A comprehensive guide "What Does HIPAA Require for Medical Record Disposal?"
- Definitions: Before diving into the requirements, it is essential to understand some of the key terms related to HIPAA medical record disposal.
  - Protected health information (PHI): Any individually identifiable health information that is created or received by a healthcare provider, health plan, employer, or healthcare clearinghouse.
  - Covered entity: Any healthcare provider, health plan, employer, or healthcare clearinghouse that transmits PHI electronically.
  - Business associate: Any individual or organization that performs functions or activities on behalf of a covered entity, such as a third-party billing company.
- Disposal Methods: HIPAA does not mandate specific methods for disposing of medical records. However, it requires that covered entities and business associates implement reasonable and appropriate measures to protect against unauthorized access to and disclosure of PHI during disposal. Some acceptable disposal methods include shredding, burning, pulping, or pulverizing the PHI.
- Required Safeguards: Covered entities and business associates must take reasonable steps to safeguard PHI during disposal. The following safeguards are required under HIPAA:
  - Implementation of Policies and Procedures: Covered entities and business associates must implement written policies and procedures to ensure the proper disposal of PHI. These policies and procedures should identify the disposal methods that will be used, how PHI will be transported, and who will be responsible for overseeing the disposal process.
  - Training: Covered entities and business associates must provide training to their workforce on the proper disposal of PHI. This training should cover the organization's policies and procedures, as well as practical instruction on how to handle and dispose of PHI.
  - Recordkeeping: Covered entities and business associates must maintain documentation of their disposal practices, including what PHI was disposed of, how it was disposed of, and who oversaw the disposal process. This documentation should be retained for at least six years.
- Destruction of Electronic PHI (ePHI): Covered entities and business associates must also ensure the secure disposal of ePHI. This includes any electronic media that contains PHI, such as hard drives, USB drives, and backup tapes. The following safeguards are required under HIPAA:
  - Clearing: Electronic media must be cleared of all PHI before disposal. Clearing uses software or hardware tools to overwrite the media with non-sensitive data so that the PHI cannot be recovered.
  - Purging: If clearing is not possible, the media must be physically destroyed to the extent that the PHI cannot be retrieved. This can be done through methods such as degaussing or shredding.
  - Disposal: Once the media has been cleared or purged, it can be disposed of using the same methods as non-electronic PHI.
- Contractual Obligations: Covered entities must ensure that their business associates comply with HIPAA requirements for medical record disposal. This can be done through a contract that outlines the business associate's responsibilities for the proper disposal of PHI. The contract should also require the business associate to notify the covered entity of any breaches of PHI during the disposal process.
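The ePHI clearing step and the recordkeeping safeguard above can be tied together in a small tool: overwrite a media image with non-sensitive data, verify that the PHI is actually gone, and emit the what/how/who/when record that must be retained. The following is an added example, not code from the original guide or any HIPAA-issued tooling; the file layout, the constructed patient strings, the `DisposalRecord` fields, and the `privacy.officer@example.org` reviewer are all assumptions made for illustration.

```python
"""Added example: clear a media image of PHI by overwriting, verify the result,
and produce a disposal record of the kind the recordkeeping safeguard requires.
All sample data and field names here are constructed for illustration."""
import hashlib
import os
import secrets
import tempfile
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample PHI; no real person is referenced.
SAMPLE_PHI_RECORDS = [
    b"PATIENT: Jane Example|DOB: 1970-01-01|DX: hypothetical condition\n",
    b"PATIENT: John Sample|DOB: 1985-05-05|DX: another hypothetical\n",
]


def make_sample_media(path: str, size: int = 64 * 1024) -> None:
    """Create a file standing in for a drive image, with PHI at two offsets."""
    buf = bytearray(size)
    offset = 4096
    for rec in SAMPLE_PHI_RECORDS:
        buf[offset:offset + len(rec)] = rec
        offset += 16 * 1024
    with open(path, "wb") as f:
        f.write(buf)


def overwrite_media(path: str, passes: int = 2, chunk: int = 1 << 16) -> int:
    """Overwrite every byte of the file `passes` times with non-sensitive data.

    Earlier passes write random bytes; the final pass writes zeros so the
    result can be verified by inspection. Returns bytes written per pass.
    Caveat: overwriting at the file level does not reach remapped sectors or
    the spare area of flash media, which is why the guide lists purging
    (degaussing, shredding) for media that cannot be reliably cleared.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for p in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                f.write(bytes(n) if p == passes - 1 else secrets.token_bytes(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # push this pass through the OS write cache
    return size


def phi_present(path: str, markers=SAMPLE_PHI_RECORDS) -> bool:
    """True if any known PHI byte sequence can still be found on the media."""
    with open(path, "rb") as f:
        content = f.read()
    return any(m in content for m in markers)


def all_zero(path: str) -> bool:
    """True if every byte on the media is zero (expected after the final pass)."""
    with open(path, "rb") as f:
        return not any(f.read())


@dataclass
class DisposalRecord:
    """What was disposed of, how, who oversaw it, and when (assumed fields)."""
    media: str
    method: str
    passes: int
    bytes_overwritten: int
    verified: bool
    overseen_by: str
    disposed_at: str
    final_sha256: str


def clear_and_record(path: str, overseen_by: str, passes: int = 2) -> DisposalRecord:
    """Clear the media, verify it, and return the entry for the disposal log."""
    written = overwrite_media(path, passes)
    verified = (not phi_present(path)) and all_zero(path)
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return DisposalRecord(
        media=os.path.basename(path),
        method=f"overwrite ({passes} passes, final pass zeros)",
        passes=passes,
        bytes_overwritten=written,
        verified=verified,
        overseen_by=overseen_by,
        disposed_at=datetime.now(timezone.utc).isoformat(),
        final_sha256=digest,
    )


def run_demo() -> tuple:
    """Build the sample media, confirm PHI is present, clear it, return results."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "backup-tape-image.bin")
        make_sample_media(path)
        before = phi_present(path)
        record = clear_and_record(path, overseen_by="privacy.officer@example.org")
        after = phi_present(path)
    return before, after, record


if __name__ == "__main__":
    before, after, record = run_demo()
    print(f"PHI present before clearing: {before}, after: {after}")
    print(record)
```

The `verified` flag is the point of the example: a disposal record that only states "overwritten" is weaker evidence than one that also states the media was read back and found free of the PHI it held. For physical drives the same verify-then-log pattern applies, but the overwrite itself should be done with the device's own sanitize command or, where that is unavailable, by purging as the guide describes.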
HIPAA requires covered entities and business associates to implement reasonable and appropriate measures to safeguard PHI during disposal. This includes the development of policies and procedures, workforce training, recordkeeping, and the proper disposal of electronic media containing PHI. Failure to comply with HIPAA requirements can result in significant fines and penalties, so it is crucial to ensure that your organization has a robust and compliant medical record disposal process in place.