
Disposal of Protected Health Information: How to Comply With HIPAA Regulations

By Tayla Holman, October 14, 2015. Posted in: Your Practice, Article


Privacy is an integral aspect of any medical practice. If your patients don't trust that their personal and medical information is kept private, you're seriously compromising your business relationship with them. A key part of a patient's privacy is how you dispose of their medical records. When the time comes to destroy protected health information, it's important that covered entities do so in a way that complies with the Health Insurance Portability and Accountability Act (HIPAA).

Privacy 101

The HIPAA Privacy Rule requires that covered entities -- which include health plans, health care clearinghouses, and health care providers -- apply proper administrative, technical, and physical safeguards to secure patients' protected health information (PHI) in any form, including paper and electronic medical records. This requirement extends to the disposal of PHI, which may occur after a certain amount of time or if a health care provider converts patient information into electronic medical records (EMR).

The Privacy Rule does not include a requirement for medical record retention, but state laws generally specify how long medical records need to be retained. If there is no state or federal law, a medical board may provide a policy or recommendation.

Covered entities must also ensure that workforce members receive training on and follow the covered entity's disposal policies and procedures. Any workforce member who is directly involved in the disposal of PHI, or who supervises others who dispose of PHI, must receive this training.

While the Privacy Rule does not mandate a particular disposal method, covered entities should assess the risks to patient privacy when determining what procedures to put in place. PHI that contains patients' names, social security numbers, driver's license numbers, or debit/credit card information may require special attention during disposal because this information can result in identity theft. PHI containing diagnosis or treatment information should also be given special attention.

What to Do With Paper Records

In order to protect patient privacy, PHI in paper records may be disposed of by "shredding, burning, pulping, or pulverizing the records so that the PHI is unreadable or undecipherable and cannot be reconstructed," as the U.S. Department of Health & Human Services details.

Covered entities may not dispose of records in a dumpster or in other containers accessible by the public or unauthorized persons in general unless they have, again, been rendered unreadable and unable to be reconstructed. However, in certain cases, a covered entity may deposit patient records in locked dumpsters that are accessible only to authorized persons.

A covered entity may hire a business associate to dispose of PHI, but it must enter into an agreement or contract requiring the business associate to appropriately safeguard the PHI through the disposal process. The business associate may pick up the records from the covered entity, dispose of them, and then deposit them into a landfill or other appropriate area. Covered entities may also maintain PHI for disposal in a secure area until it is picked up by a disposal vendor for destruction.

Failure to dispose of protected health information in compliance with HIPAA can result in penalties and other fees. In January 2013, the former owners of a medical billing practice and four pathology groups in Massachusetts were forced to collectively pay $140,000 after medical records and billing information for approximately 67,000 patients were improperly disposed of at a public dump. The Office of the Attorney General in Massachusetts alleged that the groups violated HIPAA regulations by failing to implement the proper safeguards to protect patient PHI.

Obviously you're trying to avoid penalties, but above all you want your patients to feel confident that their private information is safe with you. Set up a structured means of disposal for electronic and physical records, and keep that process documented so you can make it clear to your patients that their privacy will always be preserved.
