The primary focus of the federal Health Insurance Portability and Accountability Act (HIPAA) of 1996 is the establishment of standards that require covered entities to implement administrative, technical and physical safeguards to prevent unauthorized access to Protected Health Information (PHI). While most people are familiar with the basics of HIPAA, they often overlook the proper disposal of PHI.
The disposal of PHI is covered in the HIPAA Security Rule, which outlines policies and procedures for properly disposing of electronic PHI and hardware or electronic media.
“...the HIPAA Security Rule requires that covered entities implement policies and procedures to address the final disposition of electronic PHI and/or the hardware or electronic media on which it is stored, as well as to implement procedures for removal of electronic PHI from electronic media before the media are made available for re-use,” wrote the Department of Health and Human Services (HHS) on its website.
It's important to note that covered entities are responsible for ensuring that workers are trained on the proper disposal policies and procedures. As noted in 45 CFR 164.306(a)(4), 164.308(a)(5), and 164.530(b) and (i), workers who dispose of PHI must also receive additional training on its disposal. Whether the person disposing of your practice's PHI is a paid worker, third-party associate, or even a volunteer, it's your responsibility to train them on the correct disposal techniques.
Here are some of the proper disposal methods that may be acceptable under the HIPAA Security Rule:
- Shredding or burning paper records to the point where the PHI is no longer readable or decipherable – assuming it cannot be reconstructed.
- Maintaining PHI in a secure area until a third-party vendor – acting as a business associate – picks it up for disposal.
- In some cases, PHI may be disposed of in locked dumpsters that are only accessible by authorized individuals and personnel.
- PHI on electronic media such as disks, USB flash drives, external storage drives, etc. should be cleared using software or hardware products to overwrite the existing data, purged by exposing the device to a strong magnetic field, or completely destroyed/pulverized.
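The "clear by overwriting" method in the last item is the one a practice can implement and, more importantly, verify in software. The following is an added example, not code from the article or from HHS; it assumes a file-backed image standing in for a piece of removable media and a constructed PHI record planted inside it, overwrites the whole image, then reads it back to confirm nothing but the final zero pattern remains.

```python
import os
import secrets
import tempfile

# Constructed sample record, used only to prove the overwrite reached it.
PHI_MARKER = b"PATIENT: Jane Doe, DOB 1970-01-01, MRN 0000123"

def overwrite_media(path: str, random_passes: int = 1, chunk: int = 1 << 16) -> None:
    """Overwrite every byte of a file-backed media image in place.

    Each random pass writes fresh random bytes; a final pass writes zeros so
    the image can be verified byte-for-byte. Data is synced to storage after
    each pass so nothing survives only in the page cache.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for pass_no in range(random_passes + 1):
            f.seek(0)
            remaining = size
            while remaining:
                n = min(chunk, remaining)
                f.write(secrets.token_bytes(n) if pass_no < random_passes else bytes(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())

def verify_cleared(path: str, chunk: int = 1 << 16) -> bool:
    """Read the image back and confirm it contains nothing but zeros."""
    with open(path, "rb") as f:
        while block := f.read(chunk):
            if block.count(0) != len(block):
                return False
    return True

def contains_marker(path: str) -> bool:
    """Scan the raw image for the constructed PHI marker (checked before and after)."""
    with open(path, "rb") as f:
        return PHI_MARKER in f.read()

def demo() -> dict:
    """Build a small constructed image holding PHI, clear it, and report the checks."""
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "usb_image.bin")
        with open(img, "wb") as f:
            f.write(secrets.token_bytes(3000) + PHI_MARKER + secrets.token_bytes(5000))
        before = contains_marker(img)
        overwrite_media(img, random_passes=1)
        return {"marker_before": before, "marker_after": contains_marker(img),
                "verified": verify_cleared(img)}

if __name__ == "__main__":
    print(demo())
```

Overwriting through a file system cannot reach the spare, wear-levelled cells of flash media such as USB drives, so for those devices a vendor secure-erase command or physical destruction is the reliable purge; the read-back check above is still what a practice should keep as evidence that a chosen clearing method actually worked.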
Of course, the exact method of disposal will vary depending on the covered entity's circumstances. This is why it's important for covered entities to familiarize themselves with the HIPAA Rules, as this will allow them to choose the method that's best suited for their needs.