
How to Dispose of Paper Protected Health Information Under HIPAA

Disposing of paper protected health information (PHI), such as medical records, needs to be done in a HIPAA-compliant way. It is important to implement and follow administrative, technical, and physical safeguards at all times, but especially when it comes to disposing of paper PHI. Improper disposal of PHI violates HIPAA, which can lead to an investigation by the Office for Civil Rights (OCR) and substantial civil money penalties.

In August 2022, OCR settled a case with a Massachusetts dermatology practice for $300,640 after discovering that the practice had disposed of empty specimen containers, still bearing labels with PHI, in an unsecured garbage bin in the practice’s parking lot. The PHI included patient names, dates of birth, dates of sample collection, and the name of the provider. Complicating the issue further, the containers were discovered by a third-party security guard.

Regarding this incident, Melanie Fontes Rainer, Director of OCR, stated, “Improper disposal of protected health information creates an unnecessary risk to patient privacy. HIPAA regulated entities should take every step to ensure that safeguards are in place when disposing of patient information to keep it from being accessible by the public.”

In addition to the $300,640 civil money penalty, the Massachusetts-based dermatology practice is also required to carry out, and agreed to, a corrective action plan (CAP). A CAP is an aggressive enforcement action the Office for Civil Rights (OCR) takes in response to a HIPAA-covered entity or business associate that has egregiously violated HIPAA. It often requires your organization to perform a closely monitored security risk analysis and develop a risk management plan. OCR may also require you to hire a third party to monitor your compliance, adding an additional burden. CAPs can run for several years, during which time your organization must regularly report to OCR and undergo audits. Every step of the CAP has to be completed according to OCR’s strict timeline. If you fail to carry out the terms of a CAP, it is a breach of the resolution agreement.

The Department of Health and Human Services provides guidance on the proper disposal of PHI, both physical records and electronic protected health information (ePHI).

HIPAA Requirements

The HIPAA Privacy Rule “requires that covered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information (PHI), in any form,” HHS states in its FAQ about PHI disposal.

“This means that covered entities must implement reasonable safeguards to limit incidental, and avoid prohibited, uses and disclosures of PHI, including in connection with the disposal of such information.”

The HIPAA Security Rule requires covered entities to implement policies and procedures for the removal of electronic PHI from electronic media before that media can be re-used, in addition to policies for how electronic PHI is stored and deleted.

Your organization is also required to provide HIPAA training for the entire workforce regarding the policy and procedure for the disposal of PHI.

HIPAA is fairly flexible when it comes to organizations choosing what safeguards to implement to ensure that information is disposed of properly. Organizations must assess their individual circumstances and make decisions about how to reasonably dispose of PHI.

“In determining what is reasonable, covered entities should assess potential risks to patient privacy, as well as consider such issues as the form, type, and amount of PHI to be disposed,” HHS continues.

“For instance, the disposal of certain types of PHI such as name, social security number, driver’s license number, debit or credit card number, diagnosis, treatment information, or other sensitive information may warrant more care due to the risk that inappropriate access to this information may result in identity theft, employment or other discrimination, or harm to an individual’s reputation.”

When it comes to paper records, HHS suggests “shredding, burning, pulping, or pulverizing the records” in order to ensure that the PHI is unreadable and cannot be reconstructed.

For prescription bottles with PHI, covered entities may consider placing the bottles in opaque bags and using a vendor to pick up and dispose of the PHI.

A NOTE ON DUMPSTERS

As shown by OCR’s settlement with the Massachusetts dermatology practice noted above, covered entities should not dispose of PHI in an unsecured dumpster unless it has been destroyed to the point that it is unreadable. If the improperly disposed of PHI ends up being exposed, it is a HIPAA data breach.

The HHS states, “In general, a covered entity may not dispose of PHI in paper records, labeled prescription bottles, hospital identification bracelets, PHI on electronic media, or other forms of PHI in dumpsters, recycling bins, garbage cans, or other trash receptacles generally accessible by the public or other unauthorized persons.”

If a covered entity is going to use a dumpster, it should employ locked dumpsters that are only accessible to authorized personnel.

THE ROLE OF BUSINESS ASSOCIATES

Your organization can also use a business associate to shred and properly dispose of PHI.

HHS explains, “… a covered entity may hire an outside vendor to pick up PHI in paper records or on electronic media from its premises, shred, burn, pulp, or pulverize the PHI, or purge or destroy the electronic media, and deposit the deconstructed material in a landfill or other appropriate area.”

Using a third-party vendor requires you to have a signed business associate agreement (BAA) with the vendor to maintain HIPAA compliance.

A BAA is an assurance that the business associate agrees to and understands how to properly safeguard the PHI it receives or handles on behalf of your organization. BAAs also ensure that business associates are subject to similar consequences as HIPAA-covered entities should PHI become compromised.

Your organization is responsible for safeguarding PHI throughout its lifecycle, from the moment a record is created to the moment it is shredded and disposed of. Reminding your workforce through regular training can help your organization mitigate the risk of improper disposal of PHI.
