Why Dispose of PHI?
Covered entities are required to properly dispose of protected health information (PHI) when it becomes useless. This can be the case, for example, after paper copies are scanned and converted to digital files.
The Privacy Rule requires that a covered entity implement “appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information.”
What Are the Proper Guidelines for Disposing of PHI?
HIPAA requires all entities to undertake adequate measures to ensure PHI security when disposing of health records. Though “adequate measures” are required, HIPAA does not specifically state how entities should securely dispose of PHI. Guidelines simply state that measures must be appropriate for the specific conditions and should render documents completely unreadable.
Examples of Proper Disposal Methods:
For Paper Records: Shredding, burning, pulping or pulverizing records so that PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed.
For Electronic Media: Clearing (using software or hardware products to overwrite media with non-sensitive data), purging (degaussing or exposing the media to a strong magnetic field in order to disrupt the recorded magnetic domains), or destroying the media (disintegration, pulverization, melting, incinerating, or shredding).
Labeled Prescription Bottles: Maintaining labeled prescription bottles and other PHI in opaque bags in a secure area and using a disposal vendor as a business associate to pick up and shred or otherwise destroy the PHI.
What Types of Documents Must Be Properly Disposed of?
“Covered entities must review their own circumstances to determine what steps are reasonable to safeguard PHI through disposal and develop and implement policies and procedures to carry out those steps. In determining what is reasonable, covered entities should assess potential risks to patient privacy, as well as consider such issues as the form, type, and amount of PHI to be disposed,” HIPAA says. Any documents that include the following information should be securely disposed of.
- Social Security number
- driver’s license number
- debit or credit card number
- treatment information
- other sensitive information
May a covered entity dispose of protected health information in dumpsters accessible by the public?
“No, unless the protected health information (PHI) has been rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed prior to it being placed in a dumpster. In general, a covered entity may not dispose of PHI in paper records, labeled prescription bottles, hospital identification bracelets, PHI on electronic media, or other forms of PHI in dumpsters, recycling bins, garbage cans, or other trash receptacles generally accessible by the public or other unauthorized persons.”
Higher Information Group is HIPAA compliant.
We help many customers comply with the law and have policies in place to ensure that PHI is protected and secure at all times. If you’d like more information on working with a professional shredding company that has expertise in all of the necessary legal standards for your industry, reach out to us today.