Recent guidance from the U.S. Department of Health and Human Services in the form of six frequently asked questions reminds providers to properly dispose of Protected Health Information in compliance with HIPAA. So this is a good time to review how your organization handles PHI and update your policies. If you don’t have policies in place already, you need to fix this right away. Here is the gist of what DHHS has to say. Everyone who handles PHI should know this.
- Disposal Methods. HIPAA does not require any particular method for disposing of PHI, but every method must be reasonably designed to keep PHI away from the public and unauthorized persons. Keep PHI securely out of sight until it is obliterated. Burn, shred or pulp paper. Overwrite, degauss or physically destroy electronic media. Make sure PHI cannot be read, recovered or reconstituted.
- Dumpsters. The ordinary Dumpster is not secure. However unlikely it may seem that a plastic trash bag full of PHI will spill out of the Dumpster, that is an unacceptable risk. Before PHI goes into the Dumpster, it needs to be made indecipherable. If that’s not a reasonable option, then the Dumpster needs to be locked and the disposal workers need to understand their duty to safeguard the PHI in it while they carry it to its ultimate destruction. DHHS is making a point about Dumpsters, so it must believe providers still put lots of PHI in the trash.
- Business Associates. A provider can contract with a business associate to dispose of PHI.
- Recycled Electronics. A provider can recycle electronic media and devices that once held PHI, but only if the PHI is first made inaccessible to others.
- Off-Site Staff. The provider’s staff must be trained to handle PHI, and staff who work off-premises must be trained in the special problems that arise when carrying PHI off-site. Off-site workers may destroy PHI off-site if that is a reasonable way to handle it.
- Storage Times. HIPAA does not specify how long a provider has to keep PHI. That is a matter for other laws, rules and provider policies.
For the full text of "Frequently Asked Questions About the Disposal of Protected Health Information," see www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/disposalfaqs.pdf.