ED Coding and Reimbursement Alert

Reader Question:

Find out What to Do With PHI

Question: We are moving to a different location, and staff members are purging old patient records. What's the best legal way to dispose of records of patients no longer living or no longer part of our practice?

Codify Subscriber

Answer: According to the Health and Human Services' Office for Civil Rights website, anyone who is charged with disposing protected health information (PHI) must be trained, including volunteers. There are a few different options, as the Privacy and Security Rules do not specify a particular disposal method. However, covered entities cannot dispose of PHI in dumpsters or other places where the public or other unauthorized persons could get to it. »

"Covered entities must review their own circumstances to determine what steps are reasonable to safeguard PHI through disposal, and develop and implement policies and procedures to carry out those steps. In determining what is reasonable, covered entities should assess potential risks to patient privacy, as well as consider such issues as the form, type, and amount of PHI to be disposed. For instance, the disposal of certain types of PHI such as name, social security number, driver's license number, debit or credit card number, diagnosis, treatment information, or other sensitive information may warrant more care due to the risk that inappropriate access to this information may result in identity theft, employment or other discrimination, or harm to an individual's reputation.

"In general, examples of proper disposal methods may include, but are not limited to:

  • "For PHI in paper records, shredding, burning, pulping, or pulverizing the records so that PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed.
  • "Maintaining labeled prescription bottles and other PHI in opaque bags in a secure area and using a disposal vendor as a business associate to pick up and shred or otherwise destroy the PHI.
  • "For PHI on electronic media, clearing (using software or hardware products to overwrite media with non-sensitive data), purging (degaussing or exposing the media to a strong magnetic field in order to disrupt the recorded magnetic domains), or destroying the media (disintegration, pulverization, melting, incinerating, or shredding)."  


Other Articles in this issue of

ED Coding and Reimbursement Alert

View All