What is HIPAA-Compliant Destruction?

The Health Insurance Portability and Accountability Act (HIPAA) enacted in1996 requires healthcare providers and their business associates to implement physical, administrative and technical safeguards for protected health information (PHI). Twenty years later, the law retains its significant impact on the way businesses handle, transmit and dispose of medical records and data. In this blog, we focus on the latter—discussing the meaning and importance of HIPAA-compliant destruction.

It’s the Law

A key amendment to HIPAA enacted in 2009, The Health Information Technology for Economic and Clinical Health (HITECH) Act, states that improperly-discarded documents and data are considered a security breach. This means that if you discard a medical record in a trashcan, for instance, and it results in a breach of PII, your organization can be fined by the Department of Health and Human Services (DHS) Office of Civil Rights (OCR). It’s worth noting that recently, OCR has begun enforcing HIPAA violations more aggressively.

It Requires Prompt Disposal

A major problem with in-house shredding is that it’s time-consuming. Using a standard paper shredder is a multi-step process:

  1. Remove paperclips, staples and sticky notes
  2. Separate files into easily-shredded portions
  3. Clear paper jams from the machine when they occur
  4. Empty the shredding receptacle
  5. Clean up any spilled shredded material
  6. Discard the shredded material in a dumpster

Because this is such a tedious process, PII may sit on desktops or in a copy room for days or weeks. And the longer it takes to destroy confidential medical information, the more likely it will be compromised. In order to avoid a HIPAA non-compliance fine, expired medical records should be secured immediately.

With a document shredding service, prompt disposal is guaranteed. Locked document collection containers are placed in your facility free of charge so PII can be disposed of quickly and confidentially. The contents of the containers are then regularly collected and destroyed by a shredding technician who should be background-screened and trained in chain of custody and security procedures. 

It Means Verified Destruction

While HIPAA does not require a formal information destruction verification process, if you are audited by OCR, it may be helpful to have written documentation of your shredding practices. A document shredding service issues a Certificate of Destruction each time your documents are destroyed. This document, which notes the time and date of destruction, can be helpful when called upon to prove your due diligence.

By using a HIPAA-compliant shredding company, your organization will be well on your way to HIPAA compliance as well as other state and federal privacy laws.

Records Management Center provides professional shredding and destruction solutions for businesses throughout Augusta, Evans, Thomson, and Martinez, GA, and Aiken, SC and the Central Savannah River Area.

For more information, please contact us by phone or complete the form on this page.