How to Store Paper Medical Records Securely

By: Lisa Morris on December 2, 2019

It’s a tale as old as time—well, if “time” only extends back to the 1960s when the first electronic medical records were developed.

I’m talking of course about the age-old battle between paper medical records and EHRs.

Since federal regulations began incentivizing the switch from paper medical records to electronic storage options, doctors have struggled to adopt this new software into their practices, despite the fact that EHRs offer a variety of built-in features that paper records don’t.



Features compared (paper records vs. EHRs):

Charting/Patient records

Coding assistance

ONC-ATCB certification

Audit trails

Password protection

Data encryption

Decision support

Billing, PM, and patient portal integration


But while there are plenty of benefits to EHRs, many still find themselves asking, “Can we keep using paper medical records and stay HIPAA-compliant?”

The answer is yes, but it comes with a caveat: Storing paper records securely requires a lot more work, physical space, and effort than EHRs—and even after all that, the risk of HIPAA violations is still higher with paper records.

If you still want to learn how to store paper medical records securely despite the extra work and risk, we’ve got you covered.

Follow these guidelines for properly organizing paper medical records:

Always follow the “double lock” rule

Limit your “incidental disclosure”

Use a logging system to track physical records

Always follow the “double lock” rule

In any conversation about how to store your paper medical records, the place to start is best practices for the physical location you’ll keep your records in.

In order to maintain HIPAA compliance with your paper record storage, you need to think about physical safeguards.

What are physical safeguards?

Physical safeguards are defined in the HIPAA Security Series as “physical measures, policies, and procedures to protect a covered entity’s…systems and related building and equipment from natural and environmental hazards, and unauthorized intrusion.”

Essentially, this standard makes you responsible for physically controlling access to your patients' protected health information (PHI) and for keeping the storage environment secure against anything that could damage or expose it, from floods to accidental disclosure. Strictly speaking, that definition comes from the Security Rule, which governs electronic PHI; paper records fall under the Privacy Rule's requirement for appropriate administrative, technical, and physical safeguards, but the same physical-protection principles apply.

To achieve this, you’ll want to start with the double lock rule. To follow this rule, you just need to make sure that anyone who attempts to access physical medical records in your practice must get through two locks before doing so. For example, you could keep your records in a locked filing cabinet, and that filing cabinet is stored in a locked room.

Limit your “incidental disclosure”

The double lock rule and other physical safeguards are all designed to help you avoid incidental disclosure of PHI.

What is incidental disclosure?

Incidental disclosure is defined by the HIPAA Privacy Rule as any “incidental” or “secondary” use of PHI “that cannot reasonably be prevented, is limited in nature, and that occurs as a result of another use or disclosure that is permitted by the Rule.”

Incidental disclosure can include things like a patient seeing another patient's information on a sign-in sheet, or someone overhearing a conversation between a doctor and a patient in which PHI is discussed.

As you can imagine, it’s really difficult to completely eradicate these instances. So, rather than trying to do that, the Privacy Rule aims to minimize them by requiring medical entities to enact physical safeguards, such as having a physical barrier between the patient waiting area and the administrative area.

Alongside physical safeguards, the Privacy Rule expects "reasonable safeguards": other strategies and everyday practices that limit disclosure of PHI. These include speaking quietly and avoiding identifying details when discussing PHI with authorized individuals in public areas.

Use a logging system to track physical records

Finally, after you’ve taken the necessary precautions to store your paper medical records in a double-locked area and minimize incidental disclosure to the best of your abilities, you should think about establishing a logging system that will continually protect your PHI.

Human error is one of the most common causes of HIPAA violations, and it is also one of the easiest to prevent. By defining a firm process for accessing and handling paper medical records, and communicating that process clearly and regularly to your staff, you can avoid most mishandling of medical information.

This system could be as simple as a written sign-in/out sheet that your staff signs and dates when accessing files—whatever works in your office to hold employees accountable for patient records when in use.

Once you decide on a logging system that works for you, have your employees train on that system before authorizing them to handle patient charts.
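As an added example (not part of the original article), here is what the sign-out sheet looks like if you keep it as a small append-only custody log rather than a paper form. It refuses to check out a chart that is already out, records who returned each chart, and reports what is still out of the cabinet at the end of the day. The staff usernames, chart numbers, and the eight-hour hold limit are constructed for the illustration; charts are identified by chart number rather than patient name so the log itself discloses no PHI if it is left on a counter.

```python
"""Chart custody log: a minimal electronic version of the paper sign-out sheet.
Example code written for this article, not from any EHR vendor or regulation."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class CustodyEvent:
    """One line of the sign-out sheet. The chart number, not the patient name,
    identifies the record, so the sheet itself reveals no PHI."""
    chart_id: str
    staff: str
    action: str        # "out" or "in"
    at: datetime


class ChartCustodyLog:
    """Append-only log: past entries are never edited or removed, only added to."""

    def __init__(self) -> None:
        self.events: List[CustodyEvent] = []
        self._out: Dict[str, Tuple[str, datetime]] = {}   # chart_id -> (holder, since)

    def check_out(self, chart_id: str, staff: str, at: datetime) -> None:
        holder = self._out.get(chart_id)
        if holder is not None:
            # Two people cannot hold one paper chart; refuse and keep the record intact.
            raise ValueError(
                f"chart {chart_id} is already out to {holder[0]} since {holder[1]:%Y-%m-%d %H:%M}")
        self._out[chart_id] = (staff, at)
        self.events.append(CustodyEvent(chart_id, staff, "out", at))

    def check_in(self, chart_id: str, staff: str, at: datetime) -> str:
        """Return the chart. Gives back the original holder so a return by
        someone else can be flagged during review."""
        if chart_id not in self._out:
            raise ValueError(f"chart {chart_id} is not checked out")
        original_holder, _ = self._out.pop(chart_id)
        self.events.append(CustodyEvent(chart_id, staff, "in", at))
        return original_holder

    def outstanding(self, now: datetime, max_hold: timedelta = timedelta(hours=8)):
        """Charts still out of the cabinet as (chart_id, holder, hours_out, overdue)."""
        report = []
        for chart_id, (staff, since) in sorted(self._out.items()):
            held = now - since
            hours = round(held.total_seconds() / 3600, 1)
            report.append((chart_id, staff, hours, held > max_hold))
        return report

    def history(self, chart_id: str) -> List[CustodyEvent]:
        """Every custody event for one chart, oldest first."""
        return [e for e in self.events if e.chart_id == chart_id]


def demo():
    """Constructed sample day with hypothetical staff names and chart numbers."""
    log = ChartCustodyLog()
    t = datetime(2019, 12, 2, 8, 0)
    log.check_out("C-1042", "jsmith", t)
    log.check_out("C-2210", "rlee", t + timedelta(minutes=30))
    log.check_in("C-1042", "jsmith", t + timedelta(hours=2))
    log.check_out("C-1042", "mpatel", t + timedelta(hours=3))
    # A second attempt to take C-2210 is refused while rlee still has it.
    try:
        log.check_out("C-2210", "jsmith", t + timedelta(hours=4))
        refused = False
    except ValueError:
        refused = True
    end_of_day = t + timedelta(hours=10)
    return refused, log.outstanding(end_of_day), len(log.history("C-1042"))


if __name__ == "__main__":
    refused, still_out, n_events = demo()
    print("double check-out refused:", refused)
    for chart_id, staff, hours, overdue in still_out:
        print(f"{chart_id} out to {staff} for {hours}h{' (OVERDUE)' if overdue else ''}")
    print("events for C-1042:", n_events)
```

The end-of-day report is the part a paper sheet cannot give you for free: whoever locks the cabinet sees at a glance which charts are missing and who signed them out. Keeping the log append-only matters for the same reason the paper sheet is signed and dated; a correction is a new entry, never an erased one.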

Consider switching to an EHR

One last piece of advice: even if you're still convinced paper records are your best option, you should at least look into EHR systems.

Not only can EHRs improve patient care, they also come with built-in security measures, such as audit trails, access controls, and encryption, that make HIPAA compliance easier.

Implementing a new software system is not an easy process, I know, but when you compare the disadvantages of EHRs to the disadvantages of paper medical records, you’ll see that a switch really is in your practice’s best interests.