Making Sure Your Medical Record Shredding Practices are HIPAA Compliant
The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 with the goal of protecting privileged individual health information, while still allowing necessary health information to be shared for the purposes of providing high quality health care. This act sets very strict standards for how individual health information should be protected by those it is entrusted to, as well as how it may legally be used in the service of patient care.
As a South Dakota healthcare provider, you know how important it is to ensure patient privacy, not only by complying with consumer privacy laws but also by keeping sensitive patient health information secure in compliance with strict HIPAA rules and regulations. This encompasses a wide range of activities, from collecting and using data, to sharing and storing it, to data destruction. How can you make sure that your medical record shredding practices are HIPAA compliant?
Before you destroy any protected health information (PHI), you must first make sure you understand the rules regarding document retention. HIPAA itself does not set specific medical record retention periods. Retention of business records, including patient medical records, is determined on a state-by-state basis, so you need to be aware of the state laws relating to PHI to ensure compliance.
That said, HIPAA does specify that HIPAA-related documents should be retained for a minimum of six years, starting on the date the document was created or, alternatively, the date when a policy was last in effect. If a state law mandates a shorter retention period, the HIPAA requirement takes precedence.
Types of Data that Must be Destroyed
In determining which documents must be disposed of, you’ll want to focus on certain types of information. For example, you must destroy any documents that contain personal information like the patient’s:
– Social Security Number
– Driver’s License Number
– Debit or Credit Card Information
– Other sensitive personal information
In essence, healthcare providers need to consider whether information could result in identity theft, discrimination (employment or other), or harm to a patient’s reputation if it were somehow made public. If so, it must be properly destroyed.
Disposing of Patient Health Information
According to the Department of Health and Human Services (HHS), covered entities in possession of protected health information “must implement reasonable safeguards to limit incidental, and avoid prohibited, uses and disclosures of PHI, including in connection with the disposal of such information.” While they do not require a particular method of disposal, suitable methods of destruction should render information unreadable, indecipherable, and impossible to reconstruct.
For paper records, this could include “shredding, burning, pulping, or pulverizing”. Since most businesses don’t maintain furnaces for burning their records, and pulping and pulverizing are not generally readily available forms of destruction, this leaves shredding as the most convenient and effective option for compliance.
Of course, the mandate to ensure that data is unreadable, indecipherable, and so on is not very specific, leaving businesses to work out the parameters of shredding. Luckily, you don’t have to go it alone. Your certified ITAD service provider offers industrial shredding equipment designed to comply with all applicable rules, including consumer privacy laws and industry regulations.
If your South Dakota business is seeking a reliable and certified ITAD service provider for data destruction, contact the qualified professionals at SEAM today at 605-274-7326 (SEAM) or online to learn more.