The Consequences of Improperly Disposing of Protected Health Information (PHI)

Nov 24, 2022

Patient privacy is a critical part of any healthcare practice. Patients place their trust in their medical providers to keep their personal and medical information confidential. Whenever that trust is breached, not only is your practice’s reputation on the line, but you also risk severe consequences.

The disposal of medical records is a routine part of running a healthcare practice, but safe disposal requires compliance with federal standards. You can’t just throw a few hard drives in the trash and call it a day. The Health Insurance Portability and Accountability Act (HIPAA) governs the methods medical providers may use to destroy protected information.

Protected Health Information

Under HIPAA guidelines, North Dakota medical providers must keep patient records for at least six years before disposing of them.

Paper healthcare records can generally be destroyed using industry-standard shredding methods. However, when it comes to electronic protected health information (ePHI), there are many more elements to consider for safe disposal.

To wipe digital patient information, you must account for every format and storage medium it may reside on, including:

  • USB drives
  • External hard drives
  • Office tablets and phones
  • Laptops and desktops
  • Printers with storage capabilities
  • Servers
  • Medical equipment

Digital data can easily be recovered when it’s not properly wiped, which makes any of these devices a potential source of a privacy breach. Effective ePHI disposal can be done through:

  • Data destruction
  • Disk wiping
  • Physical device destruction

Consulting with an experienced asset management service can help you determine the best way to dispose of your PHI securely.

HIPAA Penalties

The Department of Health and Human Services (HHS) oversees the enforcement of HIPAA privacy violations.

Any breach of federal privacy laws is a serious matter. Whenever your patients’ information is compromised as a result of your negligence, your medical practice risks several penalties.

Financial Sanctions

When a healthcare organization violates privacy standards, the Office for Civil Rights (OCR) has the ability to issue financial penalties.

The following are the minimum penalties based on the level of violation:

  • Tier 1: Lack of knowledge, $127
  • Tier 2: Reasonable cause, $1,280
  • Tier 3: Willful neglect, $12,794
  • Tier 4: Uncorrected neglect, $63,737

Many factors are weighed when determining sanctions, including the provider’s willingness to comply, any history of HIPAA violations, and the level of knowledge involved.

Criminal Sanctions

HIPAA violations can also cross the threshold into criminal activity.

Federal healthcare privacy laws set strict boundaries for employees, providers, and associates. Much like financial penalties, criminal charges for HIPAA violations are determined by the situation’s unique circumstances:

  • Lack of knowledge, maximum of one year in jail
  • Intentional deception, maximum of five years in jail
  • Malicious intent, up to ten years in jail

Privacy laws don’t beat around the bush, and even a minor mishap can often be enough to result in criminal prosecution.

Loss of Medicare

Medicare remains one of the largest healthcare providers in the United States. As such, it holds partners to high standards.

Whenever a HIPAA violation occurs, Medicare may choose to withhold payments. Medicare sanctions can result in thousands of dollars in losses for any medical practice.

Safe PHI Disposal in North and South Dakota

SEAM provides certified data disposal across North Dakota and South Dakota. From paper shredding to hard drive destruction, we can meet your needs. Contact us today to learn more about how you can safely dispose of PHI.

SEAM provides IT recycling and data destruction services including onsite shredding and hard drive wiping to South Dakota, North Dakota, Minnesota, Iowa, and Nebraska.

Schedule a pickup or contact us for more information.