Don't throw privacy rule compliance out with the trash!
Wondering how to dispose of PHI without finding yourself with a HIPAA violation? Eli's experts give you the scoop on trashing both physical and electronic PHI.
Electronic Files
"Electronic is easy -- you just take out the hard drive and break it with a hammer," says Barry Herrin, an attorney in the Atlanta, GA office of Smith Moore. While many people spend lots of time and money on degaussing or electronic erasure, the cost of replacing the hard drive is minimal, he says.
Tip: If you have a large network, develop policies and procedures that keep users from storing files locally, Herrin explains. With information moving to and from the central server rather than the hard drive, there's no risk because PHI isn't stored on the computer, he notes.
Paper Files
"If you choose to shred, have appropriate policies and procedures around the location and use of the shredder," including appropriate explanation of what will happen in the event of a HIPAA violation, warns Suzy Buckovich, a managing consultant with IBM Business Consulting in Bethesda, MD.
Debating between cross-cut and strip shredding? "Cross-cut shredding is fine because it turns PHI into confetti and then it's blended," Herrin explains. Strip shredding is more risky because PHI can always be pieced back together, he warns.
Facilities can also rely on mobile shredding vendors, experts agree. "Destruction companies are for large volumes, but day-to-day in-office shredding can also be done," Herrin explains. The everyday consumables should be shredded each day and can then be bagged up and tossed like regular garbage, he adds.
Business Associates
However, if you contract with vendors for your PHI disposal, "their function is that of a business associate and you better make sure you've got a very tight contractual arrangement with them that includes all the business associate functions," cautions Tom Schroeder, an attorney in Minneapolis, MN-based Faegre & Benson.
"Use a business associate agreement to make the company accountable for the PHI they come in contact with," Buckovich suggests. This will cut down on the risk that PHI winds up in a dumpster somewhere, Schroeder agrees.
The Bottom Line: Always consult your state's guidelines before trashing any PHI, Buckovich reminds. Of course, "to be able to hold the document while it's burning is always the safest assurance that it's gone," but contractual obligations can work to prevent any HIPAA violations brought by negligent vendors, Schroeder says.
For e-PHI, Herrin invokes the spirit of MasterCard: "Replace your hard drive? $100. A sledgehammer? $10. Peace of mind? Priceless."