Getty Images
How to Properly Dispose of Paper Medical Records, Physical PHI Under HIPAA
HIPAA requires covered entities to implement appropriate administrative, technical, and physical safeguards to protect PHI at all times, even when disposing of it.
Improper disposal of protected health information (PHI) can result in HIPAA violations, Office for Civil Rights (OCR) investigations, and hefty fines.
For example, in August 2022, OCR settled a case with a Massachusetts-based dermatology practice after discovering that empty specimen containers with labels that included PHI were thrown away in an unsecured garbage bin in the practice’s parking lot.
The labels included patient names, birth dates, dates of sample collection, and the name of the provider who took the specimen. What’s more, a third-party security guard later found one specimen container with a label containing PHI in the parking lot.
“Improper disposal of protected health information creates an unnecessary risk to patient privacy,” OCR Director Melanie Fontes Rainer said at the time.
“HIPAA regulated entities should take every step to ensure that safeguards are in place when disposing of patient information to keep it from being accessible by the public.”
The practice paid $300,640 to OCR and agreed to implement a corrective action plan.
Fortunately, HHS maintains a great deal of guidance on the proper and improper ways to dispose of physical records and electronic PHI as required under the HIPAA Privacy and Security Rules.
Below, HealthITSecurity will dive into several key considerations for properly disposing of physical PHI, such as paper records. A future article will discuss the process of disposing of electronic PHI.
HIPAA Requirements
The HIPAA Privacy Rule “requires that covered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information (PHI), in any form,” HHS states in its FAQ about PHI disposal.
“This means that covered entities must implement reasonable safeguards to limit incidental, and avoid prohibited, uses and disclosures of PHI, including in connection with the disposal of such information.”
The HIPAA Security Rule requires covered entities to implement policies and procedures for the removal of electronic PHI from electronic media before that media can be re-used, in addition to policies for how electronic PHI is stored and deleted.
HIPAA also requires covered entities to train workforce members on the entity’s PHI disposal policies.
HIPAA is fairly flexible when it comes to organizations choosing what safeguards to implement to ensure that information is disposed of properly. Covered entities must assess their individual circumstances and make determinations about how to reasonably dispose of PHI.
“In determining what is reasonable, covered entities should assess potential risks to patient privacy, as well as consider such issues as the form, type, and amount of PHI to be disposed,” HHS continues.
“For instance, the disposal of certain types of PHI such as name, social security number, driver’s license number, debit or credit card number, diagnosis, treatment information, or other sensitive information may warrant more care due to the risk that inappropriate access to this information may result in identity theft, employment or other discrimination, or harm to an individual’s reputation.”
When it comes to paper records, HHS suggests “shredding, burning, pulping, or pulverizing the records” in order to ensure that the PHI is unreadable and cannot be reconstructed.
For prescription bottles with PHI, covered entities may consider placing the bottles in opaque bags and using a vendor to pick up and dispose of the PHI.
A Note On Dumpsters
As exemplified by OCR’s settlement, covered entities should not dispose of PHI in an unsecured dumpster unless it has been destroyed to the point that it is unreadable. If the improperly disposed of PHI ends up being exposed, it would be considered a data breach.
“In general, a covered entity may not dispose of PHI in paper records, labeled prescription bottles, hospital identification bracelets, PHI on electronic media, or other forms of PHI in dumpsters, recycling bins, garbage cans, or other trash receptacles generally accessible by the public or other unauthorized persons,” HHS maintains.
Luckily, covered entities have many other options for disposing of PHI. For example, the organization may put PHI in locked dumpsters that are only accessible to authorized personnel.
The Role of Business Associates
Additionally, covered entities can leverage business associates to shred and properly dispose of PHI.
“For example, a covered entity may hire an outside vendor to pick up PHI in paper records or on electronic media from its premises, shred, burn, pulp, or pulverize the PHI, or purge or destroy the electronic media, and deposit the deconstructed material in a landfill or other appropriate area,” HHS states.
However, covered entities must create and sign a business associate agreement (BAA) with the vendor in order to maintain HIPAA compliance.
Having a BAA in place ensures that business associates with access to PHI know how to properly safeguard the PHI it receives or handles on behalf of the covered entity. BAAs also ensure that business associates are subject to similar repercussions as HIPAA-covered entities should PHI become compromised.
HIPAA-covered entities are responsible for safeguarding PHI throughout its lifecycle, from the moment a record is created to the moment it gets shredded and disposed of. Refreshing the workforce on proper ways to dispose of PHI and regularly reviewing policies and procedures can help covered entities mitigate risk.