Why does HIPAA require healthcare providers to regularly shred documents with patient information? Here’s what you need to know.
The Health Insurance Portability and Accountability Act (HIPAA) requires healthcare providers to dispose of documents containing patients' protected health information (PHI) so that the information cannot be read or reconstructed, and shredding is the standard way to do that for paper. The 1996 statute does not name shredding itself; the requirement comes from the Privacy Rule's safeguards standard and from Department of Health and Human Services (HHS) guidance on disposal, which lists shredding, burning, pulping and pulverizing as acceptable methods for paper records. The goal is to keep discarded records out of the hands of anyone not authorized to see them, identity thieves included. Any organization that collects or holds medical records must make sure that spare, duplicate or outdated copies are destroyed on a regular schedule rather than left in a dumpster or a recycling bin.
The Privacy Rule (45 CFR 164.530(c)) requires a covered entity to implement "appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information." This general obligation is the same for hardcopy and electronic information, and it encompasses the disposal of PHI: HHS guidance says discarded PHI must be rendered essentially unreadable, indecipherable and impossible to reconstruct. The Security Rule adds a specific standard for electronic PHI: covered entities must have policies and procedures for the final disposition of ePHI and of the hardware or media it is stored on (45 CFR 164.310(d)(2)(i)).
What kinds of materials are covered under HIPAA shredding regulations? How do you know whether a piece of paperwork goes into the "to-be-shredded" pile or whether it is fine to toss in the trash? The general takeaway from HIPAA enforcement actions is simple: treat anything that contains patient information as PHI and dispose of it accordingly.
Here’s a brief list of what kinds of forms and documents should be shredded under HIPAA law:
Anything with a social security number.
This is good practice not just for HIPAA but as a general rule. SSNs are like gold to identity thieves: if a form carries one, it goes in the shredder.
Anything with a name and address.
This might seem strange, since a name and address are about the most easily accessible information there is. But under HIPAA, a patient's name and any geographic detail smaller than a state are two of the eighteen identifiers that make health information individually identifiable. A document from a provider that carries a patient's name and address is PHI and must be shredded.
Anything with a birthdate.
If a document has a birthdate on it, chances are it has a name on it too, which lets a thief match a name to a date of birth. A safe working rule: if a document from your practice carries a name plus any other identifier (date of birth, phone number, account number, medical record number), treat it as PHI and shred it.
Photographs and x-rays.
Medical identity theft is common: a thief uses another person's identity to obtain care, prescriptions or insurance benefits. Photographs and imaging such as x-rays are PHI when they carry, or can be linked to, a patient's name, medical record number or dates, and full-face photographs are themselves one of HIPAA's listed identifiers. Because most clinical images do not show a face, an imposter holding a patient's imaging and identifiers is hard to distinguish from the real patient, so film and photographs must be disposed of with the same care as paper records.
Electronically stored information — including voicemail.
HIPAA disposal rules apply to PHI stored on hard drives, backup tapes, USB drives, the internal storage of copiers and fax machines, and voicemail systems. HHS guidance, which follows NIST Special Publication 800-88, accepts three outcomes: clearing (overwriting the media with non-sensitive data), purging (degaussing magnetic media), or destroying (disintegration, pulverization, melting, incineration or shredding). Simply deleting files or reformatting a drive is not enough, because deletion only removes the directory entries and the data stays readable with ordinary recovery tools. Discarded electronic media is in some ways a bigger risk than paper: one small drive can hold the records of an entire practice, and it is easy to forget that a copier or phone system has storage inside it.
Prescription bottles count, too.
Practitioners should keep labeled prescription bottles in opaque bags in a secure area, and use a disposal vendor to pick up and shred the materials.
Legal Shred is HIPAA compliant and has the expertise to help you comply with the law and keep your patients’ PHI protected at all times.
- Guidelines for Medical Record Shredding
- Hospital Discharge Paper Shredding & Identity Protection
- Dermatology Practice Gets Hit With Fine for Thumb Drive Breach