Personal Health Information (PHI) has been protected since the Health Insurance Portability and Accountability Act (HIPAA) became law in 1996. The security requirements are covered in the Privacy Rule that was finalized in 2000 then modified in 2002 and the Security Rule that was finalized in 2003.
The requirements were then modified as part of the Health Information Technology for Economic and Clinical Health Act (HITECH). Collectively these requirements are overseen by the Office of Civil Rights in the Department of Health and Human Services.
All the various laws and a decade of history have introduced a great deal of fear, uncertainty, and doubt about what the law requires your practice to do. So it is time to demystify medical records shredding and whom is covered.
Going straight to the law it states, “covered entities must implement reasonable safeguards to limit incidental, and avoid prohibited, uses and disclosures of PHI, including in connection with the disposal of such information.” [source]
The people who need to shred PHI are covered entities and their business associates. To make it simpler, if you are collecting any health information then you need to make sure it is properly destroyed. If you give anyone else access to the information then they need to make sure it is properly destroyed.
So what is properly destroyed? It is clear from the guidance of HHS that leaving the documents in the dumpster is not acceptable. If paper it must be “rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed.”
The most popular way to do that is through paper shredding since it is an efficient solution. What it does not say is whom must do the shredding. HHS does mention using a shredding vendor keeps a practice with HIPAA requirements. The law also does not require shredding to be done on-site.
One step every practice should follow is storing the PHI securely before it is destroyed. This would mean a locked bin or in a locked room. We will places locked bins in your office for free when we provide you with shredding. After each visit you will get a certificate of destruction to prove compliance with the HIPAA destruction requirements.
Are you looking for a HIPAA compliant shredding company? Our experts can help! Fill out the form to the right, or give us a call at (800) 747-3365. Within minutes, you will get free quotes from a secure shredding company in your area.