How to Properly Dispose of Documents with Protected Health Information
August 15, 2018

Proper documentation in your facility is vital to a practice’s compliance with HIPAA rules. But what happens if you have documents that are no longer needed? What is the proper HIPAA-compliant way to dispose of documents containing sensitive patient records?

Paper Records

As the name suggests, these are documents containing PHI that have a paper trail or were printed on one or more pieces of paper. Examples of these documents are forms, memos, charts, labels on patient care items, photos/images, graphics, etc.

Now, how do we dispose of these sensitive documents containing PHI while abiding by the rules set forth by the Health Insurance Portability and Accountability Act (HIPAA)? In our latest e-newsletter, we discussed the following methods:

1. Shredding
2. Burning
3. Pulverizing
4. Disposal Vendors
5. Media Sanitization

The important thing here is that your facility or practice makes sure that the protected health information on these printed or digitized forms is rendered unusable and/or inaccessible.

Electronic Records or e-files

These are mostly computer-based records and digital copies of the paper records. Most facilities or practices are moving to this kind of documentation because it is easy to store, saves space, and makes transmitting and sharing the information convenient. These records can be email messages, SMS or text messages, video recordings, file downloads, and more. But with these comforts come risks as well. Electronic medical records are more prone to cyber-attacks. HIPAA’s Security Rule establishes the administrative, physical, and technical safeguards that covered entities and business associates must put in place in order to secure electronic protected health information (ePHI) as it is created, received, maintained, or transmitted.

Here are some questions you may want to ask to find out if you are complying with the HIPAA PHI/ePHI Disposal Standards:

✓ Are policies and procedures developed and implemented that govern the receipt and removal of hardware and electronic media that contain EPHI, into and out of a facility, and the movement of these items within the facility?
✓ Do the policies and procedures identify the types of hardware and electronic media that must be tracked?
✓ Have all types of hardware and electronic media that must be tracked been identified, such as hard drives, magnetic tapes or disks, optical disks, or digital memory cards?
✓ Are policies and procedures developed and implemented that address disposal of EPHI, and/or the hardware or electronic media on which it is stored?
✓ Do the policies and procedures specify the process for making EPHI, and/or the hardware or electronic media, unusable and inaccessible?
✓ Do the policies and procedures specify the use of a technology, such as software or a specialized piece of hardware, to make EPHI, and/or the hardware or electronic media, unusable and inaccessible?
✓ Are the procedures used by personnel authorized to dispose of EPHI, and/or the hardware or electronic media?

Please visit this link from HHS.gov for more information: https://www.hhs.gov/hipaa/for-professionals/faq/disposal-of-protected-health-information/index.html
