Disposal of PHI is one of the things many people neglect when dealing with Protected Health Information. Let’s start with an example.
Not long ago, a company purchased used office furniture and discovered one of the cabinets contained hundreds of documents containing highly sensitive information. The prior owner of the desk – a health group in New Jersey – forgot to check the drawers of the furniture before selling it. Unknowingly, the owner left behind documents containing a treasure trove of information that included names, addresses, and even Social Security numbers and copies of passports. Luckily, the documents were found by a reputable company that notified the health group that generated the documents. Fortunately, the documents didn’t end up in the hands of identity thieves or other scammers.1
The reputation of your company is at risk of documents or other media containing Protected Health Information (PHI) aren’t disposed of properly.
If you’re a Covered Entity, Business Associate, or Business Associate Subcontractor, your job is to protect people’s PHI, but what, exactly, are your responsibilities surrounding PHI? How long do you have to keep a client’s PHI? Who is allowed to dispose of it, and how do you do it safely?
HIPAA Regulation Regarding PHI Disposal
The HIPAA Security Rule requires Covered Entities, Business Associates, and Business Associate Subcontractors to:
- have policies in place specifically for the disposal of PHI and ePHI
- train all workforce members on those procedures
Document PHI Disposal Policies and Procedures
HIPAA law requires that details regarding PHI disposal, including ePHI (electronic PHI), be documented. Your organization’s disposal policy should be included in your Security Policies and Procedures.
Below are some questions that will help you define guidelines for your policies and procedures.
1. What Types of Media Do You Use that Contain PHI?
Consider the types of media on which PHI is stored in your organization. Do you only use paper, only electronic files/media (hard drives, tablets, flash drives, fax machines, etc.), or both? Consider listing each type of paper document and/or electronic media, as each will likely have its own policies/procedures.
2. How Long Does Your Organization Retain Records that Contain PHI?
For each type of media, how long does your organization retain records containing PHI? HIPAA specifies six years. Some states require seven years. Make sure you check your state regulations to see if there are any requirements.
3. How Will You Destroy Media if it Becomes Obsolete?
If media becomes obsolete, is no longer required, or is no longer usable, how will you destroy each type?
Don’t assume that just because you don’t use that format anymore, that the information is not retrievable or that it has no value. Remember, HIPAA does mandate that unused media containing PHI be adequately destroyed, and not simply left behind or disposed of in a public receptacle.
Examples of destroying hard copy include, but are not limited to, burning, shredding, or pulverizing.
Methods of destruction for electronic media include, but are not limited to, clearing, purging, or otherwise destroying the media. Don’t forget that any Business Associate or Business Associate Subcontractor that is hired to destroy any media must be a trusted source from whom you have received a signed Business Associate Agreement.
Who you hire to recycle your computers or shred your hard copies, etc., and what they do with it after it leaves your building can have a big impact on whether you stay in compliance with HIPAA rules.
4. Where Will Media be Located While it Awaits Destruction?
Define where each type of media is to be located while it awaits destruction. For example, is there a depository labeled “for shredding” or a secure place to put old media while it awaits pickup?
5. How Will You Train Employees on PHI Disposal?
HIPAA law requires that you train your employees on how to dispose of PHI. Under HIPAA 45 CFR 164.306(a)(4), 164.308(a)(5), and 164.530(b) and (i), any workforce member involved in disposing of PHI, or who supervises others who dispose of PHI, must receive training on disposal. This includes any volunteers.2 As part of training, ensure your employees are aware of any depository or bin where media is to be placed while it awaits destruction.
Failure to abide by HIPAA rules regarding the disposal of PHI can result in hefty fines, not to mention patient lawsuits and bad publicity. Your reputation depends on how well you serve your clients. Make sure their Protected Health Information is safe while it’s in your hands.
Remember, your reputation is your most valuable asset. Protect it.