What Materials Are Covered Under HIPAA Shredding?
Currently, the U.S. healthcare system relies on a set of codes to report diagnoses and inpatient procedures. The ICD-9 code set will soon be replaced by the more detailed ICD-10, with a deadline for the transition of October 1, 2015. Transitioning to ICD-10 is required by anyone covered by the Health Insurance Portability Accountability Act (HIPAA), including doctors, hospitals and health insurance companies, all of whom rely on these codes for diagnosing patients and billing for services.
With the deadline on the horizon, it’s a good reminder for practitioners and organizations to also consider their shredding needs and understand the rules governing medical information document destruction.
HIPAA requiring healthcare providers to regularly shred documents containing information on patient’s medical histories is one of the most explicitly outlined requirements in the 1996 law — to prevent identity theft. It is imperative that any company collecting or holding medical records ensure that spare copies of those records are destroyed regularly.
What kinds of materials are covered under HIPAA shredding regulations? How do you know whether a piece of paperwork goes into the “to-be-shredded” pile or whether it’s okay to just toss in the trash can?
A good rule here is “when in doubt, shred it.” If you can’t figure out whether a particular piece of paperwork is covered by HIPAA shredding regulations, it’s best to assume that it is and should therefore be destroyed. Here’s a brief list of what kinds of forms and document should be shredded under HIPAA shredding laws:
Anything with a social security number.
This is good practice not just for HIPAA, but as a general rule. SSNs are like gold to identity thieves — if you see a nine-digit number on a form, toss it in the shredder.
Anything with a name and address.
This might seem strange, since it’s just about the most easily accessible information out there. But what’s important here is keeping in compliance with HIPAA shredding rules — which dictate that anything with a name and address is considered “private information.”
Anything with a birthdate.
If it has a birthdate on it, chances are it’s got a name on it too, making it easy for identity thieves to match up someone’s name and birthday. Always assume that if a document features a name and at least one other piece of identifying information, it’s covered by HIPAA shredding rules.
Photographs and x-rays.
Many times, identity thieves will “steal” health care by pretending to be someone who is eligible for better insurance or free care. Often, photographs and x-rays won’t include faces, so it can be relatively easy for an identity thief to pretend to be the patient in question.
Electronically stored information — including voicemail.
HIPAA shredding rules include parameters for destroying information stored on hard drives and other digital media. Often, this information is easier to access than paperwork, simply because protecting data on a computer is more complicated than tossing an insurance form in a shredding machine.
Here at Legal Shred, we are ready and able to assist you regarding the appropriate handling of patient files and their secure destruction to maintain HIPAA compliance.
Call us for a quote today.