Proper Disposal of Protected Health Information


Privacy and protecting personal information have become a priority for the medical industry. Although some practices have converted to Electronic Health Records, there are still thousands of practices and facilities that rely on hard-copy medical records, and proper disposal of Protected Health Information (PHI) is important to stay in compliance with HIPAA and other regulations.

When it comes time to dispose of these records, there are a few things that you need to do, and a few procedures you need to follow. This article will discuss PHI: what it is, the proper ways to dispose of it, and the consequences of not taking care of your patients’ personal information.

Disposal of Protected Health Information (PHI) vs Company Documents and Files

Although there are specific differences between medical files that contain Protected Health Information and any traditional documents that should be shredded, the best practice is to treat every document and/or record you have with the same type of security and procedures.  By doing this, you don’t have to worry about what documents need to be ‘properly’ destroyed after their useful life.

One of the easiest ways to ensure this type of security is to implement a shred-all policy with consideration for appropriate retention times.  That way, any hard-copy information that could become a data breach is already handled properly. Keep in mind that there are some different procedures and retention times for medical documents; we’ll touch on that later in this article.

What is PHI, and What Items Does It Include?

Protected Health Information, or PHI, is any information that links to an individual. It could include information and payments for health care, or even an individual’s health status. Essentially, any information that links to anyone’s medical record or payment history is protected by law and needs to be handled with care.


Here’s a list of the 18 identifiers that HIPAA protects and defines as PHI:

  • Names
  • Geographic data
  • All elements of dates
  • Telephone numbers
  • FAX numbers
  • Email addresses
  • Social Security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers including license plates
  • Device identifiers and serial numbers
  • Web URLs
  • Internet protocol addresses
  • Biometric identifiers (e.g., retinal scan, fingerprints)
  • Full-face photos and comparable images
  • Any unique identifying number, characteristic, or code

This information is not limited to paper records. Be sure that you’re protecting your electronic health records software with proper encryption and security to ensure that you’re not putting your patients’ information at risk with a data breach.

Disposing of Protected Health Information

The people who need proper disposal of Protected Health Information (PHI) are covered entities and their business associates.  Any company or medical facility that collects health information needs to properly destroy it. In addition, any time anyone in the company receives access to any file or record containing health information, you also have to properly destroy it.

However, properly destroying a document is not leaving the documents in the dumpster.  The HHS specifically defines properly destroyed as “rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed.”

Therefore, one of the best ways to ensure proper destruction is to shred those documents.  There are several ways to destroy your documents:

Mobile Shredding: Where a shredding truck comes to your location and shreds all your documents right before your eyes.  This ensures the proper disposal of any PHI, and it saves you the time and hassle of transferring all your documents to a different location to shred them.

Off-Site Shredding: You can also have a shredding truck come to your site and transport your documents to a secure off-site shredding plant for destruction.  This is great for large amounts of shredding.  You should store any documents containing PHI in locked containers and then destroy them in a large industrial shredder.

One step that every practice should follow is storing any records that contain PHI securely in a locked bin or locked room.  Whether you choose mobile shredding or offsite shredding, you’ll receive a certificate of destruction to prove compliance with the HIPAA destruction requirements every time.


Furthermore, if you’re looking for recommendations from another credible source, the Department of Health and Human Services (HHS) has a section dedicated to frequently asked questions on the disposal of PHI.  They answer questions about:

  • Requirements for disposing of PHI in HIPAA Privacy and Security rules
  • How to properly dispose of PHI
  • If you can hire a company to dispose of your PHI
  • Retention Requirements
  • Re-using or disposing of computers and electronic media containing PHI
  • How Home Health Workers should dispose of PHI


What Are the Consequences of Improper Disposal of PHI?

Disposing of PHI properly will save your practice headaches and huge fines.  HHS is handing down hefty fines for data breaches involving PHI. The biggest takeaway is that you can still receive fines even if you did not know about the breach.

Here’s a list of the different levels of severity, and the fines for each violation:

[Image: fines for each level of violation]


As you can see, there isn’t a whole lot of leeway if you happen to expose your patients to a PHI breach.  Here are just a few of the examples of some fines that were handed down in recent years:

  • Former owners of a medical billing practice and four pathology groups in Massachusetts will collectively pay $140,000 to settle potential HIPAA allegations after medical records and billing information for some 67,000 patients were improperly disposed of at a public dump.
  • In 2014, an $800,000 HIPAA settlement was reached between the Department of Health and Human Services and an Indiana community health system for an incident involving paper records dumping.
  • In 2015, the OCR announced that it had reached a settlement for $125,000 with a Denver-based healthcare provider, Cornell Pharmacy, following the improper disposal of patient health records.

Protect Your PHI With Shred Nations Today!

Shred Nations can help protect your practice from a potential PHI data breach.  Our network of HIPAA-compliant shredding providers will quickly dispose of your medical records.

At Shred Nations we can get you a quote for all of the medical records shredding you need within minutes.  To start, fill out the form, use the live chat, or give us a call at (800) 747-3365.