Most doctors, nurses, chiropractors, dentists and other covered entities are fully aware of the importance of maintaining patient privacy. The Health Insurance Portability and Accountability Act (HIPAA) of 1996 lays out several rules regarding patient privacy. These rules include requirements on how to properly dispose of Protected Health Information (PHI) in both paper and digital formats.
Can I Dispose of PHI in a Dumpster?
In most circumstances, the answer is no. If the dumpster is accessible to the general public, or anyone who doesn't have the patient's authorization to access his or her records, the covered entity may not use it to dispose of PHI.
“In general, a covered entity may not dispose of PHI in paper records, labeled prescription bottles, hospital identification bracelets, PHI on electronic media, or other forms of PHI in dumpsters, recycling bins, garbage cans, or other trash receptacles generally accessible by the public or other unauthorized persons,” wrote the Department of Health and Human Services (HHS).
Disposing of Paper Records
For paper records, covered entities must dispose of them in a manner that makes them unreadable and indecipherable. Simply tossing the records in the trash isn't going to work. Sure, the trash company may pick them up and haul them off to the landfill without any problems. But there's always the possibility of someone “dumpster diving” and acquiring the records. When this occurs, the covered entity may be held accountable for failure to properly dispose of patient records. Acceptable methods of disposal for paper PHI may include shredding, burning, pulping, and/or pulverizing.
Disposing of Digital Records
Of course, disposing of PHI on electronic media such as hard drives, USB flash drives, CDs, and DVDs requires a bit more effort. HHS recommends that covered entities either use software to overwrite the data, purge the data by exposing the media to a strong magnetic field, or destroy the media by disintegration, melting, incinerating, or shredding.
To recap, covered entities should use caution when disposing of Protected Health Information to ensure it cannot be reconstructed or otherwise deciphered by anyone. Dozens of healthcare practices have been fined in the past for failure to properly dispose of PHI. Thankfully, these violations are easily avoided by following the steps listed above.