All healthcare providers and their business associates have an ethical and legal obligation to follow the provisions of the Health Insurance Portability and Accountability Act (HIPAA). HIPAA was passed by Congress in 1996; the implementing standards, detailed in 45 CFR Parts 160, 162, and 164, are designed to safeguard patients' private, sensitive information from misuse. The HIPAA Privacy Rule took effect in 2003. Since then, the rules have undergone two major modifications in order to keep up with the transition to electronic medical records and digital communications.
HIPAA prohibits impermissible disclosure of individually identifiable health information in any format, whether the disclosure is intentional or accidental, and requires reasonable safeguards to limit incidental disclosures, including during disposal. When it comes to medical waste, disposal and destruction of any Protected Health Information (PHI) in document or specimen form must comply with HIPAA regulations.
When and How Are Medical Records Destroyed?
Healthcare providers, such as hospitals, nursing homes, pharmacies, and dental practices, generate large volumes of medical records that eventually need disposal. Medical records contain PHI such as the data below, plus much more:
- Social security numbers
- Health plan information
HIPAA itself requires that required documentation (policies, procedures, and records of required actions and assessments) be retained for at least six years from the date of creation or the date when last in effect. Retention periods for the medical records themselves are set by state law and other regulations, which often require even longer retention.
Once ready for disposal, documents intended for destruction should be housed in secure, lockable collection containers that are strategically located in the building. In addition to such physical safeguards, providers and business associates must also implement administrative and technical policies and procedures for their staff to ensure such documents remain secured until shredding, in order to prevent, detect, contain, and correct any security violations.
A document destruction vendor is a business associate, so the entity and the vendor must execute a Business Associate Agreement detailing the security measures and safeguarding practices that apply while the PHI is in the vendor's custody, including collection, transit, storage, and destruction. Proof of destruction, usually in the form of a "Certificate of Destruction," should be retained in case of a HIPAA audit or any other legal need. This certificate is usually supplied after destruction and details the following information:
- Chain of custody
- Method of destruction
- Various conditions, terms, and/or policies related to sensitive material processing
PHI on Medical Waste
PHI can also be found on medical waste like specimen cups, vacutainers, centrifuge tubes, suction canisters, glass slides, tissue cassettes, IV bags, prescription medication packaging, and many other items. PHI may be affixed directly to such items or via a removable label.
Proper disposal of these items depends on a number of factors, including the following:
- Level of contamination (if potentially infectious)
- Classification of the type of prescription medication
Medical waste that meets the criteria under OSHA's Bloodborne Pathogens Standard must be managed by a regulated waste provider, and any PHI affixed to such waste should be destroyed according to standard processes. Medical waste bearing PHI that does not meet OSHA's criteria for regulated waste, such as items that are only minimally soiled or contaminated solely with non-regulated fluids, should still be managed conservatively to ensure the sensitive information is properly destroyed.
HIPAA Violations and Training
HIPAA is primarily enforced by the Department of Health and Human Services' Office for Civil Rights (OCR), and state attorneys general may also bring enforcement actions. Violations can come to light through periodic audits, compliance reviews, or complaint investigations. Lack of staff awareness of HIPAA rules is a common cause of violations. The Office of Inspector General recommends that entities provide their staff with robust training and education, because violations can carry civil penalties of up to $50,000 per violation.
Though there is no single standardized program appropriate for training all employees of all types of entities on HIPAA requirements, the U.S. Department of Health and Human Services has developed a number of resources, such as training videos and infographics, to help covered entities and business associates comply. Sharps Compliance's ComplianceTrac online training platform offers convenient, accessible HIPAA training and auditing tools that can help employers identify areas in their practice in need of attention.
OCR periodically issues guidance to help entities keep up with changes in the legal environment, such as newer forms of digital PHI. State or other federal rules that are more stringent than HIPAA are not preempted by it and must also be followed, so compliance can often seem like a complex or confusing matter.
When it comes to HIPAA-compliant shredding, it is important that entities select a document destruction vendor that can ensure all PHI is rendered unreadable, indecipherable, and incapable of being reconstructed. Call Sharps Compliance today for more information on our secure information destruction services.