It might be tempting to toss documents containing medical information directly into a trashcan, as if they were a paper cup or a tongue depressor. But doing so with Personal Health Information (PHI) would be a violation of the Health Insurance Portability and Accountability Act (HIPAA). The HIPAA Privacy Rule requires that organizations implement appropriate administrative, technical, and physical safeguards to protect the privacy of PHI, including how they dispose of it.
While HIPAA does not include specific instructions for how an entity should dispose of PHI, it does require that the information be protected from access by unauthorized persons. Covered entities should review their own circumstances to determine how to dispose of PHI. They should consider the methods that other prudent health care and health information professionals are using for disposal, as well as the type of information being disposed of. For example, certain types of PHI, such as name, social security number, financial records, or diagnosis, may warrant special attention at disposal because of the risk of identity theft.
Acceptable methods of disposal for paper records include shredding, burning, pulping, or pulverizing the records so that the PHI is unreadable and cannot be reconstructed. Labeled prescription bottles and other items bearing PHI may be placed in opaque bags in a secure area and later destroyed by an authorized business associate. Electronic PHI may be deleted using software or by destroying the media (computer, smart phone, etc.) itself. DBAN is one example of software that overwrites the entire contents of a hard disk so that they cannot be recovered; note that overwriting tools of this kind are designed for magnetic hard disks, and flash-based media such as SSDs and phones generally call for the device's own secure-erase function or physical destruction.
Health care and health information professionals might also give their patients the option to take their PHI instead of having it destroyed. In fact, some states require that covered entities make the records available to patients and customers for a limited time after the dissolution of a business.
Regardless of how a covered entity decides to handle the disposal of PHI, it is required by HIPAA to implement policies and procedures for disposal. Employees must receive training on the disposal policies and procedures and must follow them. This includes off-site workforce members as well as volunteers. If an employee fails to comply with the disposal policies and procedures, the covered entity is responsible and is required to apply appropriate sanctions.
Having access to PHI is a large responsibility for the covered entity. The information must be safeguarded from the moment it is obtained to the moment it is completely destroyed. To avoid violations of the HIPAA Privacy Rule, organizations must fully understand their obligations and implement policies and procedures to fulfill them.