Best Practices: Healthcare Office Off-Site Paper Shredding

All businesses have sensitive data to protect, but paper shredding is even more critically important for healthcare entities than for virtually any other industry. For healthcare offices, protecting information from exposure is more than a matter of professional conduct. HIPAA compliance makes it a matter of law. And recent trends indicate that healthcare data is under more threat than ever before.

Healthcare data breaches have been steadily rising each year. The number of data breaches involving 500+ records occurring each year has doubled since 2018. The bulk of those breaches are related to hacking/IT incidents. Healthcare data is also lost or stolen from physical records every year, but these cases have steadily decreased over the last decade. It’s an indication that most healthcare offices have adopted stricter controls around things like paper shredding and other practices designed to keep physical data secure.

Most healthcare offices generate too much paper waste for their already-overstretched employees to shred. A lot of the sensitive data that healthcare offices handle is stored on things other than paper, which makes shredding difficult on the kind of machines small businesses own. So entrusting obsolete materials to a data destruction service for off-site paper shredding is typically the most efficient way for these businesses to manage their sensitive data.

Even if your healthcare office already works with a paper shredding service for disposing of its records, it’s still vulnerable to data breaches at any time. Make sure you’re following these best practices for keeping business data, employee data and patient data secure.

Shredding should be the standard disposal method for nearly every kind of data your office gets rid of. 

Workers in the average healthcare office barely have time to stop for coffee. They can’t waste time sorting through stacks of paper, debating which documents contain protected health information or other sensitive data and which ones are safe to put in the recycling bin. Data destruction is easiest for a busy office when everything can be funneled to the same place for secure handling. That includes not just paper files but also X-rays, DVDs, obsolete employee ID badges, audio tapes, hard drives and other media that hold data. Data destruction services should be equipped to shred all these materials into pieces so small they can’t ever be reassembled.

Do paper shredding on both a scheduled and one-off basis. 

Arranging for your data destruction service to make pickups on a regularly scheduled basis prevents collection bins from filling up, and takes one administrative task off of the plates of the office staff. Healthcare offices may also need to request supplemental pickups when culling old files from storage or doing other projects that generate a lot of things that need shredding. One-off pickups clear all that stuff out so it doesn’t take up valuable storage space while you’re waiting for your next scheduled pickup.

Maintain multiple levels of security with obsolete files and other to-be-shredded materials. 

Up until your data destruction service securely loads your materials for off-site shredding, your healthcare office is responsible for protecting all that data. Healthcare offices typically have a lot of foot traffic. If a visitor walking through could grab some papers out of an open recycling bin while no one’s looking, that’s a security risk. Paper and other materials awaiting shredding should be collected in locked containers, and ideally those containers are kept in secure rooms that only approved staff can access.

Refresh data security and data disposal training with staff on a routine basis. 

Healthcare office staff have a ton of things to think about every day, many of them relating directly to patient care. The office’s data security policies probably aren’t a high priority issue for these busy staffers, understandably. Managers have a responsibility to reinforce the office’s data policies routinely so everyone’s clear about best practices for protecting PHI and other sensitive data. It should become second nature for employees to drop obsolete documents and other materials into locked collection bins. And everyone should be clear about who’s the in-office point person for any questions or concerns about paper shredding, recycling and other data destruction matters.

Maintain complete records of paper shredding and other data disposal activities.

If the office is ever subject to a HIPAA audit—and every entity covered by HIPAA is eligible to be audited—having all your paperwork in order is going to be important. Healthcare offices must keep complete records of paper shredding and other data destruction activities as evidence of compliance with HIPAA. Get a Certificate of Destruction from your shredding service after every job, and keep these certificates along with your own notes about what specific records were destroyed.

Vet paper shredding and data destruction services thoroughly. 

Your healthcare office’s PHI and other sensitive data is only as secure as the company that you trust to shred it. One way to confirm that your paper shredding/data destruction service meets industry standards is to verify that it has AAA certification from NAID. Getting and maintaining this certification requires that all employees have been background checked and that the company has thorough security measures in place.

Northeast Data Destruction provides a full range of shredding services for healthcare offices and other businesses with stringent security requirements. We can provide locked bins for storing materials, arrange scheduled and one-time pickups, securely transport materials to our NAID AAA-certified facility and provide a Certificate of Destruction for your records. If you have any questions about paper shredding or data destruction, contact me today.