A Guide to HIPAA Compliant Medical Record Shredding


Protecting the privacy of protected health information (PHI) and the security of medical records is a major priority for the healthcare industry. With data breaches on the rise, and laws like the Health Insurance Portability and Accountability Act (HIPAA), protecting your patients’ PHI is more important than ever. For physical documents, a HIPAA compliant medical records shredding service ensures you protect your practice and your patients’ sensitive information.

To give you a clearer idea of what proper medical records shredding looks like and how it works, this guide covers strategies and services to help your medical practice recognize which records need shredding, when they should be destroyed, and the benefits of using a HIPAA compliant medical records shredding service.

When Medical Records Should Be Destroyed

While there are differences in the specific information contained in medical records and other documents, the best security practices for all records involve secure document retention and destruction policies.

When it comes to HIPAA and medical records shredding, mandatory retention laws require medical records to be kept for a period of time. HIPAA requires medical records to be retained for six years from the date of their creation or last use, whichever comes later.


States generally have their own document retention laws as well. However, when they’re shorter than HIPAA’s, the six-year retention period preempts state laws. If state laws require a longer retention period, these supersede HIPAA.

Either way, once a medical record’s retention period is up and the document no longer has a useful purpose, it should then be securely shredded. If kept longer, it just creates risk and extra liability for your practice.

What Types of Medical Records Need Shredding?

The HIPAA Privacy Rule requires appropriate safeguards to protect medical records and PHI throughout the entire lifespan of the document—including its disposal.

According to the Department of Health and Human Services (HHS), a properly destroyed medical record or piece of PHI is defined as being rendered “unreadable, indecipherable, and otherwise unable to be reconstructed”.

The following 18 different types of medical records, documents, and information fall under PHI and HIPAA privacy laws:

| PHI Identifier | Description |
| --- | --- |
| Personal Identifiers | Names; Dates; Social Security Numbers |
| Contact Information | Phone Numbers; Fax Numbers; Email Addresses |
| Location & Online Identifiers | Geographic Identifiers; Web URLs; Internet Protocol (IP) Address Numbers |
| Medical & Health-Related Identifiers | Medical Record Numbers; Health Plan Beneficiary Numbers |
| Financial & Account Identifiers | Account Numbers; Certificate/License Numbers |
| Device & Asset Identifiers | Vehicle Identifiers and Serial Numbers (including license plates); Device Identifiers and Serial Numbers |
| Biometric & Visual Identifiers | Biometric Identifiers (e.g., fingerprint, retinal scan); Full Face Photos and Comparable Images |
| Other Unique Identifiers | Unique Identifying Numbers, Characteristics, or Codes |

HIPAA’s privacy protection and destruction laws apply to medical records in all formats. Whether it’s an electronic health record or a paper one, make sure to take the proper steps when disposing of and destroying any medical record to guarantee HIPAA compliance.

What It Means to Have HIPAA Compliant Shredding Services

Considering the HIPAA Privacy Rule’s requirement for the security of PHI throughout disposal, some of the best destruction strategies are medical records shredding services.

Covered entities are responsible for ensuring their business associates protect PHI during disposal. As a result, it’s critical they have secure processes in place for medical records shredding.

With a HIPAA compliant shredder, you can follow and monitor the process. These providers offer opportunities to witness the shredding, and use locked bins to secure the documents.

There are several different options available for shredding medical records and ensuring they’re properly destroyed in compliance with HIPAA, including:

Mobile Shredding

Mobile shredding remains the primary method for medical records shredding, and for good reason. A shredding truck equipped with an industrial shredder comes directly to your location to shred the documents. This allows you to witness the document destruction yourself. HIPAA compliant shredders will also offer a certificate of destruction, giving you liability protection.

Off-Site Shredding

For a cost-efficient, but still secure, alternative, you can choose an off-site shredding service. A truck comes to your location to pick up the medical records, then takes them to the provider's facilities for destruction using an industrial shredder.

During transport, locked bins secure the documents. Once at the shredding location, the documents run through a specific cross-cut shredding process. This meets HIPAA’s specific requirements for medical record destruction. Once complete, you will receive a certificate of destruction.

Both options provide security and assurance in the form of locked shredding bins and certificates of destruction. The choice comes down to cost, convenience, and personal preference.

The critical aspect for compliance in medical records shredding is the certificate of destruction. This certificate provides the documentation necessary for HIPAA compliance, and protects your practice in the event of a legal dispute.

Besides documenting when and where the shredding took place, a certificate of destruction also details who completed the shredding.

Who Uses Medical Record Shredding Most?

Hospitals, medical practices, and other businesses and organizations use HIPAA compliant shredders most frequently. Some of the specific types of medical practices, departments, and businesses that use document destruction services include:

  • Assisted Living
  • Dental Practices
  • Emergency Medicine
  • Family Medicine
  • Internal Medicine
  • OB/GYN
  • Neurology
  • Pediatrics
  • Radiology
  • Covered Entities and Business Associates

Besides those listed here, any practice or organization that handles PHI can use and benefit from having a medical records shredding provider.


Need Shredding Services? Get Free Medical Record Shredding Quotes Today!

HIPAA compliant medical records shredding services ensure PHI is protected and cannot put your practice at risk. Shred Nations partners with a network of medical records shredding providers located throughout the nation. We can provide you with a secure and affordable mobile shredding or off-site option that keeps your medical records compliant with all state and federal laws.

For more information on any of our available services or to begin comparing quotes from HIPAA compliant shredders in your area, just give us a call at (800) 747-3365, or simply fill out the form to get free and competitive medical records shredding quotes today!
