What’s the proper way to dispose of PHI?
Covered
entities are not permitted to simply abandon PHI or dispose of it in dumpsters
or other containers that are accessible by the public or other unauthorized
persons. However, the Privacy and Security Rules do not require a particular
disposal method. Covered entities must review their own circumstances to
determine what steps are reasonable to safeguard PHI through disposal, and
develop and implement policies and procedures to carry out those steps. In
determining what is reasonable, covered entities should assess potential risks
to patient privacy, as well as consider such issues as the form, type, and
amount of PHI to be disposed. For instance, the disposal of certain types of
PHI such as name, social security number, driver’s license number, debit or
credit card number, diagnosis, treatment information, or other sensitive
information may warrant more care due to the risk that inappropriate access to
this information may result in identity theft, employment or other
discrimination, or harm to an individual’s reputation.
In general, examples of proper disposal methods may include, but are not limited to:
· For PHI in paper records, shredding, burning, pulping, or pulverizing the
records so that PHI is rendered essentially unreadable, indecipherable, and
otherwise cannot be reconstructed.
· Maintaining labeled prescription bottles and other PHI in opaque bags in a
secure area and using a disposal vendor as a business associate to pick up and
shred or otherwise destroy the PHI.
· For PHI on electronic media, clearing (using software or hardware products to
overwrite media with non-sensitive data), purging (degaussing or exposing the
media to a strong magnetic field in order to disrupt the recorded magnetic
domains), or destroying the media (disintegration, pulverization, melting,
incinerating, or shredding).
Other methods of disposal also may be appropriate, depending
on the circumstances. Covered entities are encouraged to consider the steps
that other prudent health care and health information professionals are taking
to protect patient privacy in connection with record disposal. In addition, if
a covered entity is winding up a business, the covered entity may wish to
consider giving patients the opportunity to pick up their records prior to any
disposition by the covered entity (and note that many states may impose
requirements on covered entities to retain and make available for a limited
time, as appropriate, medical records after dissolution of a business).