What are the proper ways of disposing of medical records containing protected health information or PHI? The Office of Civil Rights (OCR) under the Department of Health and Human Resources (HHS) provides several guidelines to help healthcare providers comply with the strict standards of the Health Insurance Portability and Accountability Act (HIPAA).
This article will cover some of the most vital aspects of HIPAA-compliant data destruction solutions.
Table of Contents
HIPAA Privacy Rule Requirements on Data Destruction
HIPAA, as a federal law, exists to protect the privacy and security of patient health information, ensuring that covered entities follow stringent guidelines for data confidentiality and accessibility. The HIPAA Privacy Rule on data destruction is simple: apply administrative, physical, and technical safeguards outlined by the HHS to protect PHI privacy.
Data destruction practices should cover both physical and electronic health information. The goal is to avoid the misuse and unauthorized disclosures of PHI at all times, covering the stages of data disposal.
Healthcare providers should use HIPAA-compliant data disposal platforms and destruction methods so that all records, hardware, documents, and materials containing PHI cannot be read, reviewed, transmitted, or reconstructed in any way.
Top HIPAA-Compliant Data Destruction Methods
The HHS recommends HIPAA-compliant data destruction ways as mentioned in their FAQs About the Disposal of Protected Health Information:
Disposing of paper records
You shred, burn, pulp, or pulverize paper records containing PHI. All of these are accepted methods, but they mean different things.
- Shredding uses professional mechanical shredders (different from regular office shredders) to cut documents into confetti-like pieces. You can check out the best HIPAA-compliant shredder providers for this service.
- Burning requires combusting paper documents, reducing them to ashes. Though a less common method than shredding, burning is equally effective in destroying data.
- Pulping involves turning documents into pulp through mechanical or chemical processes. HIPAA-compliant data destruction platforms use this method in combination with recycling.
- Pulverizing reduces documents to dust or powder through machines, making them unreadable.
Disposing of labeled prescriptions
Some healthcare staff must be made aware of how to properly dispose of labeled prescription bottles and other labeled materials containing PHI. Throwing them in trash bins can result in a HIPAA breach. Instead, put them in opaque bags in a secure location and use a HIPAA-compliant data destruction service to pick them up for proper disposal and destruction.
Disposing ePHI
Electronic media can be destroyed using the following methods:
- Clearing means overwriting media with other non-sensitive data using software or hardware so the PHI cannot be retrieved.
- Purging erases ePHI using degaussing (erasure), which removes all remnant magnetic traces of stored ePHI from media.
- Disintegration breaks down hardware or media into small fragments. You can incinerate, melt, or shred it.
Legal Consequences of Improper Data Destruction in Healthcare
Despite the guidelines released by the HHS, some healthcare providers still fail to implement proper data destruction for HIPAA compliance. This negligence has resulted in HIPAA violations, corrective action, or legal consequences for healthcare organizations and their staff.
In July 2022, the HHS released a Corrective Action Plan for the New England Dermatology and Laser Center (NEDLC), a covered entity under HIPAA. The healthcare provider filed a breach notification report in 2021 for improperly disposing of empty specimen containers in a dumpster on NEDLC’s parking lot. A third-party security guard found one of the specimen containers containing a patient’s name, birthday, collection date, and the healthcare provider’s name.
The HHS investigation found that NEDLC did not follow adequate safeguards for data destruction and HIPAA compliance. In fact, the medical practice company stated that it regularly discarded specimen containers with labels in the dumpster without removing or altering PHI. Because of their carelessness in handling PHI, NEDLC agreed to pay a $300,640.00 resolution amount and implement the corrective action plan.
In a similar case, Parkview Health paid a $800,000 penalty to the HHS for improperly disposing of paper records. Parkview Health was assisting one of their doctors to transfer medical records to other providers. Around 5,000 to 8,000 medical records containing PHI were transferred to the doctor’s home. However, the doctor was not at home during delivery, leaving 71 cardboard boxes unattended and accessible to the public on the doctor’s driveway.
Ensure Patient Safety With HIPAA-Compliant PHI Disposal
Healthcare facilities and their staff should prioritize using HIPAA-compliant data destruction methods to avoid potential breaches that could result in the unauthorized or accidental disclosure of PHI.
As discussed, negligence in handling PHI and ePHI extends to the methods used to discard and destroy physical records, hardware, and software containing protected health information.
Unfortunately, some staff are not adequately trained on the intricacies of HIPAA rules, which puts your organization at risk of facing significant violations. The good news is there are proven ways to address this, like having a HIPAA privacy officer on board to oversee the implementation and enforcement of your compliance protocols and security policies.
