Taking out the Trash – HIPAA Requirements
Parkview Health Systems, Inc. recently reached an agreement with HHS to pay $800,000 for potential HIPAA privacy violations. Parkview had left 71 cardboard boxes of medical records unattended on the driveway of a retiring physician. As we wrote last month, improper disposal of PHI represents approximately 5% of all reported breaches affecting 500 or more individuals. We have also described other specific examples involving improper disposal of PHI here and here.
HHS has published guidance on how it wants you to take out the trash when disposing of PHI. Here are some highlights:
1. Paper records need to be shredded, burned or otherwise rendered unreadable. Electronic media can (i) be physically rendered unreadable (by pulverizing, incinerating, or shredding); (ii) be purged by exposure to a magnetic field; or (iii) be overwritten (not just deleted). /sarc on/ The IRS has recent experience with this process and may be able to provide some helpful tips. /sarc off/
2. Keep PHI scheduled for disposal in a secure area.
3. Have a business associate agreement with any disposal vendor that will receive PHI.
4. Workforce members who use PHI off-site should be required to return all PHI to the covered entity for disposal.
Taking out the trash is never a welcome chore. But when the trash includes PHI, there is a steep cost for not handling it properly.