Things HIPAA Requires, and Does Not, Concerning Shredding

The Health Insurance Portability and Accountability Act (HIPAA) was enacted 25 years ago. The act was passed to improve the protection of patient information and health records, defined as protected health information (PHI). It requires that physical and electronic protections be set up by medical practices, insurance companies, and all business associates. Failing to comply with the requirements can result in significant fines.

It has been in place for so many years that many people can’t recall a time when they didn’t have to sign another HIPAA disclosure form each time they started with a new doctor. But the form is only one part of the act. It also changed who the doctor is allowed to pass data to and in what form. Some people have observed that it may now be more difficult to obtain their own private medical files.

The law received some additional changes in 2009 with the enactment of the Health Information Technology for Economic and Clinical Health (HITECH) Act. This law was part of what is commonly known as the stimulus law. It added rules for data breach notification and increased the fines for failing to meet the HIPAA privacy rule.

There have been a couple of years to learn about HITECH and twenty-six years to learn about HIPAA, but there is still a significant amount of confusion about what exactly is mandated by the rule. It does not help that some businesses have started up with solutions and services specifically designed to serve the HIPAA compliance market. To improve sales they may spread fear, uncertainty and doubt (FUD).

The HIPAA law as a whole is beyond the scope of this article, which will discuss only one aspect: disposal of PHI. This part is referenced in section CFR 164.530(c) of the act. It mandates that all covered entities have “reasonable safeguards” to guard the privacy of PHI in every format, and this covers the disposal of the files.

All health providers are required to maintain policies and processes for destroying PHI, both on paper and stored on computers. There should also be training for workers, managers, and volunteers on the proper destruction of medical files. This rule is mentioned in sections CFR 164.306(a)(4), 164.308(a)(5), and 164.530(b) and (i).

There are some things that the act doesn’t specifically cover. It does not specify one form of destruction. The covered entity is required to evaluate the sensitivity of the PHI being destroyed and the possible threats. Files that might result in harm to the patient through identity theft, discrimination, or damaged reputation should be handled and destroyed with increased care.

Since discarding the information intact in the trash is not allowed, there are several other options that can be used. Some types of disposal that are allowed are shredding, burning, pulping, and pulverizing. So let us examine each method.

Burning papers is against the law in nearly every city, so this isn’t an option for many doctors. Pulping is a complete solution, and if the practice is near a paper mill that would work perfectly. The issue is that paper mills exist in only a small part of the nation. Pulverizing is simply a particular type of shredding, so for the purposes of this article we will refer to them as one.

The most common process for destroying medical records is shredding. HIPAA allows shredding to be performed in house or to be contracted out to a vendor. There is no requirement that the shredding be completed at your location. There are vendors who will say this to inflate the price, but it is just FUD. Whichever process you opt for, make sure to either generate documentation of the shredding internally or receive it from your shredding service.