Proper Protected Health Information Disposal

Proper Protected Health Information DisposalPrivacy and protecting personal information has become a priority for the medical industry.

More and more practices and hospital systems are having to do a better job protecting their patients’ Protected Health information, or PHI.

Although some practices have converted to Electronic Health Records, there’s still thousands of practices and facilities that rely on hard-copy medical records.

When it comes time to dispose of these records, what do you need to do?  Are there certain procedures you need to follow?

This article will discuss PHI- what it is, proper ways to dispose of it, and the consequences of not taking care of your patient’s personal information.

Disposing of PHI vs Company Documents and Files

Although there are specific differences in medical files that contain Protected Health Information and any traditional documents that should be shredded, the best practice is to treat every document and/or record you have with the same type of security and procedures.  By doing this, you don’t have to worry about what documents need to be ‘properly’ destroyed after their useful life.

One of the easiest ways to ensure this type of security is to implement a shred-all policy with a consideration for appropriate retention times.  That way, any hard-copy information that could become a data breach is already handled properly.

Keep in mind that there are some different procedures and retention times for medical documents- we’ll touch on that later in this article.

What is PHI, and What Items are Included In it?

Protected Health Information, or PHI, is any information that can be linked to an individual.  It could include information and payments for health care, or even an individual’s health status.

Essentially, any information that’s linked to anyone’s medical record or payment history is protected by law and needs to be handled with care.

Here’s a list of the 18 identifiers that are protected under HIPAA and are defined as PHI:

  • Names
  • Geographic data
  • All elements of dates
  • Telephone numbers
  • FAX numbers
  • Email addresses
  • Social Security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers including license plates
  • Device identifiers and serial numbers
  • Web URLs
  • Internet protocol addresses
  • Biometric identifiers (i.e. retinal scan, fingerprints)
  • Full face photos and comparable images
  • Any unique identifying number, characteristic or code

This information is not limited to paper records- be sure that you’re protecting your electronic heath records software with proper encryption and security to ensure that you’re not putting your patient’s information at risk with a data breach.

Disposing of Protected Health Information

What are the proper ways to dispose of PHI?The people who need to dispose of PHI are covered entities and their business associates.  Any company or medical facility that collects health information needs to ensure it’s properly destroyed.

In addition, any time anyone in the company is granted access to any file or record containing health information, it also has to be properly destroyed.

Properly destroyed is not leaving the documents in the dumpster.  The HHS specifically defines properly destroyed as “rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed.”

One of the best ways to ensure proper destruction is to shred those documents.  There’s several ways to ensure your documents are destroyed:

Mobile Shredding: Where a shredding truck comes to your location and shreds all your documents right before your eyes.  This makes sure that any PHI is properly disposed of, and it saves you the time and hassle of transferring all your documents to a different location to be shredded.

Off-Site Shredding: You can also have a shredding truck come to your site and transport your documents to a secure off site shredding plant for destruction.  This is great for large amounts of shredding.  Any documents containing PHI are stored in locked containers then destroyed in a large industrial shredder.

One step that every practice should follow is storing any records that contain PHI securely in a locked bin or locked room.  Whether you choose mobile shredding or offsite shredding, you’ll receive a certificate of destruction to prove compliance with the HIPAA destruction requirements every time.

If you’re looking for recommendations from another credible source, the Department of Health and Human Services (HHS) has a section dedicated to frequently asked questions on the disposal of PHI.  They answer questions about:

  • Requirements for disposing of PHI in HIPAA Privacy and Security rules
  • How to properly dispose of PHI
  • If you can hire a company to dispose of your PHI
  • Retention Requirements
  • Re-using or disposing of computers and electronic media containing PHI
  • How Home Health Workers should dispose of PHI

Click here to read the details, or here to access HHS’s FAQ on HIPAA

What Are the Consequences of Improperly Disposing of PHI?

Disposing of PHI properly will save your practice headaches- and huge fines.  HHS is handing down hefty fines for data breaches involving PHI.

The biggest takeaway is that you can still be fined even if you had no knowledge of the breach.

Here’s a list of the different levels of severity, and the fines for each violation:

Violation category—Section 1176(a)(1) Each violation All such violations of an identical provision in a calendar year
(A) Did Not Know $100-$50,000 $1,500,000
(B) Reasonable Cause $1,000-$50,000 1,500,000
(C)(i) Willful Neglect -Corrected $10,000-$50,000 1,500,000
(C)(ii) Willful Neglect -Not Corrected $50,000 1,500,000


What are the consequences of disposing PHI improperly?As you can see, there isn’t a whole lot of leeway if you happen to expose your patients to a PHI breach.  Here’s just a few of the examples of some fines that were handed down in recent years:

  • Former owners of a medical billing practice and four pathology groups in Massachusetts will collectively pay $140,000 to settle potential HIPAA allegations after medical records and billing information for some 67,000 patients were improperly disposed of at a public dump.
  • In 2014, an $800,000 HIPAA settlement between the Department of Health and Human Services and an Indiana community health system for an incident involving paper records dumping.
  • In 2015, The OCR announced that it has reached a settlement for $125,000 with a Denver-based healthcare provider, Cornell Pharmacy, following the improper disposal of patient health records.

Get Free, No-Hassle Quotes on Medical Records Shredding Today

Shred Nations can help protect your practice from a potential PHI data breach.  Our network of HIPAA-compliant shredding providers will quickly dispose of your medical records.  We shred records for the following types of practices (and more):

  • Family Medicine
  • Emergency Medicine
  • Internal Medicine
  • OB/GYN
  • Neurology
  • Pediatrics
  • Covered Entities
  • Business Associates

At Shred Nations we can get you a quote for all of the medical records shredding you need within minutes.  To get started, fill out the form on the right hand side of this page, or give us a call at (800) 747-3365.