; treat it as the floor for audit logs, and go longer where state law or your own policy requires it
- Confirm a documented log-review procedure exists (at least monthly)
- Confirm break-the-glass procedures are tested and logged
- For paper records: sign-in/sign-out log for every retrieval, retained 6 years
Joint Commission inspectors routinely test the audit trail by asking "show me who accessed patient X's record on date Y." If you cannot produce that within 5 minutes, you have a finding. Paper-based facilities consistently fail this question.
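To show what answering that question inside 5 minutes looks like when the log is actually queryable, here is an added Python example. It is not Reynolds' tooling and not any particular EHR's log format: the JSON Lines field names (ts, user, patient_id, action, break_glass, reason) and the six sample events are assumptions constructed for this example. It answers the inspector's "who accessed patient X on date Y", pulls out break-the-glass events that carry no documented justification, and produces the per-user counts a monthly log review would start from.

```python
import json
from collections import Counter
from datetime import date, datetime

# Constructed sample EHR access log, one JSON event per line. The schema is an
# assumption for this example, not any vendor's real export format.
SAMPLE_LOG = """\
{"ts": "2025-11-14T08:02:11Z", "user": "rn.alvarez", "patient_id": "MRN-10492", "action": "view", "break_glass": false, "reason": ""}
{"ts": "2025-11-14T08:05:47Z", "user": "dr.chen", "patient_id": "MRN-10492", "action": "update", "break_glass": false, "reason": ""}
{"ts": "2025-11-14T13:41:09Z", "user": "billing.kim", "patient_id": "MRN-20077", "action": "view", "break_glass": false, "reason": ""}
{"ts": "2025-11-14T22:17:30Z", "user": "dr.patel", "patient_id": "MRN-10492", "action": "view", "break_glass": true, "reason": "ED admission, not on care team"}
{"ts": "2025-11-15T09:12:00Z", "user": "rn.alvarez", "patient_id": "MRN-10492", "action": "view", "break_glass": false, "reason": ""}
{"ts": "2025-11-15T11:30:52Z", "user": "it.admin", "patient_id": "MRN-20077", "action": "export", "break_glass": true, "reason": ""}
"""


def parse_log(text: str) -> list:
    """Parse JSON Lines into event dicts with a real datetime; fail loudly on a bad line
    rather than silently dropping it, since a gap in the trail is itself a finding."""
    events = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            ev["patient_id"], ev["user"]      # required fields
        except (ValueError, KeyError) as exc:
            raise ValueError(f"malformed audit event on line {lineno}: {exc}") from exc
        events.append(ev)
    return events


def accesses_for(events: list, patient_id: str, day: date) -> list:
    """The inspector's question: who touched this patient's record on this date?"""
    return sorted(
        (ev["ts"].strftime("%H:%M:%SZ"), ev["user"], ev["action"])
        for ev in events
        if ev["patient_id"] == patient_id and ev["ts"].date() == day
    )


def undocumented_break_glass(events: list) -> list:
    """Break-the-glass events with no recorded justification: review-queue items."""
    return [
        (ev["ts"].isoformat(), ev["user"], ev["patient_id"])
        for ev in events
        if ev.get("break_glass") and not ev.get("reason", "").strip()
    ]


def review_summary(events: list) -> dict:
    """Per-user access counts, the starting point for the monthly log review."""
    return dict(Counter(ev["user"] for ev in events))


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("MRN-10492 on 2025-11-14:")
    for ts, user, action in accesses_for(events, "MRN-10492", date(2025, 11, 14)):
        print(f"  {ts}  {user:12s} {action}")
    print("undocumented break-glass:", undocumented_break_glass(events))
    print("per-user counts:", review_summary(events))
```

Two design points carry over to a real deployment: the parser refuses a malformed line instead of skipping it, because an unexplained hole in the trail is exactly what an inspector will ask about, and break-the-glass is treated as an event to be reviewed for a written reason, not merely logged.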
Step 4: Secure Destruction Documentation
§164.530(j) requires you to document the actions the Privacy Rule obliges you to record and to keep that documentation for 6 years. Destruction that leaves no record cannot be shown to have been compliant, and an auditor will treat it that way. Every record destroyed needs a Certificate of Destruction (CoD) with specific elements.
Required Certificate-of-Destruction Elements
- Date of destruction
- Method of destruction (shred / pulp / incinerate / data overwrite)
- Description of records destroyed (date ranges + record types — not patient names)
- Witness signature(s)
- Vendor name + DBA license # (for outsourced destruction)
- Chain-of-custody log from removal through destruction
Reynolds-provided CoDs for our healthcare clients include all 6 elements plus NAID AAA certification reference. Sample: "On 2025-11-14, 8 cu ft of records from Patient Records 2018-2019 were shredded on-site by NAID AAA-certified vendor Reynolds Business Systems (PA Lic #BPS-2741) via NSA/CSS 02-01 cross-cut shredder, witnessed by Janine Reynolds (Records Mgr) and J. Smith (Compliance Officer)."
Step 5: BAA Coverage for Service Providers
Every vendor that touches PHI — scanning, storage, destruction, IT — needs a signed Business Associate Agreement. Audit prep is the right time to verify yours are current.
BAA Coverage Audit (run this against your vendor list; any "N" answer is a gap to remediate before the next audit). For each vendor:
1. Does the vendor touch PHI? (Y/N)
2. Is there a signed BAA? (Y/N)
3. Is the BAA dated within 24 months? (Y/N)
4. Does the BAA name a specific facility / scope? (Y/N)
5. Has the vendor's compliance posture been re-verified in the last 12 months? (Y/N)
Step 6: Continuous Monitoring
HIPAA compliance isn't an event, it's a posture. Reynolds recommends a quarterly self-audit using the steps above plus the metrics in the spreadsheet linked below.
Watch: Reynolds Healthcare Records Workflow
Below is a 3-minute walkthrough of how Reynolds engineers run the audit-prep workflow for a healthcare client. It covers the steps above and shows the chain-of-custody documentation in practice.
Next Steps
If you've worked through this checklist and found gaps, Reynolds offers a free 90-minute HIPAA records assessment for healthcare facilities in PA, NJ, DE, and MD. Our compliance team will walk through your current state and produce a prioritized remediation plan within 5 business days.
Bring this checklist to your next Compliance Committee meeting. Most failed audits trace to one of the 6 gaps above — knowing which gap your facility owns is the fastest path to compliance.
