Covered entities must take extra steps to ensure patients' personal information is not accessed by unauthorized individuals. Throwing away a patient's file in a dumpster that's accessible to the public is a violation of the HIPAA Privacy Rule. Even if no one retrieves the file, it's still a violation, since the covered entity failed to dispose of the patient's Protected Health Information (PHI) in an appropriate manner. So, what requirements does HIPAA have regarding the disposal of PHI?
The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule requires covered entities to dispose of PHI so it's no longer retrievable. If someone can still retrieve or otherwise access the PHI after its disposal, that method of disposal is not compliant with HIPAA. And with the Office for Civil Rights (OCR) increasing its enforcement efforts, this is something that all healthcare practitioners should seek to avoid.
Whether it's paper or electronic, all forms of PHI must be properly disposed of. For paper PHI, acceptable methods of disposal include shredding, burning, pulping and/or pulverizing. For Electronic Protected Health Information (ePHI), acceptable methods of disposal include clearing the data with software that overwrites the media, purging it with a high-powered magnet (degaussing), or physically destroying the media.
Of course, these are just a few of the many acceptable methods by which PHI can be disposed of. The HHS encourages covered entities to consider the steps that other healthcare practitioners are taking to protect patient privacy with regard to PHI disposal.
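The "clearing" option above is the one a practice can carry out in software, and the part practitioners most often skip is the check afterwards: reading the media back to confirm the PHI is actually gone. The following is an added example, not code from the original article or from HHS. It overwrites a single file in place with two passes, flushes each pass to disk, then verifies the read-back and scans for a constructed sample record. It assumes the file lives on conventional magnetic storage with a filesystem that writes in place; on SSDs and on copy-on-write or journaling filesystems an in-place overwrite does not reach every physical copy of the data, which is why the article's other options (degaussing or physical destruction) exist.

```python
import os
import tempfile

# Constructed sample record standing in for a patient file; not real PHI.
SAMPLE_RECORD = b"PATIENT: Jane Doe  MRN: 000000  DX: example\n" * 200


def write_sample(path):
    """Write the constructed sample record to `path` (test fixture only)."""
    with open(path, "wb") as f:
        f.write(SAMPLE_RECORD)


def media_contains(path, needle, chunk=1 << 16):
    """True if `needle` still appears anywhere in the file.
    Keeps a carry of len(needle)-1 bytes so matches spanning chunks are found."""
    carry = b""
    with open(path, "rb") as f:
        while True:
            block = f.read(chunk)
            if not block:
                return False
            buf = carry + block
            if needle in buf:
                return True
            carry = buf[-(len(needle) - 1):] if len(needle) > 1 else b""


def clear_file(path, patterns=(b"\xff", b"\x00"), chunk=1 << 16):
    """Overwrite every byte of `path` in place with each pattern, fsync after
    each pass, then read the whole file back and confirm it holds only the
    final pattern. Returns True when the verification pass succeeds.
    Assumption: in-place writes reach the same physical blocks (not SSD/CoW)."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for pat in patterns:
            f.seek(0)
            left = size
            while left:
                n = min(chunk, left)
                f.write(pat * n)
                left -= n
            f.flush()
            os.fsync(f.fileno())  # force the pass onto the media before the next one
    final = patterns[-1]
    with open(path, "rb") as f:
        while True:
            block = f.read(chunk)
            if not block:
                return True
            if block != final * len(block):
                return False  # something other than our pattern is on the media


def demo():
    """Run clear-and-verify on a temp file; returns (found_before, verified, found_after)."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        write_sample(path)
        before = media_contains(path, b"Jane Doe")
        verified = clear_file(path)
        after = media_contains(path, b"Jane Doe")
    finally:
        os.remove(path)
    return before, verified, after


if __name__ == "__main__":
    print(demo())  # expected (True, True, False)
```

The read-back scan is the part worth keeping in any disposal procedure: a log line that records "overwrite verified, sample record not found" is the evidence an auditor will ask for, whereas a tool that only reports "done" proves nothing about what is still on the media.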
Additionally, covered entities must train their workforce members on the correct method for disposing of PHI. “Further, covered entities must ensure that their workforce members receive training on and follow the disposal policies and procedures of the covered entity, as necessary and appropriate for each workforce member,” explained the Department of Health and Human Services (HHS).
If you aren't comfortable disposing of PHI yourself, you can always outsource this task to a third-party company. There are dozens of companies out there that specialize in safe, HIPAA-compliant disposal of PHI. They have both the tools and the experience needed to safely dispose of PHI – paper and electronic – so that it doesn't constitute a HIPAA violation. If you choose to do business with one of these service providers, however, you must put a Business Associate Agreement (BAA) in place. BAAs are required whenever a third-party entity has access to PHI, even if the PHI is only being handed over to be disposed of.