Taking out the Trash – HIPAA Requirements

Jamie Scott

Parkview Health Systems, Inc. recently reached an agreement with HHS to pay $800,000 for potential HIPAA privacy violations. Parkview had left 71 cardboard boxes of medical records unattended on the driveway of a retiring physician. As we wrote last month, improper disposal of PHI represents approximately 5% of all reported breaches affecting 500 or more individuals. We have also described other specific examples involving improper disposal of PHI here and here.

HHS has published guidance on how it wants you to take out the trash when disposing of PHI. Here are some highlights:

1.  Paper records need to be shredded, burned or otherwise rendered unreadable. Electronic media can (i) be physically rendered unreadable (by pulverizing, incinerating, or shredding); (ii) be purged by exposure to a magnetic field; or (iii) be overwritten (not just deleted). /sarc on/ The IRS has recent experience with this process and may be able to provide some helpful tips. /sarc off/

2.  Keep PHI scheduled for disposal in a secure area.

3.  Have a business associate agreement with any disposal vendor that will receive PHI.

4.  Workforce members who use PHI off-site should be required to return all PHI to the covered entity for disposal.
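As an added illustration of the distinction in item 1 between deleting and overwriting electronic PHI (this is constructed example code, not from the post or from HHS guidance), the script below does two things. First, a toy in-memory "disk image" stands in for a raw storage medium: an ordinary delete only removes the directory entry, so a recovery tool that scans the medium still finds the record, while an overwrite actually replaces the bytes. Second, a small helper overwrites a real file on disk before unlinking it. The `ToyDisk` class, the `overwrite_file`/`secure_remove` helpers and the `MARKER` record are all assumptions made for this example.

```python
"""Added example: why "deleted" is not the same as "overwritten" for ePHI."""
import os
import tempfile

# Constructed stand-in for a patient record (not real PHI).
MARKER = b"PATIENT: Jane Doe, DOB 01/02/1970, DX: hypertension"


class ToyDisk:
    """A bytearray plays the raw medium; a dict plays the directory table.

    This is a deliberate simplification of how file systems work, enough to
    show what a recovery tool sees after each kind of 'disposal'.
    """

    def __init__(self, size: int = 4096) -> None:
        self.raw = bytearray(size)   # the medium itself (starts zeroed)
        self.table = {}              # filename -> (offset, length)
        self._next = 0               # next free offset (append-only allocator)

    def write(self, name: str, data: bytes) -> None:
        off = self._next
        self.raw[off:off + len(data)] = data
        self.table[name] = (off, len(data))
        self._next += len(data)

    def delete(self, name: str) -> None:
        """Ordinary delete: only the directory entry goes away; bytes stay."""
        del self.table[name]

    def overwrite_then_delete(self, name: str) -> None:
        """Overwrite the record's bytes on the medium, then drop the entry."""
        off, length = self.table[name]
        self.raw[off:off + length] = b"\x00" * length
        del self.table[name]

    def carve(self, needle: bytes) -> bool:
        """What a recovery tool does: scan the raw medium, ignore the table."""
        return needle in self.raw


def demo_delete_leaves_data() -> bool:
    """Returns True if the record is still recoverable after a plain delete."""
    disk = ToyDisk()
    disk.write("patient.txt", MARKER)
    disk.delete("patient.txt")
    return disk.carve(MARKER)          # True: deletion alone is not disposal


def demo_overwrite_removes_data() -> bool:
    """Returns True if the record is still recoverable after overwriting."""
    disk = ToyDisk()
    disk.write("patient.txt", MARKER)
    disk.overwrite_then_delete("patient.txt")
    return disk.carve(MARKER)          # False: the bytes are gone


def overwrite_file(path: str, chunk: int = 1 << 16) -> int:
    """Overwrite a real file's contents with zeros in place and flush to disk.

    Returns the number of bytes overwritten. Note: in-place overwriting is
    only meaningful on media that honour it (magnetic disks); flash/SSD
    wear-levelling may keep stale copies, so other purge methods apply there.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        remaining = size
        while remaining > 0:
            n = min(chunk, remaining)
            f.write(b"\x00" * n)
            remaining -= n
        f.flush()
        os.fsync(f.fileno())           # make sure the zeros reach the device
    return size


def secure_remove(path: str) -> None:
    """Overwrite, then unlink: the order matters."""
    overwrite_file(path)
    os.remove(path)


def demo_real_file() -> tuple:
    """Writes MARKER to a temp file, overwrites it, checks, then removes it.

    Returns (marker_still_present_after_overwrite, file_exists_after_remove).
    """
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(MARKER)
    overwrite_file(path)
    with open(path, "rb") as f:
        still_present = MARKER in f.read()
    secure_remove(path)
    return still_present, os.path.exists(path)


if __name__ == "__main__":
    print("recoverable after plain delete:", demo_delete_leaves_data())
    print("recoverable after overwrite:   ", demo_overwrite_removes_data())
    print("(marker after overwrite, exists after remove):", demo_real_file())
```

The toy disk is the part worth pausing on: nothing in `delete()` touches `raw`, which is exactly why HHS's guidance says "overwritten (not just deleted)". For real devices the file-level helper is a minimum, not a guarantee; the physical destruction and degaussing options in item 1 exist because overwriting cannot be verified on every medium.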

Taking out the trash is never a welcome chore. But when the trash includes PHI, there is a steep cost for not handling it properly.