For healthcare offices in Tennessee, document destruction is not optional — it is a federal requirement.
The Health Insurance Portability and Accountability Act (HIPAA) sets specific standards for how protected health information must be handled at the end of its useful life. Getting it wrong is not just an administrative issue. It can result in regulatory penalties, breach notification obligations, and lasting damage to your practice’s reputation.
With recent updates to the HIPAA Security Rule drawing renewed attention to data protection obligations, now is the right time for Tennessee healthcare offices to review their document and media destruction processes.


What HIPAA Requires for Document Destruction
HIPAA’s Privacy Rule requires that covered entities — including medical offices, dental practices, hospitals, and their business associates — implement reasonable safeguards to protect protected health information (PHI) when disposing of it.
The key standard is that PHI must be rendered unreadable, indecipherable, and otherwise impossible to reconstruct. For paper documents, this means cross-cut or micro-cut shredding that cannot be reassembled. For electronic media, this means physical destruction or degaussing that permanently eliminates the data.
Simply throwing documents in a recycling bin, placing them in an unlocked dumpster, or deleting files from a hard drive without physical destruction does not meet this standard.

What Counts as Protected Health Information?
PHI includes any information that can be used to identify a patient and relates to their health condition, treatment, or payment. In a healthcare office, this covers a wide range of documents:
Electronic PHI — stored on hard drives, USB drives, imaging equipment, and old computers — carries the same destruction obligations as paper records.

HIPAA Retention Requirements for Tennessee Healthcare Offices
HIPAA itself does not set a specific retention period for most medical records — it defers to state law. In Tennessee, adult patient medical records must generally be retained for ten years from the date of last treatment. Pediatric records must be kept until the patient turns 19 or for ten years from the last treatment, whichever is longer.
Once those retention periods have passed, keeping records longer than necessary actually increases your risk. Every record you retain beyond its required period is a record that could be compromised in a breach. A systematic destruction schedule reduces your exposure.

The Business Associate Agreement and Your Shredding Provider
One detail that many healthcare offices overlook: your document destruction vendor is a business associate under HIPAA. That means you are required to have a signed Business Associate Agreement (BAA) in place before they handle any PHI on your behalf.
A reputable, NAID AAA-certified shredding provider will be familiar with this requirement and prepared to execute a BAA as part of the service agreement. If your current provider has never mentioned a BAA, that is a compliance gap worth addressing.
Richards & Richards works with healthcare offices throughout Middle Tennessee and is equipped to support your HIPAA compliance documentation requirements, including the certificate of destruction that should accompany every shredding service.

Physical Destruction vs. Digital Deletion: Why It Matters for Medical Equipment
Modern healthcare offices replace computers, imaging equipment, and electronic health record systems on a regular cycle. When that equipment leaves your facility, the PHI stored on it does not automatically disappear.
Software-based data wiping does not meet the HIPAA standard for electronic media destruction in most circumstances — particularly for hard drives that may have bad sectors where data was never overwritten. Physical destruction — shredding or crushing the drive — is the only method that definitively eliminates the data.
Richards & Richards provides on-site hard drive and media destruction for healthcare offices, with a certificate of destruction documenting each device destroyed. This gives you an auditable record if your disposal practices are ever reviewed.

Building a Destruction Schedule Into Your Practice Operations
The most effective way to stay compliant is to treat document destruction as a routine operational process rather than a periodic cleanup project. Practical steps include:
Recurring scheduled service eliminates the accumulation problem. Documents are destroyed consistently, the certificate trail stays current, and your staff does not have to manage the process manually.

Richards & Richards Supports Tennessee Healthcare Offices
Richards & Richards is a NAID AAA Certified secure destruction provider serving medical practices, dental offices, and healthcare organizations throughout Nashville and Middle Tennessee. We provide on-site mobile shredding, hard drive destruction, and a certificate of destruction for every service.






