What HIPAA Does, and Does Not, Specify About Shredding

The Health Insurance Portability and Accountability Act (HIPAA) became law in 1996. It was enacted to improve the security of private information and medical records, defined as protected health information (PHI). HIPAA requires doctors' offices, insurance companies, and all of their business associates to maintain both physical and digital safeguards. Failure to follow the rules can result in large penalties.

The law has been in place long enough that many patients cannot remember a visit when they did not have to sign a HIPAA privacy form at every new doctor's office. But the form is only a small part of the law. HIPAA also changed whom a health professional is allowed to transmit data to and in what form. Most people noticed that it became more difficult to obtain private health information.

The act was amended further in 2009 with the passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act, which was part of what is usually referred to as the stimulus package. HITECH added data breach notification requirements and increased the penalties for violating the HIPAA Privacy Rule.

Organizations have had years to learn about HITECH and well over a decade to comply with HIPAA, yet there is still a significant amount of confusion about what exactly the rules require. It does not help that some companies have sprung up with solutions and services marketed specifically at the HIPAA compliance market. To improve their numbers they preach fear, uncertainty and doubt (FUD).

The full law is beyond the scope of one article, so we will address a single aspect: the disposal of medical records. This topic is covered in 45 CFR 164.530(c). It requires covered entities to implement "reasonable safeguards" to protect the confidentiality of PHI in every format, and that includes the disposal of the records.

All covered entities must maintain policies and procedures for disposing of PHI, both on paper and on computers. They must also train their employees, managers, and volunteers on the proper disposal of medical records. The specific requirements are in 45 CFR 164.306(a)(4), 164.308(a)(5), and 164.530(b) and (i).

There are some specifics that the law deliberately does not detail. It does not mandate a single method of disposal. Instead, the covered entity is required to evaluate the sensitivity of the PHI being destroyed and the risks involved. Records that could cause harm to the individual in the form of identity theft, discrimination, or damaged reputation must be handled and disposed of with extra care.

Since leaving the records intact in the dumpster is not allowed, several other options are available. Acceptable methods of destruction include shredding, burning, pulping, and pulverizing. So let's examine each option.

Burning trash is illegal in nearly every town, so that is not an option for most doctors. Pulping is a complete solution, and a covered entity located near a paper mill could comply perfectly that way; the problem is that paper mills serve only a small part of the country. Pulverizing is essentially a form of shredding, so for simplicity this article treats the two as the same.

The most common method for destroying medical records is shredding. HIPAA allows shredding to be done in-house or contracted to a vendor. There is no requirement that the work be done on site; some services claim otherwise to justify a higher price, but that is simply FUD. A vendor that handles your PHI is a business associate under HIPAA, so make sure a business associate agreement is in place. Whichever process you choose, either generate documentation of the shredding internally or obtain it from the shredding service.
