Under the HIPAA Privacy Rule, covered entities must create policies to safeguard all protected health information from the view of unauthorized individuals. The Security Rule requires covered entities to have policies in place specifically for the disposal of PHI and ePHI and to train all workforce members on those procedures. Violation of the HIPAA Security Rule would involve not having a policy that coincides with the requirements of the Privacy Rule, not having a policy at all, not training all employees on the policy or failing to abide by the outlined procedure and potentially exposing information to unauthorized individuals.
How HIPAA Help Center can assist with proper disposal of patient records
The Policies and Procedures module allows covered entities to create compliance procedures specific to their practices, including one for the disposal of PHI and ePHI. The application also provides a place for the policy to live, allowing workforce members to access guidelines when necessary.
The Training module provides covered entities with a Learning Management System that educates all workforce members on the practice’s policy for the disposal of patient records. Often, violations of this nature result from careless mistakes. With assignment and tracking capabilities, authorized personnel will remain aware of any compliance gaps and ensure all workforce members are up to date on disposal policies and procedures.
Frequently asked questions about disposing of patient records:
Do the HIPAA Privacy and Security Rules require covered entities to dispose of PHI and ePHI in a specific way?
No. The HIPAA Privacy and Security Rules do not provide step-by-step guidelines on how covered entities should dispose of PHI and ePHI. However, health providers must implement their own policies that ensure unauthorized individuals will not have access to this information even upon disposal. The U.S. Department of Health and Human Services did specifically note that disposing of PHI in receptacles that can be accessed by the public would constitute a violation.
What are examples of how to properly dispose of hard copies of PHI?
Paper records may be burned, shredded or destroyed in a manner by which the information is no longer readable and cannot be reconstructed.
What are examples of how to properly dispose of ePHI?
As with hard copies of PHI, information on electronic media must be destroyed in a manner in which the patient records cannot be read or reconstructed. This may be done by utilizing software that can permanently clear the information, physically destroying the media on which the information is stored, or degaussing it.
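The following is an added example, not code from this page or from HIPAA Help Center, showing what the "software that can permanently clear information" option looks like for a single file and, more importantly, how to verify the result before the file is unlinked. It overwrites the file contents in place (a zero pass, a 0xFF pass, then a random pass), forces each pass to the storage device, and then checks that byte strings from the original record can no longer be read back. The sample record, the marker strings, the pass pattern and the function names are all constructed for this example. Note the caveat in the comments: in-place overwriting only reaches the blocks the file currently occupies, so it is not a reliable method on solid-state drives, on copy-on-write or journaling filesystems, or where backups or snapshots exist; for those, the other options the page names (physical destruction, or degaussing for magnetic media only) are the appropriate route.

```python
import os
import secrets
import tempfile

# Overwrite passes for the clearing routine: fixed 0x00, fixed 0xFF, then random bytes.
# This pass pattern is an assumption of this example, not a requirement stated by the page.
OVERWRITE_PASSES = (b"\x00", b"\xff", None)  # None means a random-data pass

# Constructed sample record used by demo(); it is not real PHI.
SAMPLE_RECORD = (b"Patient: Jane Doe (constructed sample)\n"
                 b"MRN: 000-TEST-000\n"
                 b"Diagnosis: example text, not real PHI\n")
SAMPLE_MARKERS = [b"Jane Doe", b"000-TEST-000", b"Diagnosis"]


def overwrite_file(path, passes=OVERWRITE_PASSES, chunk_size=64 * 1024):
    """Overwrite every byte of the file in place, once per pass, fsyncing after each pass.

    Caveat: this only rewrites the blocks the file currently maps to. SSD wear levelling,
    copy-on-write filesystems, journals, snapshots and backups can all retain the old data,
    so for such media rely on physical destruction or (magnetic media only) degaussing.
    Returns the number of bytes overwritten per pass.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for pattern in passes:
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk_size, remaining)
                block = secrets.token_bytes(n) if pattern is None else pattern * n
                fh.write(block)
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())  # push the pass to the device, not just the page cache
    return size


def residual_markers(path, markers):
    """Return the marker byte strings from the original record that are still readable."""
    with open(path, "rb") as fh:
        data = fh.read()
    return [m for m in markers if m in data]


def clear_and_verify(path, markers):
    """Overwrite the file, verify nothing recognisable remains, and only then unlink it.

    Returns (verified, bytes_per_pass). The file is left in place if verification fails,
    so the failure is visible rather than silently hidden by a delete.
    """
    size = overwrite_file(path)
    verified = not residual_markers(path, markers)
    if verified:
        os.remove(path)  # unlink only after the content is confirmed unreadable
    return verified, size


def demo():
    """Run the clear-and-verify procedure on the constructed sample record."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "record.txt")
    with open(path, "wb") as fh:
        fh.write(SAMPLE_RECORD)
    before = residual_markers(path, SAMPLE_MARKERS)   # all markers readable before clearing
    verified, size = clear_and_verify(path, SAMPLE_MARKERS)
    file_remains = os.path.exists(path)
    os.rmdir(tmpdir)
    return {
        "markers_before": len(before),
        "verified": verified,
        "bytes_per_pass": size,
        "file_remains": file_remains,
    }


if __name__ == "__main__":
    print(demo())
```

The verification step is the part worth keeping even if the overwrite tool changes: a disposal procedure that deletes first and checks never is exactly the kind of careless mistake the training text above describes, and the check is cheap.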