An Office Conversation about HIPAA Misconceptions
(Philip stands at the office shredder holding a shredded piece of paper up to the light. Harvey walks by.)
Harvey: You realize there is no eclipse with the office lighting, right?
Philip: Ha ha. You’re hilarious. I’m trying to determine if this shredded paper is small enough to meet HIPAA standards. Diane was worried that the shredder wasn’t shredding it into small enough pieces. You wouldn’t happen to know the particle size required to be compliant, would you?
Harvey: Yeh. There is none.
Philip: What? There must be, otherwise, how would we know if…
Harvey: It’s true! HIPAA does not require a specific shred size. What it does say is that PHI; personal health information, must be unreadable and impossible to reconstruct before it is disposed of. In fact, HIPAA doesn’t even say it has to be shredded. You could chew it up if you wanted to, but that would be weird, and it would still probably be readable or able to be reconstructed.
Philip: Well, I doubt anyone would want to read it after I chewed it up.
Harvey: You would be surprised to what lengths a dumpster diver would go to steal your information. Nothing—and I mean nothing—deters a data thief!
Philip: So, we just follow that one simple HIPAA law and we’re good to go?
Harvey: Unless the state laws require something stricter.
Philip: Seriously? So, we need to know both federal and state laws and follow whichever has the tighter requirements?
Harvey: You got it.
Philip: So, all this time, we have likely been guilty of breaching personal health information?
Harvey: Not necessarily. Not all improper uses of PHI are breaches. Each instance needs to be evaluated to determine if information was actually viewed, or could have been viewed, by someone who isn’t authorized to see it. The government is more interested in encouraging medical entities to implement HIPAA without penalizing providers’ compliance breaches. Instead, complaints of improper data information disclosures are filed with HHS, the Department of Health and Human Services. These get resolved through proper resolution and voluntary compliance. It’s when someone intentionally and knowingly violates HIPAA that fines are considered.
Philip: So, I’m still not sure if this shredder is doing the job or not.
Harvey: It’s a great reason to consider outsourcing our PHI to a reputable shredding company. That way, we don’t have to worry about whether or not it is properly destroyed and which laws to focus on.
Philip: But does HIPAA allow an outside company to handle our PHI?
Harvey: Yes, if we enter into an agreement to appropriately safeguard the PHI through proper and compliant disposal. It’s always wise to use a company that provides a Certificate of Destruction that documents the procedure and proves the destruction of information has been properly done.
Philip: That sounds like a great idea. I will go through all of our records, remove what we’ve had for six years, and have them destroyed by a professional shredding company.
Harvey: Actually, even though HIPAA requires maintaining documents for six years from the time they were created, before we dispose of anything, we must check the retention periods for medical records that are covered by state laws first.
Philip: Right! Well, I say let’s ditch the shredder, and set up a scheduled shredding service and that will help clear up a lot of these misconceptions. I guess we need to choose one that recycles their shredded paper?
Harvey: Although HIPAA doesn’t mandate shredding, we both know it’s the most secure and environmentally responsible thing to do, so, yes, that’s a great idea. Let’s choose a company that will send the shredded material to a recycler, which keeps it out of the landfill and puts recycled products on shelves.
Philip: Now we have the task of finding a reputable company…
Richards & Richards in Nashville provides secure, NAID AAA Certified shredding to destroy your PHI in compliance with HIPAA. We will help you with a one-time document purge to get your records up to date and then set up a service to shred documents on a regular basis to keep you HIPAA and state law compliant. Call us at 615-242-9600 or complete the form on this page. We’ll clear up any myths you might have about HIPAA rules.