How to Ensure HIPAA Compliance During PHI Disposal
Sep 5, 2014
Healthcare industry generates an enormous amount of waste, and this waste comes in many forms and falls under many regulations. You have to worry about proper disposal of anything from masks, gloves and syringes to organs and old equipment. But there is one type of medical waste that often gets overlooked—medical records.
Medical records also come in many forms and media, but print and digital files are the two prevailing formats. As you know, you are required to retain medical records for a certain period of time, depending on where your practice is located. In Maryland, for example, the length of medical record retention (with a few exceptions) is 5 years or until the patient is 21 years old. So what happens with all this expired paperwork?
The paper waste produced by your practice or hospital may fall under the Health Insurance Portability and Accountability Act (HIPAA). It was enacted in 1996, among other things, to “protect the privacy of individually identifiable health information.” This personal health information (PHI) can be written, printed, oral, digital or maintained in some other medium. Your patient’s medical record is comprised of documents that contain PHI, such as:
- demographic information
- payment history
- test and lab results
- hospital ID bracelets
- insurance information
HIPAA has established a list of 18 identifiers that, when either one is listed on a document, connect it to a specific person. As a healthcare provider, you have limited rights as to what information you can collect from your patients and who it is shared with. You also have certain responsibilities when it comes to maintaining PHI privacy and its proper disposal.
Disposal of PHI
As you might have guessed, you can’t just throw your patients’ medical records in a trashcan and be done with it. Imagine how many people from the cleaning lady to the garbage man can access those documents on their way to the dump, where they are not safe either.
While HIPAA doesn’t require you to follow a specific method of PHI disposal, you should use your best judgment to make sure that your selected disposal procedure leaves no chance for information recovery and patient identification. If you are dealing with digital records, overwriting, purging or destroying the storage media often gets the job done. Here are some of the disposal methods you can try for PHI in paper form:
It’s easier if you select a local disposal vendor to take care of your Maryland HIPAA waste on an ongoing basis. Because you are responsible for the PHI waste until the moment it’s destroyed, you need a vendor you can trust. At BWS, we go as far as providing you with a certificate of destruction upon the job completion.
Educate Your Staff About PHI
In many cases, the disclosure of PHI and violation of HIPAA are the products of human error. If you have a large practice that generates a huge amount of PHI documents, it’s easy for someone to make a mistake. Take the time to train your nurses, medical assistants and other personnel on HIPAA compliance. Make sure they can identify PHI documents, understand their responsibilities and follow the established disposal procedures.
If a PHI breach occurs, you are required to submit a breach notification to the U.S. Department of Health and Human Service. And if your patient has a reason to believe that their HIPAA rights were violated, they can also file a complaint with the Office for Civil Rights. In case of a HIPAA violation, not only do you face a fine and potential criminal penalties, but you may be putting your patients at risk of identity theft. If you haven’t partnered with a trusted Maryland HIPAA waste removal provider yet, be sure to give us a call. We are local, highly trained and we stay up to date on all the latest changes in waste removal regulations to make sure we always comply.
"I’ve been using Biomedical Waste Services, Inc. for nearly 20 years! I’ve had superior customer service since day one with no surprises on our invoices."
- Dr. Kim