Proper disposal of protected health information (PHI) and other confidential information, whether in paper or electronic format, is a requirement of HIPAA. Any facility defined by HIPAA as a covered entity is responsible for ensuring the privacy and security of its patients' information and for maintaining the confidentiality of their PHI.
There are a number of solutions your medical office can establish in order to properly dispose of PHI when it is no longer needed.
Disposal of Paper PHI
Paper PHI should never be thrown in the regular trash. Placing PHI in trash bins or dumpsters is not a secure method of disposal. Companies have been fined for illegally discarding PHI in dumpsters, complete with patient names, birth dates, social security numbers and other protected health information.
Before PHI can be thrown out, it should be made indecipherable by shredding or burning. The surest way is to hire a reputable company to destroy the records. Help your employees comply by:
- Placing small bins at each work station clearly labeled “PHI FOR PROPER DISPOSAL ONLY – DO NOT TRASH”. This will prevent information from accidentally ending up in the trash.
- Making it a policy that all paper documents be placed in a recycling bin, whether there is PHI on them or not, to avoid any confusion.
- Making random inspections to make sure everyone is compliant.
Electronic PHI is less likely to require disposal. However, if your office uses any type of removable or portable electronic media such as floppy disks, CDs or flash drives, be sure to erase, delete or reformat any information that is no longer needed. The best approach is to avoid using such media whenever possible.
When computers are no longer in use or are being sold, be sure to remove information from their hard drives in a way that prevents the data from being recovered.