A recent study demonstrated how problematic health record disposal is. The Privacy and Security Rules of the Health Insurance Portability and Accountability Act (HIPAA) make it clear how to properly get rid of health records while maintaining the confidentiality of patients and protecting their rights. The study indicates that poor disposal of records occurs frequently and is a strong area to target if you want to bolster your defenses against HIPAA violations. Along with a concern with paper PHI in an era when it can get overlooked, it is crucial to have strong protections for the increasing volume of electronic records as well.
HIPAA rules for disposal
Under HIPAA, healthcare practices, plans, and data clearinghouses are called covered entities. The three safeguards required of covered entities – technical, administrative, and physical – must be maintained when handling protected health information (PHI), as indicated by the Department of Health and Human Services (HHS). In order for organizations to prevent any unauthorized use or disclosure, they must be careful about the way that disposal of records occurs. The Security Rule necessitates that organizations must adopt practices, as outlined in their policies and procedures, that guard against violations by properly controlling how electronic PHI (ePHI) and the equipment or media used for its storage are removed from service. Plus, the Security Rule dictates that there should be practices in place to get the ePHI completely cleared off of the media before it can be reused.
Along with having policies and procedures that address disposal of records and data, covered entities must provide training for their staff so that everyone knows how to get rid of records without breaking federal law. Anyone who ever disposes of protected health information must be trained, as must anyone who manages personnel who are involved with disposal. Volunteers must receive this training as well.
Since these policies and procedures must govern any disposal of records, tossing out records in a dumpster or in any other type of container that might be accessible to people who are not permitted to see the information is unacceptable. While that is true, there is no specific method of disposal that is needed to meet the Privacy or Security Rules. Instead, disposal must be analyzed by each covered entity so that they can create a step-by-step plan, which they must then organize into formal policies and procedures.
To decide how you should reasonably dispose of your records, the HHS recommends looking at the threats to HIPAA compliance that are present, as well as considering the volume, category, and format of records that must be discarded. The HHS gives the example that the disposal of certain highly sensitive information – such as name, payment card information, social security number, driver license number, and treatment details – could require greater consideration and protections because there is a legitimate risk of loss of credibility, discrimination, or identity theft.
Best practices for HIPAA-compliant disposal, per the HHS, may include:
- Paper document pre-disposal – Any PHI that you have on-hand and has not been discarded yet, including labeled prescription bottles, should be kept in a spot that is secure, contained within opaque bags; then a business associate that disposes of records can collect them for proper disposal/destruction.
- Paper document disposal – You need it to be impossible for someone to read the records or be able to recompose them before you discard them. Typically that is achieved through shredding; however, the agency points out other methods that can work are pulping, pulverizing, and burning.
- Electronic media disposal – Techniques that can be used include destruction (as with shredding, incinerating, disintegrating, pulverizing, or incinerating), clearing (implementing technological solutions to write over media with data that is not sensitive), and purging (introducing a significant magnetic field to the media to allow disruption of its recorded magnetic domains, or degaussing).
Recycling audit: improper paper disposal high
A study conducted in Canada looked at the recycling bins of five different hospitals to determine the amount of sensitive data that was contained in them. The findings suggest the importance of considering paper document disposal related to security and compliance, even in an era of increasing digitization of records.
The researchers behind the study, conducted by St. Michael’s Hospital in Toronto, audited the recycling of the facilities and discovered nearly 3000 instances of sensitive information that had not been properly discarded – although not all of it was health-related. A total count of 2687 papers were found that included personally identifiable information (PII). A total of 1885 items specifically contained personal health information (notably not the protected health information of HIPAA since it’s Canadian patients/facilities).
The collection of recycling took place from November 2014 through May 2016.
All of the hospitals that participated in the study had policies for treatment of personal health information. They all had secure shredding containers for confidential information, as well as garbage and recycling bins intended for less sensitive data and other refuse. For four weeks, the research team collected all the recycling from each of the facilities, at least three times weekly over that period. The places where they collected the recycling material were diverse, including doctor’s offices, emergency rooms, intensive care departments, outpatient clinics, and inpatient wards.
The study authors found that the personal health information that was in the recycling was of broad types: diagnostic test results were on 340 documents; billing details were on 345 of them; and patient identifiers and labels were on 385.
The researchers noted that healthcare facilities in Ontario are guided by legislation just as is true of facilities in the United States. They also commented that because of the rise of ePHI, there is less attention being paid to hard copies – leading to this great amount of improperly discarded information. The disposal of such a large quantity of confidential health data means that the patients of these hospitals are not being properly protected from improper disclosure.
Senior study author Dr. Nancy Baxter also noted that the number of paper records has expanded quite a bit since a couple decades ago. Back then, when a test result came in by paper, it would be added to the patient’s file as the only paper copy. Today it has become common for printing to occur repeatedly, as needed, for greater convenience. The vast majority of these papers end up in the secure shredding containers. However, some of them end up in the improper containers – the trash or recycling.
Dr. Baxter explained that the areas of hospitals in which chaos tends to arise are not the only locations that have issues with improper record disposal. Actually, the most problems were found in the doctor’s offices. That is troubling, said Baxter, because those offices “should get as close to 100 percent appropriate shredding as possible.”
HIPAA-compliant hosting for your ePHI
While the risk of unauthorized disclosure with paper health records is high, as indicated by the Canadian study, it is also critical to ensure that your ePHI is safeguarded adequately as well – avoiding violations both in physical and electronic form. HIPAA Compliant Database Hosting by Atlantic.Net is SSAE 18 SOC 1 & SOC 2 certified and HIPAA & HITECH audited, designed to secure and protect critical data and records. See our HIPAA compliant hosting solutions.