Are Your Shredding Procedures HIPAA Compliant?

The Health Insurance Portability and Accountability Act of 1996, commonly referred to as HIPAA, was created in order to safeguard the privacy of patients. Not only that, but with medical data breaches on the rise, there’s even more emphasis placed on the privacy of patients’ medical records.


The law itself goes to great lengths to identify whom the privacy rules cover and what is and is not allowable as far as disclosures are concerned. It even requires medical facilities, large or small, to have patients sign documentation explaining their rights whenever treatment is given or received.


Protected health information, or PHI, has many rules and regulations regarding its safe treatment. These include rules governing the proper disposal of information in order to maintain patient privacy.


Why is Shredding Necessary?


The problem with PHI is that there is simply so much of it. In the past, there were huge file rooms and storage facilities devoted to the care and storage of private medical information. Depending on the health and medical histories of some patients, medical records and the health history of one patient can occupy multiple shelves. Storing and caring for these documents is a time-consuming and costly practice. It’s not all about the space required, however. It’s also about the labor that’s required to tend to these documents on a regular basis.


Eliminating these records once the patient has passed away or is no longer an active patient saves time, money, and valuable shelf space. Many medical centers are also making the move to digital records by scanning the original documents and storing them on computer servers. These original documents, once scanned, must be properly eliminated in a manner that doesn’t compromise patient privacy. Medical practitioners who fail to comply with HIPAA regulations face civil as well as criminal penalties that go far beyond mere slaps on the wrists.


How Should Medical Information be Shredded?


According to HIPAA rules, “For PHI in paper records, shredding, burning, pulping, or pulverizing the records so that PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed.”


If the medical facility lacks the proper equipment or resources to devote to properly destroying these paper records, it is possible to hire an outside service to either shred the documents for you onsite or remove them to their facility in order to shred the documents. However, proper storage and transfer procedures must be followed, and the outsourced facility must also meet the same standards (destroying in a manner that the documents cannot be reconstructed) as if your facility were destroying the records.


A few other regulations regarding the storage and destruction of PHI include the following:


  • PHI cannot be stored in dumpsters that are accessible to the public.
  • Computer equipment is also covered by HIPAA, and the information stored on computers, while not always physically shredded, must be eliminated according to HIPAA standards. These include purging, exposing the computer to a strong magnetic field, melting, clearing (using specific software to overwrite the media with data or information that isn’t PHI), incinerating, or pulverizing the electronic media.
  • Labeled prescription bottles and paper PHI may be stored in opaque bags while awaiting disposal, provided they are stored in a secure area.


As a small business that handles medical records, if you carefully follow HIPAA standards, you shouldn’t have any major problems that will land you in civil or criminal hot water. However, mistakes happen at times, no matter how cautious you happen to be. That’s why it’s essential to have proper business insurance, to cover any mistakes with HIPAA compliance that may arise.