Patient privacy and confidentiality are huge issues in healthcare. Cybercrime is a growing concern, particularly as more providers adopt electronic health records. For example, there were twice as many reported data breaches during the first five months of 2022 than in the same period in 2021.
Although cybercrime gets a lot of attention, patient privacy is often compromised the old-fashioned way by improper disposal of paper documents containing patients’ protected health information (PHI). Any documents that have PHI should be stored securely before shredding/destruction and never mixed in with regular trash or recycling.
Sharps Compliance offers secure, HIPAA-compliant document shredding and destruction services in select markets to help ensure providers comply with HIPAA regulations and protect patients’ health data and privacy.
HIPAA Regulations and Healthcare Providers
In 1996, Congress passed HIPAA, the Health Insurance Portability and Accountability Act, and the rules went into effect in 2003. The law was designed to “improve the efficiency and effectiveness of the health care system” and enact “federal privacy protections for individually identifiable health information.”
The HIPAA Privacy Rule “requires appropriate safeguards to protect the privacy of protected health information and sets limits and conditions on the uses and disclosures that may be made of such information without an individual’s authorization.”
All healthcare providers and clearinghouses, health plans, and other covered entities must dispose of patients’ health information in a HIPAA-compliant manner.
HHS suggested disposal/destruction methods include:
- For PHI in paper records, shredding, burning, pulping, or pulverizing the records so that PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed.
- Maintaining labeled prescription bottles and other PHI in opaque bags in a secure area and using a disposal vendor, who is considered a business associate and held to the same confidentiality standards, to pick up and shred or otherwise destroy the PHI in a way meeting the required standard.
HIPAA Violations Can Be Costly
HIPAA-compliant document management and disposal protect your patients’ privacy and your organization’s financial bottom line. Failure to comply with HIPAA can result in both civil and criminal penalties. The fines escalate quickly for repeat violators.
- Fines can range from $100-$50,000 (per record) based on the level of negligence.
- The maximum penalty is $1.5 million annually for violations of an identical provision.
- Violations can also result in jail time if the entity has been cited but did nothing to correct the issues (willful neglect). Fines increase with the number of patients and amount of neglect.
In addition to the regulatory costs, bad publicity for the hospital or practice may erode patient trust and confidence.
For example, in 2019, New York City reporters found boxes containing hundreds of medical files piled on the street outside an office building. The files included “patient names, social security numbers and sensitive medical diagnoses.” The medical practice responsible said the documents were “waiting to be picked up by the shredding company” and that the records had been “thrown out inadvertently.”
In 2018, HHS fined a medical records maintenance, storage, and delivery services provider $100,000 after an anonymous tip led investigators to a parking lot where they found over 2,000 medical records in an unsecured company truck.
Know the Rules and Train Your Employees
An HHS fact sheet is clear about the generator’s responsibility to provide proper employee training:
“Covered entities must ensure that their workforce members receive training on and follow the disposal policies and procedures of the covered entity, as necessary and appropriate for each workforce member.”
Many organizations have specific disposal containers for different waste streams:
- Secure containers for sharps and regulated medical wastes
- Pharmaceutical waste collection containers
- Cans for regular trash
- Recycling bins
- Secure containers for sensitive documentation that requires shredding
However, employees must understand the system and use it properly.
In a 2018 study published in the Journal of the American Medical Association, researchers found that “documents containing medium- and high-sensitivity items were being disposed of in the recycling” at hospitals and other medical care facilities. Employees naturally want to recycle as much as possible but may not consider the privacy and regulatory consequences of mixing PHI documents with regular recycling. Proper employee training is a must!
Sharps customers have access to our ComplianceTrac online training and audit platform. It’s available 24/7 and offers convenient, accessible HIPAA training tools. Your staff can access required training on their schedule.
Stay Compliant with Sharps Compliance Shredding Services
At Sharps Compliance, we offer everything your facility needs to securely collect and store documents with PHI at your facility before pickup and disposal.
Our document shredding service includes:
- Secure containers provided for the collection of materials
- Acceptance of all paper products containing PHI
- Pickup available at scheduled frequencies
- Flat-fee pricing per cabinet – no hidden fees or surcharges
- Documents destroyed at an NAID-approved facility
- Document tracking and Certificate of Destruction that should be retained in case of a HIPAA audit or other legal need
We offer this HIPAA-compliant waste management service in selected markets. Contact us at 800.772.5657 for more information about our shredding and secure document destruction services.