Appendix 1: Retention and disposal of records
The HPCSA offers the following guidance on the retention of medical records:
- Records should be kept for at least 6 years after they become dormant.
- The records of minors should be kept until their 21st birthday.
- The records of patients who are mentally impaired should be kept until the patient’s death.
- Records pertaining to illness or accident arising from a person’s occupation should be kept for 20 years after treatment has ended.
- Records kept in provincial hospitals and clinics should only be destroyed with the authorisation of the Deputy Director-General concerned.
- Retention periods should be extended if there are reasons for doing so, such as when a patient has been exposed to conditions that might manifest in a slow-developing disease, such as asbestosis. In these circumstances, the HPCSA recommends keeping the records for at least 25 years.
- In terms of section 14 of the Protection of Personal Information Act 4 of 2013, records of personal information must not be retained any longer than is necessary for achieving the purpose for which the information was collected and processed. Records should not be retained randomly on an indefinite basis.
- Statutory and regulatory obligations to keep certain types of records for specific periods must be complied with.
HPCSA, Guidelines on the Keeping of Patient Records (2008), para 9.
An efficient records management system should include arrangements for archiving or destroying dormant records in order to make space available for new records, particularly in the case of paper records. Records held electronically are covered by the Electronic Communications and Transactions Act, which specifies that personal information must be deleted or destroyed when it becomes obsolete.17
A policy for disposal of records should include clear guidelines on record retention and procedures for identifying records due for disposal. The records should be examined first to ensure that they are suitable for disposal, and an authority to dispose should be signed by a designated member of staff.
The records must be stored or destroyed in a safe, secure manner.
If records are to be destroyed, paper records should be shredded or incinerated. CDs, DVDs, hard disks and other forms of electronic storage should be overwritten with random data or physically destroyed.
Be wary of selling or donating second-hand computers – “deleted” information can often still be recovered from a computer’s hard drive.
If you use an outside contractor to dispose of patient-identifiable information, it is crucial that you have a confidentiality agreement in place and that the contractor provide you with certification that the files have been destroyed.
You should keep a register of all healthcare records that have been destroyed or otherwise disposed of. The register should include the reference number (if any), the patient’s name, address and date of birth, the start and end dates of the record’s contents, the date of disposal and the name and signature of the person carrying out or arranging for the disposal.