A Guide to HIPAA Compliant Medical Record Shredding

hipaa compliant medical records shredding services

Protecting the privacy of protected health information (PHI) and the security of medical records is a major priority for the healthcare industry. With data breaches on the rise, and laws like the Health Insurance Portability and Accountability Act (HIPAA), protecting your patients’ PHI is more important than ever. For physical documents, a HIPAA compliant medical records shredding service ensures you protect your practice and your patients’ sensitive information.

To help give you a clearer idea of what proper medical records shredding looks like and how it works, here you can find a guide filled with strategies and services to help your medical practice recognize what records need shredding, when they should be destroyed, and the benefits to utilizing a HIPAA compliant medical records shredding service.

When Medical Records Should Be Destroyed

medical record shredding with Shred Nations. Shredding medical records has never been easy and more secure. Observe any shredding medical records law to stay compliant.While there are differences in the specific information contained in medical records and other documents, the best security practices for all records involve secure document retention and destruction policies.

When it comes to HIPAA and medical records shredding, there are mandatory retention laws for documents that require medical records to be kept for a period of time. HIPAA requires medical records to be retained for six years from the date of its creation or last use—whichever comes later.

States generally have their own document retention laws as well. However, when they’re shorter than HIPAA’s, the six year retention period preempts State laws. If State laws require a longer retention period, these supersede HIPAA.

Either way, once a medical record’s retention period is up and the document no longer has a useful purpose, it should then be securely shredded. If kept longer, it just creates risk and extra liability for your practice.

What Types of Medical Records Need Shredding?

paper medical records shredding storage. What Types of Medical Records Need Shredding?The HIPAA Privacy Rule requires appropriate safeguards to protect medical records and PHI throughout the entire lifespan of the document—including its disposal.

According to the Department of Health and Human Services (HHS), a properly destroyed medical record or piece of PHI is defined as being rendered “unreadable, indecipherable, and otherwise unable to be reconstructed”.

The following 18 different types of medical records, documents, and information fall under PHI and HIPAA privacy laws:

  • Names
  • Dates
  • Geographic Identifiers
  • Phone Numbers
  • Fax Numbers
  • Email Addresses
  • Medical Record Numbers
  • Biometric Identifiers (i.e. fingerprint or retinal scan)
  • Full Face Photos and Comparable Images
  • Social Security Numbers
  • Health Plan Beneficiary Numbers
  • Account Numbers
  • Certificate/License Numbers
  • Vehicle Identifiers and Serial Numbers (including license plates)
  • Device Identifiers and Serial Numbers
  • Web URLs
  • Internet Protocol (IP) Address Numbers
  • Unique Identifying Numbers, Characteristics, or Codes

HIPAA’s privacy protection and destruction laws apply for medical records in all formats. Whether it’s an electronic health record or a paper one, make sure to take the proper steps when disposing and destroying any medical record to guarantee HIPAA compliance.

What It Means to Have HIPAA Compliant Shredding Services

confidential hipaa regulated medical records shredding guidelines for protection. What It Means to Have HIPAA Compliant medical record Shredding ServicesConsidering the HIPAA Privacy Rule’s requirement for the security of PHI throughout disposal, some of the best destruction strategies are medical records shredding services.

Covered entities are responsible for ensuring their business associates protect PHI during disposal. As a result, it’s critical they have secure processes in place for medical records shredding.

With a HIPAA compliant shredder, you can follow and monitor the process. These providers offer opportunities to witness the shredding, and use locked bins to secure the documents.

There are several different options available for shredding medical records and ensuring they’re properly destroyed in compliance with HIPAA, including:

Mobile Shredding

Mobile shredding remains the primary method for medical records shredding, and for good reason. A shredding truck equipped with an industrial shredder comes directly to your location to shred the documents. This allows you to witness the document destruction yourself. HIPAA compliant shredders will also offer a certificate of destruction, giving you liability protection.

Off Site Shredding

For a cost-efficient, but still secure, alternative, you can choose an off site shredding service. A truck comes to your location to pick up the medical records, before taking them to their facilities for destruction using an industrial shredder.

During transport, locked bins secure the documents. Once at the shredding location, it runs through a specific cross-cut shredding process. This meets HIPAA’s specific requirements for medical record destruction. Once complete, you will receive a certificate of destruction.

Both options provide security and assurance in the form of locked shredding bins and certificates of destruction. The choice comes down to cost, convenience, and personal preference.

The critical aspect for compliance in medical records shredding is the certificate of destruction. This certificate provides the documentation necessary for HIPAA compliance, and protects your practice in the event of a legal dispute. .

Besides documenting when and where the shredding took place, a certificate of destruction also details who completed the shredding.

Who Uses Medical Record Shredding Most?

Why you need a medical records shredding destruction log. Who Uses Medical Record Shredding Most?

Hospitals, medical practices, and other businesses and organizations use HIPAA compliant shredders the most frequently.

Some of the specific types of medical practices, departments, and businesses that use document destruction services include:

  • Assisted Living
  • Dental Practices
  • Emergency Medicine
  • Family Medicine
  • Internal Medicine
  • OB/GYN
  • Neurology
  • Pediatrics
  • Radiology
  • Covered Entities and Business Associates

Besides those listed here, any practice or organization who handles PHI can use and benefit from having a medical records shredding provider.

Need Shredding Services? Get Free Medical Record Shredding Quotes Today!

HIPAA compliant medical records shredding services ensure PHI is protected and unable to put your practice to risk. Shred Nations partners with a network of medical records shredding providers located throughout the nation. We can provide you with a secure and affordable mobile shredding or off-site option that keeps your medical records compliant with all state and federal laws. 

For more information on any of our available services or to begin comparing quotes from HIPAA compliant shredders in your area, just give us a call at (800) 747-3365, or simply fill out the form to get free and competitive medical records shredding quotes today!

Additional Medical Records Shredding Resources

Steps to Take Before Shredding Medical Files

Between HIPAA fines and PR disasters, the reasons for healthcare providers to shred medical records are many. However, just as important as the destruction itself is the preparation required. Use this article to get a step-by-step guide to creating and maintaining a document management and destruction plan for your practice’s medical records.

Do I Need a Medical Record Destruction Log?

It can be difficult to know what to keep and what to destroy. Keeping a detailed destruction log can help healthcare providers stay on top of retention schedules while remaining HIPAA compliant. Learn more about medical record destruction, the methods available, and what specific pieces of information need to be shredded securely.