Running afoul of HIPAA can be a hugely expensive mistake. The Health Insurance Portability and Accountability Act was created in large part to protect patients’ right to privacy, and violating HIPAA has ramifications beyond those of the typical workplace mistake. A violation that results from willful neglect carries a minimum $10,000 fine per violation for the offending covered entity (the HIPAA term for organizations that are subject to its rules). And exposing protected health information (PHI), including through careless disposal, is an impermissible disclosure and a major HIPAA violation.
That’s why all covered entities, such as health insurance companies and medical offices, have to be extraordinarily careful and vigilant about destroying PHI. It doesn’t matter if 100 boxes of medical records are destroyed correctly if one single sheet of paper is accidentally left intact. Because anyone can submit a HIPAA complaint, a covered entity that commits such a violation would likely be investigated.
Patient files, hospital bracelets, prescription bottles and other items that contain PHI can’t simply be tossed in the dumpster. They can’t be left anywhere that is accessible by the general public, including recycling bins. Both physical and electronic records of PHI must be destroyed to the point that it would be impossible to get any information from them.
How Does PHI Have to Be Destroyed?
The HIPAA Privacy and Security Rules are specific about the outcome of destroying PHI but not about the method. They don’t dictate which destruction method a covered entity must use, but HHS guidance requires that paper documents be destroyed so that they are “essentially unreadable, indecipherable, and otherwise cannot be reconstructed” (shredding, burning, pulping or pulverizing). Likewise, electronic data must be cleared, purged or physically destroyed, following NIST Special Publication 800-88, so that it can’t be recovered; an overwrite that is not read back and verified afterward does not meet that bar. For other physical items that hold PHI, HHS gives as an example keeping them in opaque bags in a secure area until a disposal vendor collects them for destruction.
So what’s a covered entity to do? Running medical files through a standard strip-cut office shredder isn’t enough to make them unreadable to the extent that HIPAA requires, because strips can be reassembled. Shipping stores and mobile shredding services may not be secure enough to be trusted with sensitive patient files. Getting rid of non-paper PHI can be even trickier. Boxes full of old hospital admission wristbands or thumb drives that contain patient information can be heavy, take up space and are hard to thoroughly destroy by hand.
Any covered entity concerned about HIPAA compliance has to consider one more hurdle: supervising and documenting the destruction of PHI. It’s not enough to simply shred or destroy files and other items that hold data. The covered entity remains responsible for the PHI until it is actually destroyed: a destruction vendor is a business associate and must be bound by a business associate agreement, and the entity should be able to show from its own records what was destroyed, when, how, and by whom. Having an employee of the covered entity oversee the destruction and keep detailed records of it is the simplest way to meet that burden. At Northeast Data Destruction’s facility, an employee of the covered entity can observe the shredding and receive an NAID “AAA” Certificate of Destruction. (If the materials that are being destroyed have serial numbers or barcodes, NEDD can also scan those numbers and create a log for your records.)
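The two electronic-media points above, verifying that data on a drive really is unrecoverable before it leaves your custody and keeping a per-serial-number destruction record, can both be checked in code. The following is an added example, not code from Northeast Data Destruction or from HHS; it works on an in-memory stand-in for a drive image built from constructed fake patient text, the sector size, serial number and witness name are assumptions, and the "failed wipe" is simulated by skipping one block.

```python
"""Read-back verification of an overwritten drive image plus a destruction-log
record.  Added example with constructed sample data; not Northeast Data
Destruction's tooling.  BLOCK, the serial number and the witness are assumed."""
import hashlib
import json
from datetime import datetime, timezone

BLOCK = 512  # assumed sector size for the sample image


def make_sample_media(blocks: int = 16) -> bytes:
    """Constructed stand-in for a drive image holding PHI (fake data only)."""
    record = b"PATIENT: Jane Doe  DOB: 1970-01-01  DX: example only\n"
    return (record * ((blocks * BLOCK) // len(record) + 1))[: blocks * BLOCK]


def overwrite(media: bytes, pattern: bytes = b"\x00", skip_blocks=()) -> bytes:
    """Simulate a one-pass overwrite.  skip_blocks models a wipe that did not
    finish (bad sectors, interrupted job) so the verifier has something to catch."""
    out = bytearray(media)
    for i in range(len(media) // BLOCK):
        if i in skip_blocks:
            continue
        out[i * BLOCK:(i + 1) * BLOCK] = pattern * BLOCK
    return bytes(out)


def verify_overwrite(media: bytes, pattern: bytes = b"\x00") -> dict:
    """Read-back check: every block must equal the overwrite pattern.
    Residual blocks are listed so a failed wipe can be redone before release."""
    expected = pattern * BLOCK
    residual = [i for i in range(len(media) // BLOCK)
                if media[i * BLOCK:(i + 1) * BLOCK] != expected]
    return {"blocks": len(media) // BLOCK, "residual_blocks": residual,
            "clean": not residual}


def residual_text_runs(media: bytes, min_run: int = 16) -> list:
    """Find runs of printable ASCII of at least min_run bytes.  Any such run
    means the media is still readable in the plain sense of the HHS wording.
    Useful when the overwrite pattern was random and a byte-for-byte
    comparison against a fixed pattern is not possible."""
    runs, start = [], None
    for off, b in enumerate(media + b"\x00"):  # sentinel closes a final run
        printable = 0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D)
        if printable and start is None:
            start = off
        elif not printable and start is not None:
            if off - start >= min_run:
                runs.append((start, media[start:off].decode("ascii")))
            start = None
    return runs


def destruction_record(serial: str, method: str, report: dict, witness: str,
                       timestamp: str = None) -> dict:
    """One entry for the covered entity's own destruction log.  The SHA-256 is
    over the canonical JSON of the entry, so a later edit to it is detectable."""
    entry = {
        "serial": serial,
        "method": method,
        "verified_clean": report["clean"],
        "residual_blocks": report["residual_blocks"],
        "witness": witness,
        "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
    }
    entry["entry_sha256"] = hashlib.sha256(
        json.dumps(entry, sort_keys=True).encode()).hexdigest()
    return entry


if __name__ == "__main__":
    media = make_sample_media()
    partial = overwrite(media, skip_blocks={7})   # simulated interrupted wipe
    print(verify_overwrite(partial))              # residual_blocks == [7]
    print(residual_text_runs(partial)[0][1][:40])  # leaked text still readable
    full = overwrite(media)
    rec = destruction_record("SN-EXAMPLE-0001", "overwrite-1pass-zeros",
                             verify_overwrite(full), "J. Smith (covered entity)")
    print(json.dumps(rec, indent=2))
```

Against a real device you would read the image back through the same block device after the wipe tool reports success, not from the tool's own buffer, and keep the record beside the vendor's Certificate of Destruction; a serial number that appears on the certificate but has no verified-clean entry of your own is exactly the gap an investigator will ask about.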
Clearly, there are a lot of details that must be handled perfectly when destroying information that’s covered by HIPAA. That’s why covered entities should only trust this task to destruction companies that train their employees to understand compliance.
Northeast Data Destruction is experienced in helping covered entities meet HIPAA requirements. From locking collection bins to dedicated shredders for destroying hard drives, we have solutions for all your organization’s destruction needs. We’re happy to have a representative of your organization witness the process and can provide a Certificate of Destruction upon completing the job.
Don’t risk a violation when complying with the laws can be so easy. Contact Northeast Data Destruction today with any questions!
Sources:
https://www.ama-assn.org/practice-management/hipaa-violations-enforcement