HIPAA Compliant Shredding: What You Need to Know

With the 2016 HIPAA Phase 2 audits beginning to take effect, health care professionals are going to be looking for HIPAA compliant shredding services with more fervor now than ever before.

Under federal HIPAA regulation, any health care professional who’s involved in the creation of medical records containing protected health information (PHI)–that includes names, dates of birth, Social Security numbers, or other personally identifiable information–is considered a Covered Entity (CE). Doctors, hospitals, nursing homes, health care plans, health insurers, and health care clearinghouses are a few examples of organizations that qualify as a CE under HIPAA regulation.

Any company that a CE hires to handle PHI in any way is called a Business Associate (BA), and in this case, that includes shredding companies that provide their services to health care professionals or deal with the destruction of medical records or documents that contain PHI.

The HIPAA Omnibus Rule

After the HIPAA Omnibus Rule was enacted in 2013, BAs were required to be compliant with HIPAA going forward as well. The Omnibus Rule fundamentally changed liability and compliance so that any company that is hired to handle PHI in any way is beholden to the full extent of federal regulation. Further, without the proper Business Associate Agreements (BAA) in place, liability in the event of a breach falls equally upon the BA that breached the information, in addition to the health care entity that hired the BA in the first place.

Differentiating with HIPAA Compliance

Having an effective BAA in place is not only essential to protecting your shredding company in the event of a security breach, it’s also a means of setting yourself apart from your competition when it comes to advertising your services to the health care community. Companies that have developed effective HIPAA compliance programs differentiate themselves while ensuring that they won’t expose their business to fines and litigation from OCR’s new efforts to combat non-compliance with its 2016 Phase Two audit program.

This article was written by Frank Sivilli, the Content and Marketing Manager for Compliancy Group.