The Health Insurance Portability and Accountability Act (HIPAA) sets strict standards for the destruction of protected health information (PHI). PHI is any patient health information that can be used to identify an individual, and it includes everything from medical records to insurance claims. HIPAA requires covered entities – healthcare providers, health plans, and healthcare clearing houses – to take steps to ensure that PHI is destroyed in a way that will protect patient privacy. But what are the acceptable methods for destruction of PHI under HIPAA?
In this Article …
- What is Protected Health Information and why must it be destroyed?
- What does HIPAA say about the destruction of PHI?
- How can PHI be destroyed without compromising patient privacy or safety?
- What are the consequences of covered entities not properly destroying PHI?
- What should you do if you suspect that PHI has been improperly destroyed?
- So, what does all of this mean for you?
What is Protected Health Information and why must it be destroyed?
Protected Health Information, or PHI, is defined as any kind of information that could be used to identify an individual that is stored by a HIPAA-covered entity. This includes anything from a person’s name and address to their medical records and health insurance information. HIPAA regulations state that all PHI must be destroyed when it is no longer needed, in order to protect patient privacy.
What does HIPAA say about the destruction of PHI?
In 45 CFR § 164.530, HIPAA requires covered entities to implement reasonable safeguards to protect PHI from unauthorized use or disclosure. This includes physical, administrative, and technical safeguards. When it comes to medical record destruction or the destruction of any other PHI, HIPAA says that covered entities must take reasonable steps to protect against unauthorized access to or destruction of the information. This includes ensuring that PHI is properly disposed of when it is no longer needed.
As for determining when PHI is no longer needed, 45 CFR § 164.530 again acts as the source when it says, “A covered entity must retain the documentation required by paragraph (j)(1) of this section for six years from the date of its creation or the date when it last was in effect, whichever is later.” And 45 CFR § 164.306(a)(4), 164.308(a)(5), and 164.530(b) and (i) requires that covered entities train staff on the internal policies and procedures related to the retention period and the disposal of PHI.
How can PHI be destroyed without compromising patient privacy or safety?
The Privacy Rule doesn’t specifically require any particular disposal method, but it does set some general guidelines for the destruction process. For example, covered entities must ensure that PHI is not disposed of in a way that could allow it to be accessed or used by unauthorized individuals. The Department of Health and Human Services (HHS), in part of its Frequently Asked Questions (FAQ) section of its website, suggests the following disposal methods as some viable examples:
For PHI in paper records
These include all paper-based medical records and other business-related patient records that contain PHI.
Maintaining labeled prescription bottles and other PHI in opaque bags
These bags would need to be stored in a secure area and the intent would be for the covered entity to use a disposal vendor to pick up and destroy (by acceptable means) the PHI. In this case, the vendor would be considered a Business Associate and would be subject to the same HIPAA regulations as the covered entity. For that reason, it is important to have an executed Business Associate Agreement with the vendor that addresses each party’s responsibilities regarding the handling of PHI. If you don’t already have one in place, you can download our Business Associate Agreement template. It’s designed as a PDF fillable form that can be used again and again. It meets all the current HIPAA Rules and is easy to use.
For electronic protected health information (PHI on electronic media, electronic PHI – aka ePHI)
These include all electronic medical records (EHR) and other patient information stored digitally.
- Clearing (using software or hardware to overwrite media with non-sensitive data)
- Purging (degaussing – disrupting recorded magnetic domains by exposing media to a strong magnetic field)
- Destroying the electronic media (disintegration, pulverization, melting, incinerating, or shredding)
What are the consequences of covered entities not properly destroying PHI?
Covered entities that fail to carry out proper disposal of PHI in accordance with HIPAA can face civil and criminal penalties including fines, jail time, and exclusion from participation in federal healthcare programs. Furthermore, improper destruction of PHI can lead to reputational damage and a loss of consumer trust, so it is important for HIPAA-covered entities to take the necessary steps to ensure that all PHI is properly destroyed.
As part of HIPAA’s HITECH Act, the Secretary of HHS is required to post a list of data breaches that affect 500 or more individuals. Known formally as the Breach Notification Portal, and informally as the HIPAA Wall of Shame, the immediately visible list is of those parties that had such a breach in the preceding 24 months. After that period their names and information relating to the breach are archived. However, the archive is available for search by the general public.
As seen in the image below of Health and Human Services’ Breach Notification Portal, there are seven healthcare providers, as of the writing of this post, listed there because of improper disposal of protected health information in the past 24 months … that collectively affected 136,244 individuals.
What should you do if you suspect that PHI has been improperly destroyed?
If you suspect that PHI has been improperly destroyed, it is important to report the incident to the Compliance Officer at your organization. The Compliance Officer will lead an investigation with the help of a compliance committee and any other stakeholders as needed. If it is confirmed that PHI was not disposed of as per HIPAA regulations, then the incident must be reported to HHS’s Office for Civil Rights (OCR) as per the Breach Notification Rules. OCR will conduct an investigation to determine what HIPAA violations occurred, if any, and what corrective steps should be taken. It is noteworthy that, while OCR may take action in the form of fines or other penalties, it does not provide legal advice nor is it responsible for resolving disputes between covered entities and their Business Associates. In such cases, where perhaps a third-party vendor was involved, it is advisable to consult with an attorney specializing in HIPAA compliance.
An effective compliance plan is key to avoiding any missteps when it comes to disposing of PHI in accordance with HIPAA regulations. Through the development of policies and procedures, staff training, and ongoing monitoring, a culture of compliance is fostered. Whether the function is in-house or outsourced, having an effective compliance plan also helps to ensure that all stakeholders are aware of their responsibilities when it comes to PHI disposal (and much more!), and that violations can be quickly addressed.
So, what does all of this mean for you?
Basically, if you’re a HIPAA-covered entity, it’s important to take appropriate safeguards to protect PHI from unauthorized access or destruction. This includes making sure that your organization’s record disposal process is HIPAA compliant, and that PHI, whether in paper form, electronic media, or in some other medium, is not disposed of in a way that could allow it to be accessed or used by unauthorized persons. If you fail to do so, you could face civil and criminal penalties including fines, jail time, and exclusion from participation. Luckily, there are plenty of ways to safely dispose of PHI without putting your business at risk.
If you have any questions about what methods are acceptable for the destruction of PHI, or about any other facet of the HIPAA Privacy and Security Rules, please feel free to reach out as we’d be happy to help.