The Health Insurance Portability and Accountability Act (HIPAA) became law in 1996. Part of that rule was Section II, the Standards for Privacy of Individually Identifiable Health Information that requires all entities dealing with Protected Health Information (PHI) to “apply appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information in any form.”
This means that your health organization has a legal obligation to control how—and with whom—you share protected information, as well as a responsibility to avoid inappropriate disclosure of PHI. That responsibility includes securely disposing of PHI and training your staff on policies and procedures.
How?
Medical records with PHI must be destroyed so they are “unreadable, indecipherable, and otherwise unable to be reconstructed.” PHI should never be thrown in the garbage or recycling without meeting this destruction requirement.
Although HIPAA doesn’t specify the information disposal method, shredding is considered a very effective method of document destruction. The important thing to note is that not all shredders will be able to render documents unreadable, indecipherable, and otherwise unable to be reconstructed. It is advisable to consider utilizing the expertise of a local, NAID AAA Certified shredding company to properly destroy and dispose of your protected information.
When?
HIPAA Privacy Rules do not include medical record retention requirements. State and federal privacy laws state how long you must store your paper documents and when to dispose of them. Until then, HIPAA dictates that covered entities must apply appropriate administrative, technical, and physical safeguards to protect the privacy of medical records and all other protected health information from creation to destruction, also known as, “cradle to grave.”
What?
HIPAA Privacy Rules require your organization to destroy any documents that contain PHI. This information includes:
- Name
- Birthdate
- Geographical Identifier
- Phone Number
- Fax Number
- Email Address
- Medical Records Number
- Biometric Identifier
- Photos of Face
- Social Security Number
- Health Plan Beneficiary Number
- Account Number
- Certificate or License Number
- Vehicle Identifier and License Plate Number
- Device Identifier
- Web URL
- IP Address
- Individual’s past, present, or future health information
Where?
No matter where or how you choose to destroy your documents, it is imperative that the information remains private and secure so your organization remains HIPAA compliant. Weak links in the chain of custody of your documents can include:
- The time following removal from file folders or file cabinets, often during a records purge. Do they sit in a pile, in boxes, or in an unlocked disposal bin?
- During handling by a shredding company
- After shredding if appropriate security measures are not taken
PHI requires protection no matter where they are in their lifecycle. The challenge of DIY shredding is that all staff must follow procedures when discarding documents. It only takes one employee to cause a data breach.
As mentioned, it is vital that the shredding equipment is adequate to render the documents unreadable and unable to be reconstructed. And finally, will your shredded documents become recycled or landfill? A reputable shredding company can help your business remain compliant by offering securely locked shred collection containers so that your documents are protected from when they are discarded to when they are destroyed. You can be sure that their industrial level shredders will completely destroy your documents. Upon completion, 100% of your shredded material will be recycled and a Certificate of Destruction will be provided as proof of compliancy.
Who?
If you are considering the wise decision of outsourcing your paper shredding, choose a NAID AAA Certified company so you know your documents will be handled and shredded with the highest security protocols in the industry.
Ask for locking shred collection containers so your employees can simply drop files and documents inside without worrying about what happens next.
Inquire about what happens to your shredded paper and make sure the shredding company you choose mixes your shredded paper with shredded paper from other sources, then recycles 100% of it. After all, we all need to work together to protect our natural resources.
Richards and Richards is Nashville’s oldest NAID AAA Certified shredding company. Our team is highly trained, background-screened, and knowledgeable about HIPAA-compliant document destruction. If you have questions or need service, simply give us a call at 615-242-9600 or complete the form on this page. Our friendly shredding experts are ready to help!