HIPAA Compliant Medical Document (PHI) Shredding Guide
Understanding Guidelines for Shredding Medical Records
If you’re in the healthcare industry, you are probably well acquainted with HIPAA regulations. Industry and federal privacy regulations are on the rise, and protecting people's privacy is becoming the norm. You and your practice cannot afford to get lax about following them or to overlook opportunities for protected health information (PHI) to fall through the cracks. HIPAA compliance is required not only for healthcare providers but for any entity that transfers health data, according to the Department of Health and Human Services (HHS). If you are a health practitioner or manage a health organization and meet the criteria, it’s always a good idea to review the guidelines, especially those related to destroying or shredding medical records.
What Does HIPAA Require for Medical Record Disposal?
When HIPAA came into law in 1996, an important element was Section II, the Privacy Rule, also known as Standards for Privacy of Individually Identifiable Health Information. It requires entities handling PHI to “apply appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information (PHI), in any form.”
If you handle PHI, you have a duty to not only regulate how and with whom you share protected information, but you also need to avoid “incidental” disclosure of PHI, including during disposal. It is your responsibility to set forth policies and procedures that dictate how you dispose of electronic media containing PHI (ePHI). It is also your responsibility to train employees in these policies and procedures.
A properly destroyed medical record or piece of PHI is defined, according to HIPAA, as being rendered “unreadable, indecipherable, and otherwise unable to be reconstructed.” PHI cannot and should not be abandoned in dumpsters or public containers, including recycling bins. Although HIPAA doesn’t require a particular disposal method, shredding is listed as a proper method for disposing of PHI in the forms of both paper and electronic waste.
HIPAA Violations for Improper Records Disposal
In the case of HIPAA noncompliance, the entity has 30 days to make changes or face penalties. After 30 days, it can be charged civil money penalties in an amount determined by the Secretary of HHS. HIPAA fines range from as low as $100 for an unknowingly committed violation corrected within 30 days to $50,000 for willful neglect.
Criminal charges are also a possibility for individuals and covered entities who violate HIPAA regulations. Penalties range to a $100,000 fine, with up to 5 years in prison, and even more if there was intent to use or sell the private information, as in identity theft.
Most HIPAA violations occur as a result of neglect or lack of awareness, not criminal intent. To avoid a violation, make sure to understand what is required of your company and that you’re correctly disposing of medical information.
When Should Medical Documents Be Destroyed?
HIPAA requires that you keep medical records for ten years from the date of their creation or last use, whichever comes later. States have additional requirements for record retention. If the state requires that you keep a record longer than six years, their law supersedes HIPAA. Conversely, HIPAA supersedes any state document retention laws of less than six years. After the allotted time, if you no longer need the record, properly destroy the information itself along with any electronic storage that houses it.
What Types of Medical Records Should Be Shredded?
The HIPAA Privacy Rule concerns protected health information in all formats, including paper and electronic forms.
You must destroy any documents that contain individually identifiable health information, which includes:
- Birth Dates
- Geographic Identifiers
- Phone Numbers
- Fax Numbers
- Email Addresses
- Medical Record Numbers
- Biometric Identifiers
- Photos of Faces
- Social Security Numbers
- Health Plan Beneficiary Numbers
- Account Numbers
- Certificate/License Numbers
- Vehicle Identifiers and License Plate Numbers
- Device Identifiers and Serial Numbers
- Web URLs
- IP Addresses
- Unique Identifying Numbers, Characteristics, or Codes
Also, shred any records relating to an individual’s past, present, or future health or condition, including:
- The provision of healthcare to the individual
- The past, present, or future payment for the provision of health care to the individual
- Information for which there is a reasonable basis to believe it can be used to identify the individual
How Should You Handle the Accidental Loss or Destruction of Medical Records?
Lost patient records, or lost medical records, can affect your patients' right to privacy and can put your practice at risk of a HIPAA violation. It's important to check your company's data destruction and retention policies in light of such episodes. Additionally, a data breach, unlike an ordinary violation, requires covered entities to submit a notice to agencies such as the United States Department of Health and Human Services (HHS).
For more information on how to handle this situation, check out this guide by Gazelle Consulting.
How Do HIPAA Compliant Shredding Services Work?
Secure document shredding makes sense in all industries and for personal use, but some shredding services specifically address HIPAA compliance.
There are three stages to medical record shredding: collection, shredding, and handling of the shredded material afterward.
Records can be disposed of at your employees’ convenience using on-site locked bins or consoles for medical documents.
Shredding can take place at your location or off-site. With on-site shredding, a mobile shred truck visits your location and shreds the documents there. They can visit for a one-time, single cleanout of sensitive documents or you can schedule regular pickups. With off-site shredding, a business can drop off documents at a central location.
The method of shredding matters for PHI. Cross-cut shredding is used to meet the HIPAA requirement of making the information irrecoverable.
It’s important to know what happens to your medical documents after shredding, both for environmental and compliance reasons. Typically, the shredded waste is recycled. A reputable medical record shredding company should provide you with a Certificate of Destruction (COD) to document the disposal for your compliance records.
Who Needs Medical Document Shredding?
Any “covered entity” that deals with medical information must comply with the HIPAA Privacy Rule. This includes:
- Nursing homes
- Health insurance companies
- Company health plans
- Government programs that pay for health care, such as Medicare, Medicaid, and the military and veterans health care programs
Covered entities also include those that process nonstandard health information they receive from another entity into a standard format (e.g., a standard electronic format or data content), or vice versa.
Need HIPAA Compliant Shredding Services? Get A Free Quote Today
HIPAA standards are high. If you’re an entity subject to the Privacy Rule, you need a shredding service provider who understands all the ins and outs of medical record shredding. PROSHRED® Security has extensive experience with the destruction of personal health information in paper and electronic forms, including hard drive and product destruction. We are the only ISO 9001 certified secure on-site shredding company in North America. Your HIPAA compliance and your patients’ privacy are our top priorities. Contact us today to arrange medical document shredding services for your business.
HIPAA compliant shredding requires you to shred documents and hard drives so that they are not only unreadable but also can't be recreated. That means using a professional service like ours, since home and office shredders don't achieve those goals.
Yes, to protect the privacy of your patients, documents containing PHI should be shredded, using a professional shredding service.