Burn it, shred it, pound it, erase it — just don’t get lazy when it comes to the disposal of documents containing protected health information or you’ll be inviting a host of privacy violations and complaints.
Covered entities that need to destroy medical records or other papers containing PHI must take several precautions and measures to ensure that the disposal process doesn’t create privacy breaches.
First and foremost, entities must make certain that the records they intend to destroy are, in fact, appropriate candidates for destruction, says Gwen Hughes, a consultant with Chicago-based Care Communications.
“The most important thing,” advises Hughes, is for the entity to produce “a retention schedule that’s been approved by legal counsel, the administration and the medical staff.”
A thorough retention schedule will help organizations to determine that “whatever they’re thinking about destroying has passed the required statute of limitations,” Hughes proposes.
“There are multiple standards about records retention that [entities] need to be mindful of,” cautions attorney Steve Bernstein with McDermott, Will & Emery in Boston. While HIPAA generally requires that documents be held for six years, there are numerous other federal and state laws to consider, he says. Most state requirements for medical records — especially for records maintained by hospitals — mandate retention periods that are anywhere between 10 and 30 years, Bernstein reports.
Is That For Here Or To Go?
Once your entity has identified those PHI-laden documents that are suitable for disposal, the next step is to decide whether the destruction will take place at your facility or off-site.
“A very important thing to remember is the uninterrupted responsibility that a provider has for protection of the PHI for the life of the record — from creation to the point of destruction,” states Beth Hjort, a professional practice manager with the Chicago-based American Health Information Management Association. Therefore, on-site destruction is preferable, she notes, because it provides entities with better control by allowing them to oversee the actual disposal process.
Oftentimes, however, cost and time will necessitate the hiring of an outside vendor to dispose of these documents. When destruction is an outsourced function, entities must take special care to obtain the most appropriate protection for their sensitive information, Hjort tells Eli.
In an ideal world, Hjort adds, entities should strive to make such documents unreadable before sending them off-site to be pulped, shredded or incinerated.
Hughes urges entities relying on outside disposal services to do their homework on any vendors before handing patients’ PHI over to them. Ask colleagues, get references and even do some periodic spot-checking on their disposal practices, she counsels.
And don’t let your organization or vendor get lax, especially when it comes to transporting your documents to the final destruction site. “You’re still the one that gets bad publicity if your records have blown around the railroad tracks or somewhere in town,” reminds Hughes.
Get It In Writing
When hiring an outside disposal service, be sure that you have “an adequate contract in place with an indemnity provision” to protect yourself from any violations incurred by the vendor, stresses Robyn Meinhardt, an attorney with Foley & Lardner in Denver.
Bernstein reports that many document destruction companies that are eager to retain and recruit clients are volunteering to be business associates of covered entities. These vendors, he observes, are submitting to certifications which state that they understand what PHI is and how it “must be destroyed appropriately such that it de-identifies the material.”
An additional option for entities looking to limit their liability is to require some type of documentation from the disposal company that certifies the proper obliteration of the PHI. Meinhardt points out that while HIPAA doesn’t require entities to obtain certifications of records destruction, it’s not a particularly onerous activity to practice.
Hughes directs organizations to maintain these certificates permanently as evidence that they have uniformly followed their own policies and procedures regarding records retention and destruction.