best hipaa-compliant data destruction methods

HIPAA-Compliant Data Destruction Methods: What You Need to Know

What are the proper ways of disposing of medical records containing protected health information or PHI? The Office of Civil Rights (OCR) under the Department of Health and Human Resources (HHS) provides several guidelines to help healthcare providers comply with the strict standards of the Health Insurance Portability and Accountability Act (HIPAA). 

This article will cover some of the most vital aspects of HIPAA-compliant data destruction solutions.

HIPAA-Compliant Data Destruction Methods: What You Need to Know

HIPAA Privacy Rule Requirements on Data Destruction

HIPAA, as a federal law, exists to protect the privacy and security of patient health information, ensuring that covered entities follow stringent guidelines for data confidentiality and accessibility. The HIPAA Privacy Rule on data destruction is simple: apply administrative, physical, and technical safeguards outlined by the HHS to protect PHI privacy. 

Data destruction practices should cover both physical and electronic health information. The goal is to avoid the misuse and unauthorized disclosures of PHI at all times, covering the stages of data disposal. 

Healthcare providers should use HIPAA-compliant data disposal platforms and destruction methods so that all records, hardware, documents, and materials containing PHI cannot be read, reviewed, transmitted, or reconstructed in any way.

Top HIPAA-Compliant Data Destruction Methods

The HHS recommends HIPAA-compliant data destruction ways as mentioned in their FAQs About the Disposal of Protected Health Information

Disposing of paper records

You shred, burn, pulp, or pulverize paper records containing PHI. All of these are accepted methods, but they mean different things.

  • Shredding uses professional mechanical shredders (different from regular office shredders) to cut documents into confetti-like pieces. You can check out the best HIPAA-compliant shredder providers for this service.
  • Burning requires combusting paper documents, reducing them to ashes. Though a less common method than shredding, burning is equally effective in destroying data.
  • Pulping involves turning documents into pulp through mechanical or chemical processes. HIPAA-compliant data destruction platforms use this method in combination with recycling.
  • Pulverizing reduces documents to dust or powder through machines, making them unreadable.

HIPAA-Compliant Data Destruction Methods: What You Need to Know

Disposing of labeled prescriptions

Some healthcare staff must be made aware of how to properly dispose of labeled prescription bottles and other labeled materials containing PHI. Throwing them in trash bins can result in a HIPAA breach. Instead, put them in opaque bags in a secure location and use a HIPAA-compliant data destruction service to pick them up for proper disposal and destruction.

Disposing ePHI

Electronic media can be destroyed using the following methods:

  • Clearing means overwriting media with other non-sensitive data using software or hardware so the PHI cannot be retrieved.
  • Purging erases ePHI using degaussing (erasure), which removes all remnant magnetic traces of stored ePHI from media.
  • Disintegration breaks down hardware or media into small fragments. You can incinerate, melt, or shred it.
HIPAA-Compliant Data Destruction Methods: What You Need to Know

Legal Consequences of Improper Data Destruction in Healthcare

Despite the guidelines released by the HHS, some healthcare providers still fail to implement proper data destruction for HIPAA compliance. This negligence has resulted in HIPAA violations, corrective action, or legal consequences for healthcare organizations and their staff. 

In July 2022, the HHS released a Corrective Action Plan for the New England Dermatology and Laser Center (NEDLC), a covered entity under HIPAA. The healthcare provider filed a breach notification report in 2021 for improperly disposing of empty specimen containers in a dumpster on NEDLC’s parking lot. A third-party security guard found one of the specimen containers containing a patient’s name, birthday, collection date, and the healthcare provider’s name. 

The HHS investigation found that NEDLC did not follow adequate safeguards for data destruction and HIPAA compliance. In fact, the medical practice company stated that it regularly discarded specimen containers with labels in the dumpster without removing or altering PHI. Because of their carelessness in handling PHI, NEDLC agreed to pay a $300,640.00 resolution amount and implement the corrective action plan.

In a similar case, Parkview Health paid a $800,000 penalty to the HHS for improperly disposing of paper records. Parkview Health was assisting one of their doctors to transfer medical records to other providers. Around 5,000 to 8,000 medical records containing PHI were transferred to the doctor’s home. However, the doctor was not at home during delivery, leaving 71 cardboard boxes unattended and accessible to the public on the doctor’s driveway. 

Ensure Patient Safety With HIPAA-Compliant PHI Disposal

Healthcare facilities and their staff should prioritize using HIPAA-compliant data destruction methods to avoid potential breaches that could result in the unauthorized or accidental disclosure of PHI.

As discussed, negligence in handling PHI and ePHI extends to the methods used to discard and destroy physical records, hardware, and software containing protected health information.

Unfortunately, some staff are not adequately trained on the intricacies of HIPAA rules, which puts your organization at risk of facing significant violations. The good news is there are proven ways to address this, like having a HIPAA privacy officer on board to oversee the implementation and enforcement of your compliance protocols and security policies.

Kent Cañas

Kent is a content strategist currently specializing in HIPAA-compliant online fax. Her expertise in this field allows her to provide valuable insights to clients seeking a secure and efficient online fax solution.

More great articles
hipaa-compliant payment processing solutions
5 Best HIPAA-Compliant Payment Processing Solutions

Check out this list featuring the best HIPAA-compliant payment processing solutions.

Read Story
salesforce hipaa
Is Salesforce HIPAA-Compliant?

Is Salesforce HIPAA-compliant? Find out whether this popular CRM platform meets the compliance standards required for handling sensitive healthcare data.

Read Story
is signal hipaa-compliant
Is Signal HIPAA-Compliant?

Is Signal HIPAA-compliant? Find out whether you can use the private messaging app to send texts and other files with…

Read Story
Subscribe to iFax Newsletter
Get great content to your inbox every week. No spam.

    Only great content, we don’t share your email with third parties.