Over the past few years, physician practices have implemented many policies and procedures to protect their patients' privacy in an effort to comply with the Privacy and Security Rules under HIPAA.
They have adopted compliance plans and procedures to protect their patients' privacy in the transmission, storage, and use of their protected health information ("PHI"). The need to protect the privacy and security of this information does not end when the medical record is no longer needed by the practice. Failing to implement reasonable safeguards to protect PHI when disposing of your medical records can result in impermissible disclosures of PHI, carrying the same risks and penalties as disclosures from active medical records. In addition to the policies your office has in place to secure its active medical records, every medical office should have a HIPAA-compliant policy for disposing of records that are no longer part of a patient's active medical file. This is particularly important in the age of electronic records. Any procedure for the proper disposal of medical records should specifically address the disposition of electronic PHI and of the hardware or electronic media, such as PCs, hard drives, and removable disks, on which it is stored.
A physician's office may not simply abandon PHI or dispose of it in dumpsters or other containers that are accessible to the public or other unauthorized persons. However, the Privacy and Security Rules do not prescribe any particular disposal method for PHI that will guarantee compliance. Instead, a practice should determine what is reasonable for its office and weigh each method's potential risks to patient privacy, keeping in mind the form, type, and amount of PHI to be disposed of. For instance, the disposal of certain types of PHI, such as name, social security number, driver's license number, debit or credit card number, diagnosis, treatment information, or other sensitive information, may warrant more care because inappropriate access to this information can result in identity theft, employment or other discrimination, or harm to an individual's reputation.
The Office for Civil Rights provides some guidance on disposing of PHI. Depending on the circumstances, proper disposal methods may include (but are not limited to):
• Shredding or otherwise destroying PHI in paper records so that the PHI is rendered essentially unreadable, indecipherable, and otherwise incapable of being reconstructed before it is placed in a dumpster or other trash receptacle;
• Maintaining PHI awaiting disposal in a secure area and using a disposal vendor, engaged as a business associate, to pick up and shred or otherwise destroy the PHI;
• In justifiable cases, based on the size and type of the covered entity and the nature of the PHI, depositing PHI in locked dumpsters that are accessible only to authorized persons, such as appropriate refuse workers;
• For PHI on electronic media, clearing (using software or hardware products to overwrite the media with non-sensitive data), purging (degaussing, i.e. exposing the media to a strong magnetic field to disrupt the recorded magnetic domains), or destroying the media (disintegration, pulverization, melting, incineration, or shredding).
There are also outside vendors who can assist a medical practice to appropriately dispose of PHI on its behalf.
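The "clearing" option above, overwriting stored data with non-sensitive data and then checking that the overwrite took, is the one a practice can carry out itself before handing hardware to a vendor. The script below is an added example written for this page, not guidance from the Office for Civil Rights or code from any vendor; the patient record it overwrites is a constructed sample, and it runs against an ordinary file so it is safe to try. Two caveats a practitioner should keep in mind: overwriting a file is not the same as sanitizing the media, because journaling and copy-on-write filesystems, SSD wear levelling, and remapped sectors can leave the old contents on the drive (for a whole device, use the drive's built-in sanitize command or the purge/destroy options above); and degaussing only affects magnetic media such as hard disks and tape, so it is not a purge method for solid-state storage.

```shell
#!/bin/sh
# Added example (not part of the original article): "clearing" a file by
# overwriting it in place with non-sensitive data, then verifying the result.
# Assumes a POSIX shell with head, dd, tr, wc and mktemp available.
#
# Caveat: this clears a FILE, not the MEDIA. Filesystem journals, copy-on-write
# snapshots, SSD wear levelling and remapped sectors may still hold the old
# bytes. To clear an entire drive use its own sanitize command (for example
# hdparm --security-erase for ATA disks or nvme format for NVMe) or destroy it.

set -eu

# Overwrite a regular file in place: one pass of random data, then one pass
# of zeros. Exactly the file's current size is written, so the file is neither
# truncated nor extended, and the result is flushed to disk before returning.
clear_file() {
    f="$1"
    size=$(wc -c < "$f" | tr -d ' ')
    head -c "$size" /dev/urandom | dd of="$f" conv=notrunc 2>/dev/null
    head -c "$size" /dev/zero    | dd of="$f" conv=notrunc 2>/dev/null
    sync
}

# Verification step: succeed (exit 0) only if the marker string is gone AND
# the file now contains nothing but zero bytes, proving the final pass landed.
verify_cleared() {
    f="$1"; marker="$2"
    if grep -q -- "$marker" "$f"; then
        return 1
    fi
    nonzero=$(tr -d '\000' < "$f" | wc -c | tr -d ' ')
    [ "$nonzero" -eq 0 ]
}

# Demonstration on a constructed record (fictitious name, SSN and diagnosis).
demo() {
    tmp=$(mktemp)
    printf 'Patient: Jane Doe\nSSN: 000-00-0000\nDx: hypertension\n' > "$tmp"
    before=$(wc -c < "$tmp" | tr -d ' ')
    clear_file "$tmp"
    after=$(wc -c < "$tmp" | tr -d ' ')
    verify_cleared "$tmp" 'Jane Doe'        # aborts the script if data remains
    [ "$before" -eq "$after" ]              # size unchanged: overwrite was in place
    rm -f "$tmp"
    echo "cleared and verified: $tmp"
}

demo
```

Run it as `sh clear_demo.sh`; it exits non-zero if the marker text survives or the file is not all zeros. The same `clear_file`/`verify_cleared` pair can be pointed at exported record files before the disks they lived on are purged or destroyed, but it should be treated as a defence-in-depth step, not as a substitute for media-level sanitization.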