Medical Record Destruction is Mandated by HIPAA

Mar 17, 2020

All kinds of businesses are required to maintain patient medical records.  However, these businesses are also required to dispose of those records in keeping with not only consumer privacy laws, but also the Health Insurance Portability and Accountability Act, or HIPAA, which has provisions specifically addressing the privacy and protection of medical records and individually identifiable health information.

If your South Dakota business deals with medical records in any capacity, it’s important that you understand HIPAA-mandated data destruction requirements, including what must be destroyed, when it should be destroyed, and how to go about legally disposing of data.  Here’s what you should know.

What to Destroy

Patients have rights when it comes to individually identifiable health information, or protected health information (PHI), and HIPAA spells out how those federal protections translate into data destruction.  If you deal with patient health information, you must secure certain pieces of data not only while they’re in use, but all the way through destruction.  PHI that must eventually be destroyed includes any form of media (electronic, paper, or oral) containing the following:

  • Patient name
  • Birth date (or other dates that are PHI)
  • SSN
  • Physical address, phone number, fax number, or other geographic identifiers
  • Email or IP address or web URLs
  • Medical record and account numbers
  • Health plan beneficiary numbers
  • Identifying images (full face or similar photos)
  • Retinal scans, fingerprints, or other biometric identifiers
  • Device serial numbers or other identifiers
  • Vehicle identifiers (license plate, VIN, or other identifiers)
  • Certificate or license numbers
  • Other individual identifiers (numbers, codes, characteristics, etc.)

Individually identifiable health information could also include demographic information related to:

  • A patient’s past, present, or future physical or mental health or condition
  • The provision of health care to the patient
  • Past, present, or future payment for the provision of health care

insofar as the information could be used to identify the individual.
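Before media can be scheduled for destruction, you first have to find out which documents or exports actually carry the identifiers listed above. The scanner below is an added example, not code from SEAM or from any HIPAA guidance; it detects, by shape alone, the subset of identifiers that have a recognizable format (SSNs, dates, phone numbers, email and IP addresses, URLs, medical record numbers, VINs) and redacts them. The pattern set, the `Finding` type and the sample record are all constructed for this illustration; names, photographs, biometrics and free-text characteristics have no fixed shape, so a scanner like this will under-detect and must be paired with manual review.

```python
import re
from dataclasses import dataclass

# Hypothetical pattern set (assumption): covers the page's identifiers that can be
# recognised structurally. Names, photos, biometrics etc. need other controls.
PATTERNS = {
    "ssn":   re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"(?<!\d)(?:\+?1[-. ])?\(?\d{3}\)?[-. ]?\d{3}[-. ]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ipv4":  re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url":   re.compile(r'\bhttps?://[^\s<>"]+', re.IGNORECASE),
    "date":  re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{4}|\d{4}-\d{2}-\d{2})\b"),
    "mrn":   re.compile(r"\bMRN[:#\s]*\d{6,}\b", re.IGNORECASE),
    "vin":   re.compile(r"\b[A-HJ-NPR-Z0-9]{17}\b"),  # 17 chars, no I/O/Q
}


@dataclass(frozen=True)
class Finding:
    kind: str    # which identifier class matched
    value: str   # the matched text
    start: int   # offset in the scanned text


def scan_text(text: str) -> list[Finding]:
    """Return every identifier match, ordered by position in the text."""
    found = []
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(text):
            found.append(Finding(kind, m.group(0), m.start()))
    return sorted(found, key=lambda f: f.start)


def requires_destruction(text: str) -> bool:
    """True if the text carries at least one detectable identifier and so
    falls under the destruction requirements rather than ordinary disposal."""
    return bool(scan_text(text))


def redact(text: str) -> str:
    """Replace each match with a bracketed class label, e.g. [SSN]."""
    out = text
    for kind, rx in PATTERNS.items():
        out = rx.sub(f"[{kind.upper()}]", out)
    return out


# Constructed sample record; every value here is fictitious.
SAMPLE = """Patient: Jane Doe (constructed sample)
DOB: 04/12/1961  SSN: 123-45-6789
MRN: 00457812  Phone: (605) 555-0142
Email: jane.doe@example.com  Last login from 10.20.30.40
Portal: https://portal.example.com/visit/8812
Vehicle VIN: 1HGCM82633A004352
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"{f.kind:5s} @{f.start:4d}  {f.value}")
    print(redact(SAMPLE))
```

Run it on an exported chart or a mailbox dump before deciding whether the carrier media can go to ordinary recycling or must enter the PHI destruction workflow; a single hit is enough to route the whole item to destruction, since partial redaction of a physical medium is not possible.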

When to Destroy It

The HIPAA Privacy Rule actually specifies no requirements for retaining medical records, other than following the laws of your state governing the retention of medical records.  The HIPAA Privacy Rule does state, in 45 CFR 164.530(c), that “A covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of health information”, and this includes not only during retention, but through the disposal process.

How to Destroy It

Under HIPAA regulations, there are several acceptable ways to dispose of PHI, including, but not limited to:

  • Shredding, burning, pulping, or pulverizing paper records so that they cannot be reconstructed
  • Clearing/overwriting, purging/degaussing, or physically destroying (shredding, pulverizing, melting, incinerating, or disintegrating) electronic media
  • Using a disposal vendor to pick up and shred or otherwise destroy PHI
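The first electronic option above, clearing by overwriting, is only as good as the verification that follows it. The script below is an added example, not SEAM's tooling or any regulator's reference procedure; it overwrites a file in place (random data, then a final zero pass), forces the writes through the OS cache, and then reads the whole file back to confirm no original byte survived. A temporary file stands in for a drive here, which is an assumption; on real media you would open the block device instead. The caveat that matters in practice is built into the comments: overwriting is adequate for magnetic media but not for SSDs or flash, where wear levelling and spare blocks keep copies the host cannot address, so those need purge (firmware sanitize or cryptographic erase) or the physical destruction methods listed above.

```python
import os
import secrets
import tempfile

CHUNK = 64 * 1024  # read/write granularity in bytes


def overwrite_path(path: str, passes: int = 2) -> int:
    """Overwrite every byte of `path` in place and return its size.

    Every pass but the last writes random data; the last writes zeros so the
    result can be verified deterministically. This is the 'clearing/overwriting'
    method from the page. Caveat: it is suitable for magnetic media only. SSDs
    and flash remap blocks and keep spares the host cannot reach, so overwriting
    there must be replaced by purge (sanitize/crypto-erase) or physical destruction.
    """
    size = os.path.getsize(path)
    for n in range(passes):
        last = n == passes - 1
        with open(path, "r+b") as f:
            remaining = size
            while remaining > 0:
                length = min(CHUNK, remaining)
                f.write(b"\x00" * length if last else secrets.token_bytes(length))
                remaining -= length
            f.flush()
            os.fsync(f.fileno())  # push through the OS cache before verifying
    return size


def verify_zeroed(path: str) -> bool:
    """Read the whole file back and confirm every byte is zero."""
    with open(path, "rb") as f:
        while True:
            block = f.read(CHUNK)
            if not block:
                return True
            if block != bytes(len(block)):
                return False


def contains(path: str, marker: bytes) -> bool:
    """Naive search for `marker` anywhere in the file (demonstration only)."""
    with open(path, "rb") as f:
        return marker in f.read()


def demo_clear() -> dict:
    """Build a constructed 'media image' holding fake PHI, clear it, verify."""
    marker = b"SSN: 123-45-6789 MRN 00457812"  # constructed sample PHI
    fd, path = tempfile.mkstemp(prefix="phi-image-")  # stands in for a drive
    os.close(fd)
    try:
        with open(path, "wb") as f:
            f.write(secrets.token_bytes(200_000) + marker + secrets.token_bytes(50_000))
        before = contains(path, marker)
        size = overwrite_path(path, passes=2)
        after = contains(path, marker)
        ok = verify_zeroed(path)
    finally:
        os.remove(path)
    return {"size": size, "marker_before": before, "marker_after": after, "verified": ok}


if __name__ == "__main__":
    print(demo_clear())
```

Keep the verification result (device identifier, size, pass count, verification outcome, operator, date) as the record for that item; a disposal vendor's certificate of destruction serves the same purpose for media you hand off, and either way the record is what shows the safeguards required by 45 CFR 164.530(c) were applied through disposal.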

As a South Dakota business owner that works with PHI, you’ll find that your best bet is to partner with a reliable and certified ITAD service provider that understands and complies with HIPAA regulations on your behalf.  Contact the experts at SEAM today at 605-274-7326 (SEAM) or online to request a quote and learn more.

SEAM provides IT recycling and data destruction services including onsite shredding and hard drive wiping to South Dakota, North Dakota, Minnesota, Iowa, and Nebraska.

Schedule a pickup or contact us for more information.