Though much of the medical world is attempting to move to digital documentation, the vast majority of medical records are still in paper form. Those documents contain a great deal of sensitive information about millions of people, so maintaining their security is of the utmost importance.
If your company chooses to go with an offsite records storage company, there are many that cater to the medical profession. This means that you can store patients' records, x-rays, lab results, etc. without being concerned that this information will be compromised.
Most companies store documents, including medical documents, in climate-controlled storage units that are under tight security; only employees of the facility may access the units, making the company itself liable in the event your records are somehow illegally accessed.
HIPAA laws state that Protected Health Information (PHI) must be kept for six years, or two years after a patient's death. This means that if a person comes in as your patient just once, you still must keep the record of that visit for six years before you are able to destroy it. Those files will build up quickly, which is why an offsite document storage facility is a good idea.
Some companies even offer you the ability to sign up for automatic notifications when your records may be legally destroyed. And if that same company also offers secure document destruction, the whole thing is done for you, from storage to destruction, all without you having to break a sweat.
It's probably best to use the services of a company that does this sort of destruction on a regular basis since HIPAA also provides rules on the means by which a medical facility can destroy records. HIPAA requires that facilities have a policy in place for how to destroy records, though does not specify a required disposal method. HIPAA does indicate that facilities may not just toss out private medical records, or place them in dumpsters or other trash receptacles that may be accessible by the public.
The Department of Health and Human Services answers questions about the destruction of sensitive medical records on its own website, and medical facilities are advised to read this and do other research to make sure they are compliant with the current law.