Skip to Main Content

Disposal of Protected Health Information: How to Comply With HIPAA Regulations

By Tayla Holman October 14, 2015 Posted in: Your Practice , Article

Search our network of doctors and schedule your appointment today

Privacy is an integral aspect of any medical practice. If your patients don't trust that their personal and medical information is kept private, you're seriously compromising your business relationship with them. A key part of a patient's privacy is how you dispose of their medical records. When the time comes to destroy protected health information, it's important that covered entities do so in a way that complies with the Health Insurance Portability and Accountability Act (HIPAA).

Privacy 101

The HIPAA Privacy Rule requires that covered entities -- which include health plans, health care clearinghouses, and health care providers -- apply proper administrative, technical, and physical safeguards to secure patients' protected health information (PHI) in any form, including paper and electronic medical records. This requirement extends to the disposal of PHI, which may occur after a certain amount of time or if a health care provider converts patient information into electronic medical records (EMR).

The Privacy Rule does not include a requirement for medical record retention, but state laws generally specify how long medical records need to be retained. If there is no state or federal law, a medical board may provide a policy or recommendation.

Covered entities must also ensure that workforce members receive training on and follow the covered entity's disposal policies and procedures. Any workforce member who is directly involved in the disposal of PHI, or who supervises others who dispose of PHI, must receive this training.

While the Privacy Rule does not mandate a particular disposal method, covered entities should assess the risks to patient privacy when determining what procedures to put in place. PHI that contains patients' names, social security numbers, driver's license numbers, or debit/credit card information may require special attention during disposal because this information can result in identity theft. PHI containing diagnosis or treatment information should also be given special attention.

What to Do With Paper Records

In order to protect patient privacy, PHI in paper records may be disposed of by "shredding, burning, pulping, or pulverizing the records so that the PHI is unreadable or undecipherable and cannot be reconstructed," as the U.S. Department of Health & Human Services details.

Covered entities may not dispose of records in a dumpster or in other containers accessible by the public or unauthorized persons in general unless they have, again, been rendered unreadable and unable to be reconstructed. However, in certain cases, a covered entity may deposit patient records in locked dumpsters that are accessible only to authorized persons.

A covered entity may hire a business associate to dispose of PHI, but it must enter into an agreement or contract requiring the business associate to appropriately safeguard the PHI through the disposal process. The business associate may pick up the records from the covered entity, dispose of them, and then deposit them into a landfill or other appropriate area. Covered entities may also maintain PHI for disposal in a secure area until it is picked up by a disposal vendor for destruction.

Failure to dispose of protected health information in compliance with HIPAA can result in penalties and other fees. In January 2013, the former owners of a medical billing practice and four pathology groups in Massachusetts were forced to collectively pay $140,000 after medical records and billing information for approximately 67,000 patients were improperly disposed of at a public dump. The Office of the Attorney General in Massachusetts alleged that the groups violated HIPAA regulations by failing to implement the proper safeguards to protect patient PHI.

Obviously you're trying to avoid penalties, but above all you want your patients to feel confident that their private information is safe with you. Set up a structured means of disposal for electronic and physical records, and have that process on hand so you can make it clear to your patients that their privacy will always be preserved.

5 Questions Women Should Ask Their Primary Care Physician

MAR 01, 2023

Going to the doctor can be stressful. Whether for a general exam or a specific health problem, there is often so much information to process that we don't think to ask questions during our visit or simply feel embarrassed to ask.

Read More Additional information about Dignity Health | 5 Questions Women Should Ask Their Primary Care Physician

The Importance of Prenatal Vitamins

SEP 12, 2022

It's important to remember that vitamins and supplements cannot take the place of a healthy diet. For example, pregnant women should eat multiple servings of fresh green vegetables and foods rich in omega-3 fatty acids. Higher doses of certain vitami...

Read More Additional information about Dignity Health | *

Breastfeeding for Working Moms: 5 Tips to Guide You

SEP 12, 2022

It's often said that breastfeeding is a full-time job. And in those first few weeks of motherhood, when it feels like you're feeding constantly, it certainly can be. But what happens a few months later when you have to go back to work?

Read More Additional information about Dignity Health | How to Make Breastfeeding for Working Moms Easy