Important Considerations When Disposing of Physical PHI Records

Mar 7, 2023

Improperly disposing of patient health information is a serious HIPAA violation and can result in hefty fines for your organization. Therefore, if you handle protected health information (PHI), safe disposal of these records is vital.

Aside from any related monetary fines, failure to properly dispose of PHI creates a risk for your patients and your business. It could lead to the information being made public, severely violating the patient’s right to privacy. For example, if you discard a specimen container or a labeled prescription bottle that carries a patient’s name and address, it could expose their personal information to anyone who goes through the trash.

If your business falls under HIPAA’s purview, you must institute proper safeguards to ensure your patients’ private information is protected from unauthorized disclosure.

HIPAA Requirements

HIPAA (the Health Insurance Portability and Accountability Act of 1996) has stringent requirements regarding storing and safely disposing of a patient’s personal information. Its Privacy Rule requires covered entities and their business associates to “apply appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information (PHI), in any form,” and HHS guidance makes clear that this obligation extends to how PHI is disposed of.

This means you must implement practices that safeguard patient information and limit your personnel’s access to the minimum necessary for their jobs. Failure to do so can result in steep fines, potential litigation, and reputational damage.

Follow the HIPAA Security Rules

In addition to the Privacy Rule’s safeguards, which apply to PHI in any form, HIPAA has a Security Rule governing how electronic PHI (ePHI) must be stored and disposed of. Its device and media controls standard requires facilities to have policies for the final disposition of ePHI and the hardware or media it is stored on, and to remove ePHI from electronic media before that media is made available for reuse.

HIPAA also requires that workforce members with access to PHI be trained on your policies and procedures, including proper PHI disposal. Although the regulations themselves are understandably strict, HIPAA is somewhat flexible in regard to how an organization implements safeguards to ensure proper disposal.

When it comes to PHI printed on paper, HHS guidance recommends disposing of records in such a manner that the PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed. More specifically, it recommends the following methods:

  • Burning
  • Shredding
  • Pulping
  • Pulverizing

When it comes to hard drives and other storage media for electronic data, the same guidance lists clearing (overwriting the media with non-sensitive data), purging (degaussing), or physically destroying the media (disintegration, pulverization, melting, incineration, or shredding). It is recommended to use a secure facility that specializes in wiping and shredding hard drives. Note that a vendor who handles your PHI for disposal is a business associate, so you need a business associate agreement in place with them.

Think Twice Before You Toss PHI in the Garbage Can

HIPAA’s safeguarding rules are federal and apply the same in every state, although a state law that is more stringent than HIPAA still applies on top of it. So whether you are in North Dakota or South Dakota, you must take reasonable precautions when disposing of PHI.

Never toss patient records in an unsecured dumpster unless they have first been destroyed beyond recognition, to the point where they cannot be reconstructed. Discarding intact records is an impermissible disclosure of unsecured PHI and is presumed to be a breach, meaning your organization could face breach notification obligations, penalties, and reputational damage.

Need to Dispose of Your Data? Contact the Experts

If your business needs to dispose of sensitive information, contact Secure Enterprise Assessment Management (SEAM). We serve North Dakota and South Dakota and specialize in electronics recycling, secure data destruction, value recovery, and more. Get in touch with us today.

SEAM provides IT recycling and data destruction services including onsite shredding and hard drive wiping to South Dakota, North Dakota, Minnesota, Iowa, and Nebraska.

Schedule a pickup or contact us for more information.