General Surgery Coding Alert

Question: Do we need to follow specific rules regarding records disposal under HIPAA, and if so, where do we find the rules?

Texas Subscriber

Answer: Although the HIPAA Privacy and Security Rules do not specify a particular disposal method, the HHS Office for Civil Rights (OCR) provides specific examples on the proper way to dispose of patients’ protected health information (PHI).

Check out these examples on the proper way to dispose of PHI in various media, according to OCR guidance:

• Paper records: Use shredding, burning, pulping, or pulverizing so PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed. The best practice is on-site destruction to reduce the chance of accidental disclosure during transport.
• Electronic media: Use clearing (using software or hardware products to overwrite media with nonsensitive data), purging (degaussing or exposing the media to a strong magnetic field to disrupt the recorded magnetic domains), or destroying the media (disintegration, pulveri­zation, melting, incinerating, or shredding).
• Prescription bottles: Maintain labeled prescription bottles in opaque bags in a secure area and use a disposal vendor as a business associate to pick up and shred or otherwise destroy the PHI.

Consider this: If you think that improperly disposing of patients’ PHI isn’t breachworthy, think again. OCR is currently investigating three separate cases of healthcare providers who improperly disposed of their patients’ data, according to the OCR breach portal.

Bottom line: “Covered entities must review their own circumstances to determine what steps are reasonable to safeguard PHI through disposal, and develop and implement policies and procedures to carry out those steps,” OCR cautions. “In determining what is reasonable, covered entities should assess potential risks to patient privacy, as well as consider such issues as the form, type, and amount of PHI to be disposed of.”