A Guide to HIPAA Compliant Medical Records Shredding

Protecting the privacy of protected health information (PHI) and the security of medical records is a major priority for the healthcare industry, not just because of the rising number and impact of data breaches, but also because laws like the Health Insurance Portability and Accountability Act (HIPAA) demand PHI protection and impose hefty fines for noncompliance.

With this in mind, hospitals, medical practices, and other businesses in the healthcare industry need to ensure they safeguard PHI throughout its disposal and follow HIPAA-mandated requirements for the proper destruction of medical records. That doesn’t mean throwing them in a dumpster, so what actually is HIPAA compliant medical records shredding?

To give you a clearer idea of what proper medical records shredding looks like and how it works, here is a guide with strategies and services to help your medical practice recognize what records need shredding, when they should be destroyed, and the benefits of using a HIPAA compliant medical records shredding service.

When Medical Records Should Be Destroyed

While there are differences in the specific information contained in medical records and other documents, the best security practices for all records involve secure document retention and destruction policies.

When it comes to HIPAA and medical records shredding, there are mandatory retention laws that require medical records to be kept for a period of time. HIPAA requires medical records to be retained for six years from the date of their creation or last use, whichever comes later.

State laws also generally set document retention periods; however, when they’re shorter than HIPAA’s, the six-year retention period preempts state law. If state laws require a longer retention period, these supersede HIPAA.

Either way, once a medical record’s retention period is up and the document no longer has a useful purpose, it should then be securely shredded as it does nothing more than increase the likelihood of accidental disclosure or a data breach.

What Types of Medical Records Need to Be Shredded?

The HIPAA Privacy Rule requires appropriate safeguards to protect medical records and PHI throughout the entire lifespan of the document—including its disposal.

According to the Department of Health and Human Services (HHS), a properly destroyed medical record or piece of PHI is defined as being rendered “unreadable, indecipherable, and otherwise unable to be reconstructed”.

The following 18 types of medical records and documents are defined as PHI and protected under HIPAA privacy laws:

  • Names
  • Dates
  • Geographic Identifiers
  • Phone Numbers
  • Fax Numbers
  • Email Addresses
  • Medical Record Numbers
  • Biometric Identifiers (i.e. fingerprint or retinal scan)
  • Full Face Photos and Comparable Images
  • Social Security Numbers
  • Health Plan Beneficiary Numbers
  • Account Numbers
  • Certificate/License Numbers
  • Vehicle Identifiers and Serial Numbers (including license plates)
  • Device Identifiers and Serial Numbers
  • Web URLs
  • Internet Protocol (IP) Address Numbers
  • Unique Identifying Numbers, Characteristics, or Codes

HIPAA’s privacy protection and destruction laws apply to medical records in all formats. Whether it’s an electronic health record or a paper one, be sure to take the proper steps when disposing of and destroying any medical record to ensure your HIPAA compliance.

What It Means to Have HIPAA Compliant Shredding Services

Considering the HIPAA Privacy Rule’s requirement for the security of PHI throughout disposal, some of the best destruction strategies are medical records shredding services.

Covered entities are responsible for ensuring their business associates protect PHI during disposal, making it critical they have secure processes in place for medical records shredding.

With HIPAA compliant shredding services, you have plenty of chances to be sure medical records are properly destroyed, as the shredding process includes opportunities like the ability to personally see the shredding and the use of locked shredding bins to secure documents.

There are several different options available for shredding medical records and ensuring they’re properly destroyed in compliance with HIPAA, including:

Mobile Shredding

Mobile shredding is the primary method for medical record shredding. With mobile services, a shredding truck equipped with an industrial shredder comes directly to your location to shred the documents.

One of the greatest appeals of this convenient disposal option is that healthcare providers can witness the destruction process themselves, providing additional assurance the medical records and PHI are properly destroyed.

Off Site Shredding

Off site shredding is a cost-efficient alternative to mobile shredding. With off site shredding services, a truck comes to your location to pick up the medical records before taking them to the provider’s facilities for destruction using an industrial shredder.

Locked bins are used to secure the documents during transport, and rather than traditional strip shredding, industrial shredders use cross-cut shredding to meet HIPAA’s specific requirements for properly destroyed medical records.

With both mobile and off site medical records shredding services, shredders provide you with locking shredding bins for storing the documents prior to shredding, and add another layer of security by providing a certificate of destruction once the shredding is complete.

Certificates of destruction are critical to a secure medical records shredding process, as they provide medical facilities with documentation of the destruction, both for their own records and in the event of a legal dispute.

Besides documenting when and where the shredding took place, a certificate of destruction also details who completed the shredding and most importantly provides proof that your medical records shredding was HIPAA compliant.

Who Uses Medical Records Shredding Most?

Shred Nations helps to connect hospitals, medical practices, and other businesses and organizations working in the healthcare industry with shredding providers who are committed to HIPAA compliant medical record shredding.

Among others, some of the types of medical practices, departments, and businesses we frequently provide document destruction services for include:

  • Assisted Living
  • Dental Practices
  • Emergency Medicine
  • Family Medicine
  • Internal Medicine
  • OB/GYN
  • Neurology
  • Pediatrics
  • Radiology
  • Covered Entities and Business Associates

This is just a short list, though. Besides those listed here, Shred Nations can also help nearly any practice or organization that handles PHI to find secure and reliable medical records shredding providers.

Need Shredding Services? Get Free Medical Records Shredding Quotes Today!

HIPAA’s strict laws regarding privacy protection for patients demand attention to the security of medical records from the moment they’re created to the moment they’re destroyed. With the help of HIPAA compliant medical records shredding services, however, you can ensure PHI is protected and unable to put your practice at risk.

At Shred Nations we partner with a network of medical records shredding providers located throughout the nation—working to provide document destruction services like mobile and off site shredding in order to help the healthcare industry find secure strategies for disposing PHI.

For more information on any of our available services or to begin comparing quotes from HIPAA compliant shredding providers in your area, just give us a call at (800) 747-3365, or simply fill out the form at the right of your screen to get free and competitive medical records shredding quotes today!

Additional Medical Records Shredding Resources

Steps to Take Before Shredding Medical Files

Between HIPAA fines and PR disasters, the reasons for healthcare providers to shred medical records are many; however, just as important as the destruction itself is the preparation required. Use this article to get a step-by-step guide to creating and maintaining a document management and destruction plan for your practice’s medical records.

Do I Need a Medical Record Destruction Log?

It can be difficult to know what to keep and what to destroy. Keeping a detailed destruction log can help healthcare providers stay on top of retention schedules while remaining HIPAA compliant. Learn more about medical record destruction, the methods available, and what specific pieces of information need to be shredded securely.