Proper Disposal of PHI In Accordance With HIPAA

Disposal of PHI is one of the things many people neglect when dealing with Protected Health Information. Let’s start with an example.

Not long ago, a company purchased used office furniture and discovered one of the cabinets contained hundreds of documents containing highly sensitive information. The prior owner of the desk – a health group in New Jersey – forgot to check the drawers of the furniture before selling it. Unknowingly, the owner left behind documents containing a treasure trove of information that included names, addresses, and even Social Security numbers and copies of passports. Luckily, the documents were found by a reputable company that notified the health group that generated the documents. Fortunately, the documents didn’t end up in the hands of identity thieves or other scammers.1

The reputation of your company is at risk of documents or other media containing Protected Health Information (PHI) aren’t disposed of properly.

If you’re a Covered Entity, Business Associate, or Business Associate Subcontractor, your job is to protect people’s PHI, but what, exactly, are your responsibilities surrounding PHI? How long do you have to keep a client’s PHI? Who is allowed to dispose of it, and how do you do it safely?

HIPAA Regulation Regarding PHI Disposal

The HIPAA Security Rule requires Covered Entities, Business Associates, and Business Associate Subcontractors to:

  • have policies in place specifically for the disposal of PHI and ePHI
  • train all workforce members on those procedures

Document PHI Disposal Policies and Procedures

HIPAA law requires that details regarding PHI disposal, including ePHI (electronic PHI), be documented. Your organization’s disposal policy should be included in your Security Policies and Procedures.

Below are some questions that will help you define guidelines for your policies and procedures.

1. What Types of Media Do You Use that Contain PHI?

Consider the types of media on which PHI is stored in your organization. Do you only use paper, only electronic files/media (hard drives, tablets, flash drives, fax machines, etc.), or both? Consider listing each type of paper document and/or electronic media, as each will likely have its own policies/procedures.

2. How Long Does Your Organization Retain Records that Contain PHI?

For each type of media, how long does your organization retain records containing PHI? HIPAA specifies six years. Some states require seven years. Make sure you check your state regulations to see if there are any requirements.

3. How Will You Destroy Media if it Becomes Obsolete?

If media becomes obsolete, is no longer required, or is no longer usable, how will you destroy each type?

Don’t assume that just because you don’t use that format anymore, that the information is not retrievable or that it has no value. Remember, HIPAA does mandate that unused media containing PHI be adequately destroyed, and not simply left behind or disposed of in a public receptacle.

Examples of destroying hard copy include, but are not limited to, burning, shredding, or pulverizing.

Methods of destruction for electronic media include, but are not limited to, clearing, purging, or otherwise destroying the media. Don’t forget that any Business Associate or Business Associate Subcontractor that is hired to destroy any media must be a trusted source from whom you have received a signed Business Associate Agreement.

Who you hire to recycle your computers or shred your hard copies, etc., and what they do with it after it leaves your building can have a big impact on whether you stay in compliance with HIPAA rules.

4. Where Will Media be Located While it Awaits Destruction?

Define where each type of media is to be located while it awaits destruction. For example, is there a depository labeled “for shredding” or a secure place to put old media while it awaits pickup?

5. How Will You Train Employees on PHI Disposal?

HIPAA law requires that you train your employees on how to dispose of PHI. Under HIPAA 45 CFR 164.306(a)(4), 164.308(a)(5), and 164.530(b) and (i), any workforce member involved in disposing of PHI, or who supervises others who dispose of PHI, must receive training on disposal. This includes any volunteers.2 As part of training, ensure your employees are aware of any depository or bin where media is to be placed while it awaits destruction.

Failure to abide by HIPAA rules regarding the disposal of PHI can result in hefty fines, not to mention patient lawsuits and bad publicity. Your reputation depends on how well you serve your clients. Make sure their Protected Health Information is safe while it’s in your hands.

Remember, your reputation is your most valuable asset. Protect it.

Table: HIPAA and Medical Records Retention Requirements by State

Please provide your name, email address, and company name to receive the table of each state’s medical records retention requirements for healthcare providers and insurance agents from Total HIPAA Compliance.


Sharing is caring!


Looking for a Business Associate Agreement?

Download our free template to get started on your path toward HIPAA compliance.

Download Now

Let's keep in touch

Stay up to date on the latest HIPAA news, plus receive tons of free tools and info.

Navigating HIPAA Compliance in 2023

Watch the recording of this webinar to learn more about how you can become and stay HIPAA compliant!


Related Posts

What is Access Control in terms of HIPAA?

What is Access Control in terms of HIPAA?

Access control, in terms of cybersecurity, refers to the practice of managing and regulating who can access specific resources, systems, or data within an organization's network or information...

Comparing HIPAA and NIST

Comparing HIPAA and NIST

In the ever-evolving landscape of data security and privacy, two key frameworks have emerged as significant players: HIPAA and NIST. Both emphasize the importance of safeguarding sensitive...

Save & Share Cart
Your Shopping Cart will be saved and you'll be given a link. You, or anyone with the link, can use it to retrieve your Cart at any time.
Back Save & Share Cart
Your Shopping Cart will be saved with Product pictures and information, and Cart Totals. Then send it to yourself, or a friend, with a link to retrieve it at any time.
Your cart email sent successfully :)