The Health Insurance Portability and Accountability Act (HIPAA) requires health care organizations and their business associates to “maintain reasonable and appropriate technical and physical safeguards to prevent intentional or unintentional use or disclosure of protected health information (PHI).” Although the law was signed into effect over twenty years ago, there is still confusion about what constitutes HIPAA compliant destruction. In this blog, we offer clarification to help your organization comply with the law.
The Specifics of HIPAA
You may be surprised to learn that the physical destruction of documents and data is not specifically mentioned in HIPAA. However, a key amendment to the law enacted in 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act, states that improperly discarded documents and data are considered a security breach. For example, if a medical record is discarded into a trash or recycling bin and a patient’s PHI is breached, your organization can be fined by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Discarding PHI without first destroying it is one of the violations specifically referenced as qualifying for the highest level of HIPAA fines, ranging from $50,000 to $1,500,000.
How to Ensure HIPAA Compliant Destruction
So what is the most reliable and cost-effective way to ensure your information disposal practices comply with HIPAA? Outsourcing your PHI disposal and destruction to a National Association of Information Destruction (NAID) AAA certified partner is a start. Locked collection containers are placed in your facility to facilitate the secure, prompt disposal of documents and data. On a scheduled basis, a bonded, security-cleared destruction professional collects the contents and destroys your information on-site with a mobile shredding vehicle. You are then given a Certificate of Destruction documenting the time and date of destruction.
A qualified information destruction provider can also offer a formal medical practice training program to reduce HIPAA non-compliance risks. First, your information destruction partner provides your organization with a customizable Information Destruction Manual and Policy Statement. Next, HIPAA educational pamphlets are distributed to your staff. Third, an acknowledgment form documents each employee’s acceptance and completion of data destruction procedures training. Finally, you are given a Data Safe counter stand to notify and reassure patients that your practice values the protection of their private health information.
Now that you know what you need to do to comply with HIPAA, make sure your information disposal practices align with the law.
American Document Securities offers HIPAA compliant shredding services for businesses in Atlanta and Northeast Georgia. For more information, please contact us by phone or complete the form on this page.