How to Properly Dispose of Protected Health Information

Safely Discard Paper and Electronic PHI

protected health information
Epoxydude/Getty Images

There are several ways to properly dispose of protected health information. Proper disposal of protected health information (PHI) and other confidential information whether paper or electronic format is a requirement of HIPAA. Any facility defined by HIPAA as a covered entity has the responsibility to ensure the privacy and security of its patient’s information as well as maintaining the confidentiality of their PHI.

There are a number of solutions your medical office can establish in order to properly dispose of PHI when the information is no longer needed.

Proper Disposal of Paper PHI

Paper PHI should never be thrown in the regular trash. Placing PHI in trash bins or dumpsters is not a secure method of disposing of PHI. Trash bins and dumpsters are accessible by the public and there is no way to protect documents from being obtained and their contents exposed. Companies have been fined for illegally discarding PHI in dumpsters complete with patient names, birth dates, social security numbers and other protected health information.

Before PHI can be thrown out it should be made indecipherable by shredding or burning. The surest way is to hire a reputable company to destroy the records. Help your employees comply with these procedures:

  • Place small bins at each workstation clearly labeled “PHI FOR PROPER DISPOSAL ONLY – DO NOT TRASH”. This will prevent information from accidentally ending up in the trash.
  • Be sure to monitor both secure and non-secure areas where trash is disposed of as a precaution for any PHI that a patient might throw away. For example, in the waiting area and the restrooms.
  • Keep in mind that certain information may need extra protections such as social security numbers, patient diagnosis, and credit card numbers.
  • Make it a policy that all paper documents be placed in a recycling bin, whether there is PHI on it or not, to avoid any confusion.
  • Make random inspections to make sure everyone is compliant.

Proper Disposal of Electronic PHI

Electronic PHI is less likely to require disposal. However, if your office uses any type of removable or portable electronic media such as floppy disks, CDs, or flash drives, be sure to erase, delete or reformat any information that is no longer needed. The best way is to avoid usage whenever possible.

If it is necessary to dispose of electronic PHI, use clearing software or hardware to overwrite sensitive data with nonsensitive data.  Other options include purging, which requires a strong magnetic field to destroy the data, or destroy the device using methods such as incinerating, shredding, and melting. Companies that provide secure paper PHI disposal may also provide safe electronic PHI disposal.

Be sure to remove information from the hard drive of computers that are no longer in use or being sold in such a way that prevents the data from being recovered. Stay up-to-date on HIPAA compliance to ensure that you are following the most recent guidelines.

Continue Reading