Even in the digital age, when electronic medical records are the norm, doctors, dentists and other healthcare professionals still handle and store paper documents that contain protected health information (PHI). With medical identity theft on the rise, tossing documents with PHI in a trash can or recycling bin should never be an option. In fact, it’s against the law to do so. The Health Information Portability and Accountability Act (HIPAA) levies stiff fines on healthcare providers who fail to dispose of PHI securely. In this blog, we describe HIPAA-compliant shredding.
What HIPAA Says
HIPAA states that health care organizations and their business associates should “maintain reasonable and appropriate administrative, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of protected health information (PHI).” As a result, your document disposal methods must prevent unauthorized access to PHI. Fines for unauthorized disclosure range from $50,000 to $1,500,000.
Who HIPAA Applies To
HIPAA provisions apply not only to medical practitioners but also to businesses offering services that involve access to PHI. As a result, if you’re a contractor or vendor to a healthcare organization, HIPAA rules and requirements apply to your business.
Outsourcing your shredding to a National Association of Information Destruction (NAID) AAA Certified partner is a reliable way to ensure the routine, secure and documented shredding of PHI. NAID AAA Certified shredding companies must meet strict security regulations verified by an independent Certified Protection Professional (CPP), accredited by the American Society for Industrial Security International (ASIS). CPPs assess the following areas during scheduled and unannounced audits:
• Employee screening processes
• Operational practices
• Security procedures
NAID requires all paper to be destroyed with a cross-cutting shredding process that reduces it to a 5/8” particle size or less. These requirements significantly reduce privacy risks to PHI.
Locked collection containers are placed in your facility to facilitate secure, prompt disposal of documents and data. On a scheduled basis, a bonded, security-cleared destruction professional collects the contents and destroys your information on-site with a mobile shredding vehicle. After shredding, you’re given a Certificate of Destruction noting the time and date of destruction.
If you have more questions about HIPAA or other state and federal privacy laws, please contact us by phone or complete the form on this page.