HomeKnowledge base › Home care and client records
Healthcare

Home care: destroying client records

A home care organisation's client records and care plans ready for confidential destruction

A home care organisation works with the most sensitive data there is: care records, care plans, medication overviews and notes about each client's health. Part of that literally travels to the client's home and sometimes sits on the table there for weeks. The care record has a long statutory retention period, but what may go should disappear confidentially. This guide shows, by part, what you keep, when it may go and how to keep the chain closed from the living room to the shredder.

The quick answer: you keep the care record for twenty years under the WGBO, counted from the last change. The financial administration falls under the tax seven years. Single working copies, schedules and drafts you keep no longer than necessary for the care. What may go disappears confidentially and with a certificate.

Two frameworks: WGBO and GDPR

In home care two things run together. The WGBO requires you to keep the care record for a long time, so the care stays traceable and a client or a subsequent carer can consult it later. The period is twenty years, counted from the last change to the record. Alongside this the GDPR applies, which requires not keeping personal data longer than necessary. The WGBO sets the floor for the record, the GDPR the ceiling for everything around it.

So treat the client data per type. The formal care record has a different status than a single working copy in the car or an expired schedule. How the twenty-year period works out in practice you can read in the practice of the WGBO 20-year retention period. If you make that distinction, you keep exactly what you must and clear out the rest on time.

Retention periods by part

The period differs per type of data. The overview below gives the main line. Count the WGBO period from the last change to the record and the tax period from the end of the financial year.

PartStarting pointPeriod
Care record and care planWGBO retention duty20 years
Medication overviewPart of the recordfollows the record
Financial administrationTax retention obligation7 years
Single working copies at the clientOnly during the careclear out at once
Schedules and route listsPurpose-boundas briefly as possible
Data carriers and tabletsEnd of lifewipe or destroy

Use this as a guideline, not a substitute for a concrete assessment per situation. When in doubt, consult your data protection officer or a privacy adviser. A broader overview is in the GDPR retention periods cheatsheet.

Files that travel to the client's home

What makes home care special is that the data leaves the building. A paper care folder sits on the client's table, a member of staff has a printout in the car and notes travel from home to home. Every handover is a moment when a file can go missing. So make sure of a closed chain, from the living room to the shredder. Take the paper fully back at the end of the care and leave nothing behind at the client that contains personal data.

Do not gather the returned paper with the ordinary waste paper, but in a sealed container at the office. That way it stays protected until destruction. Why every link matters you can read in chain of custody: from archive to shredder. The fewer hands a file passes through, the smaller the chance of a leak.

Medication overviews and care plans

Medication overviews and care plans belong to the care record and follow the same retention period. Even so, many single versions arise in practice: an outdated medication overview, an old care plan after a reassessment or a printout left behind after a team meeting. Those single copies have no retention ground of their own once they are processed into the current record. Clear them out confidentially instead of stockpiling them.

That way you avoid a shadow archive of outdated versions arising alongside the real record. That shadow archive is exactly what causes problems during an audit or data breach, because no one knows any more which version is the leading one.

Staff data carriers and tablets

Home care no longer works on paper alone. Staff report on a tablet or phone, use a USB stick or have a laptop with client data. Each of those devices is a data carrier. At the end of its life, on replacement or when a member of staff leaves, such a device is destroyed confidentially or wiped demonstrably. Handing it in through an ordinary trade-in or leaving it in a cupboard is no safe solution.

Think too of staff who report or view records from home. Paper and devices in the home setting call for the same care as at the office. Practical arrangements for this are in working from home with confidential documents.

How to handle it in 6 steps

  1. Split the data into care record, financial administration and single working copies.
  2. Keep the care record for the WGBO period of twenty years.
  3. Take paper at the client fully back at the end of the care.
  4. Clear out single copies once they are processed into the current record.
  5. Collect what may go in sealed containers, not with the waste paper.
  6. Have it destroyed confidentially with a certificate and record it in your register.

Destroy confidentially with a certificate

Client records are destroyed confidentially, because they contain health data and that is special-category personal data. The paper and any data carriers travel sealed and stay that way until destruction, so the chain is closed. An old office laptop, tablet or backup with client data belongs with it too. The approach is the same as for other care records, such as with destroying a physiotherapy client record.

Afterwards you receive a certificate of destruction with the date, quantity and level. That certificate is your proof towards the GDPR that you acted carefully. Record the destruction in your record of processing. We collect within 20 km of Amsterdam with no call-out charge, work nationwide through pooled collection rounds and charge a fixed price per box or roll container. Drop-off on site is not possible; it works by appointment through collection.

Client records to be destroyed?

Tell us what you have and you get a fixed price. We collect it sealed, destroy it at the right DIN level and you receive a certificate for your GDPR file. No call-out charge within 20 km of Amsterdam.

Request a quote

Common mistakes

  • Leaving paper behind at the client. Take everything back at the end of the care.
  • Stockpiling outdated versions. Single copies you clear out after processing into the record.
  • Forgetting tablets and phones. A data carrier with client data belongs with it.
  • Throwing away unshredded. A client record on the street is a reportable data breach.
  • Keeping no proof. Without a certificate you cannot demonstrate the destruction.

Frequently asked questions

How long must home care keep client records?

The care record falls under the WGBO retention period of twenty years, counted from the last change to the record. The financial administration falls under the tax seven years. Single working copies and drafts you keep no longer than necessary for the care.

What do I do with paper files kept at the client's home?

Take them back at the end of the care in a closed chain. The paper travels sealed and stays that way until destruction, so a file never ends up loose with the waste paper or is left behind with the client.

Do staff tablets and phones fall under this too?

Yes. A tablet, phone or USB stick with client data is a data carrier and at the end of its life is destroyed confidentially or wiped demonstrably, not simply handed in or thrown away.

How do I destroy client records in line with the GDPR?

Confidentially and with a certificate of destruction. Paper and data carriers travel sealed and the destruction is recorded in the record of processing.

Conclusion

Home care works with health data of every client, between the WGBO and the GDPR. Keep the care record for twenty years, keep the administration seven years and clear out single working copies once they are processed. Take paper at the client fully back and keep the chain closed from the living room to the shredder. Do not forget the tablets and phones of staff. What may go you have destroyed confidentially with a certificate as proof. That way you meet both frameworks and protect your clients' data.

Read also: occupational health services: destroying medical files, mental health institutions: destroying client records, allied health: treatment records and the WGBO and the GDPR retention periods cheatsheet.


Have client records collected? Request a quote via desnipperaar.nl. Within a few minutes you have a fixed price, including a certificate as proof.