
HIPAA Explained: How to Dispose of Protected Health Information

HIPAA, we all know what it means.  Vague rules and regulations designed with one purpose in mind, to drive every member of the healthcare industry insane.
With that in mind we’ll periodically present an explanation of one topic that falls under HIPAA.  Today’s topic?  How do you dispose of protected health information without violating any HIPAA regulations?
1. What do the HIPAA Privacy and Security Rules require of covered entities when they dispose of protected health information?
Covered entities must implement reasonable safeguards to limit incidental, and avoid prohibited, uses and disclosures of PHI, including in connection with the disposal of such information. In addition, the HIPAA Security Rule requires that covered entities implement policies and procedures to address the final disposition of electronic PHI and/or the hardware or electronic media on which it is stored, as well as to implement procedures for removal of electronic PHI from electronic media before the media are made available for re-use.

  • Create a policy.
  • Train one person to implement the policy.
  • That person and only that person is responsible for the disposal of patient information.
  • No particular disposal method is required under these rules. What is required is that the information cannot be read or reconstructed afterwards.
    • Methods include:
      • Shredding
      • Burning
      • Pulping
      • Pulverizing
      • Software designed to overwrite electronic data
      • Purging of electronic data
      • Melting of electronic media

2. If a covered entity is closing up a business, the covered entity may wish to consider giving patients the opportunity to pick up their records prior to any disposition by the covered entity (and note that many states may impose requirements on covered entities to retain and make available for a limited time, as appropriate, medical records after dissolution of a business).
3. May a covered entity hire a business associate to dispose of protected health information?
Yes, a covered entity may, but is not required to, hire a business associate to appropriately dispose of protected health information (PHI) on its behalf.  In doing so, the covered entity must enter into a contract or other agreement with the business associate that requires the business associate, among other things, to appropriately safeguard the PHI through disposal.
4. May a covered entity reuse or dispose of computers or other electronic media that store electronic protected health information?
Yes, but only if certain steps have been taken to remove the electronic protected health information stored on the computers or other media before its disposal or reuse, or if the media itself is destroyed before its disposal.
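The overwrite-then-verify step from the list above, together with the disposal record a written policy would want from the one responsible person, as an added example (not from the original post or any HHS guidance; the file path, custodian name and record fields are assumptions):

```python
import hashlib
import os
import secrets
from datetime import datetime, timezone

# Electronic-media disposal methods named on the page; only "overwrite" is done in software.
ELECTRONIC_METHODS = ("overwrite", "purge", "melt", "pulverize", "shred", "burn")


def overwrite_file(path, passes=2, chunk=1 << 16):
    """Overwrite every byte of the file in place with random data, forcing
    each pass to disk. Returns the number of bytes overwritten per pass."""
    size = os.path.getsize(path)
    for _ in range(passes):
        with open(path, "r+b") as f:
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                f.write(secrets.token_bytes(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())
    return size


def dispose_file(path, custodian, method="overwrite"):
    """Clear a file holding ePHI, confirm the old bytes are gone, and return
    the disposal record the policy calls for (what, how, who, when, verified)."""
    if method not in ELECTRONIC_METHODS:
        raise ValueError(f"method not in the policy's approved list: {method}")
    with open(path, "rb") as f:
        original = f.read()
    digest = hashlib.sha256(original).hexdigest()
    marker = original[:64]  # fragment used to prove the old content is gone
    size = overwrite_file(path)
    with open(path, "rb") as f:
        cleared = f.read()
    # Caveat: in-place overwrite assumes the filesystem writes back to the same
    # blocks; on SSDs, journaling or copy-on-write filesystems remnants can
    # survive, which is why purging or destroying the media stays on the list.
    verified = size > 0 and hashlib.sha256(cleared).hexdigest() != digest and marker not in cleared
    return {
        "media": os.path.basename(path),
        "bytes": size,
        "method": method,
        "custodian": custodian,  # the single person the policy makes responsible
        "time": datetime.now(timezone.utc).isoformat(),
        "verified": verified,
    }
```

A record with `verified` False (or an empty file) should be escalated rather than filed, since the policy requires that the information cannot be reconstructed.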