It's not uncommon for hospitals to manage hundreds of thousands of patient files. And even smaller family care physicians may store thousands of patient files. So, when it comes time to destroy some of these files, the facility may seek to outsource the task to another company. Having to shred and/or incinerate thousands of files can be a tedious, time-consuming process to say the least, in which case it only makes sense to outsource the task to a third party.
But the Health Insurance Portability and Accountability Act (HIPAA) places strict rules on who can and cannot access the Protected Health Information (PHI) of patients. With a few exceptions (e.g. child abuse cases, facilitating medical treatment, etc.), a healthcare provider cannot legally disclose a patient's PHI without his or her consent through an authorization form. So, does this mean that covered entities are also unable to use the services of a third party to dispose of patient files?
If the patient files do not contain PHI, then it's perfectly fine for a covered entity to hire another company to dispose of them. The Department of Health and Human Services (HHS) defines PHI as being personally identifiable health information. This may include the patient's name, phone number, address, insurance number, diagnosis, treatment, billing information, etc. When in doubt, it's best to err on the side of caution by categorizing patient information as PHI.
If the patient files do contain PHI, then certain steps must be taken before the covered entity can outsource their disposal to another company. Because the files contain personally identifiable information, the company responsible for their disposal must act as a business associate, which of course means that a Business Associates Agreement (BAA) is required. The BAA should require the third-party company to appropriately safeguard the covered entity's PHI through disposal. Suitable methods of disposal may include shredding, burning, incinerating, pulping and pulverizing.
Unfortunately, many covered entities overlook the importance of proper PHI disposal. There have been numerous cases of patient files being recovered from trash cans and dumpsters, resulting in fines and other corrective actions taken by the covered entity. Whether you intend to dispose of PHI yourself or outsource the task to another company, make sure the PHI is completely destroyed.
To recap, covered entities may outsource the disposal of patient files containing PHI to other companies if they create a BAA. This agreement details the way in which the PHI will be used, while also placing restrictions on its use by the business associate.