How to Properly Dispose Protected Health Information (PHI)
HIPAA requires covered entities to properly dispose of Protected Health Information (PHI) in the following manner:
- Paper, film, or other hard copy media has been shredded or destroyed such that the PHI cannot be read or otherwise cannot be reconstructed.
- Electronic media has been cleared, purged, or destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization, such that the PHI cannot be retrieved.
The problem is that most of us are not computer gurus who can decipher all the technical requirements in the official Medial Sanitation guidelines. So the question becomes, "just what is acceptable and what is unacceptable?" To help address this problem, the U.S. Department of Health and Human Services, Office for Civil Rights has released an FAQ which answers the following questions:
- What do the HIPAA Privacy and Security Rules require of covered entities when they dispose of
protected health information? - May a covered entity dispose of protected health information in dumpsters accessible by the public?
- May a covered entity hire a business associate to dispose of protected health information?
- May a covered entity reuse or dispose of computers or other electronic media that store electronic protected health information?
- How should home health workers or other workforce members of a covered entity dispose of protected health information that they use off of the covered entity’s premises?
- Does the HIPAA Privacy Rule require covered entities to keep patients’ medical records for any period of time?
We strongly encourage all healthcare providers and their staff to read through their non-technical answers to ensure your practice is in compliance.
UPDATED STANDARDS
On February 2015, the NIST announced the first revision of the official Guidelines for Media Sanitization. This announcement explains that the new revision describes three types of media sanitization – Clear, Purge, and Destroy. There is a VERY helpful flowchart which shows when each type should be used.
We highly recommend all covered entities to review this announcement in a training session with all their staff. Print out the flowchart and post it where it can be seen as a reminder. Don't forget to record this training session in your Compliance Manual.
Also, don't forget to review your Policies and Procedures to ensure that they are updated to include this information. If you have an Information Technology (IT) department or service, be sure they review the technical specifications of the official Guidelines to ensure that you are in compliance. This IT department should also issue an official report which should be included in your Compliance Manual as well.