The HIPAA Privacy Rule requires that covered entities apply appropriate safeguards to protect the privacy of protected health information (PHI). The required safeguards include:

  1. Administrative safeguards
  2. Physical safeguards
  3. Technical safeguards

The rule includes requirements for the acceptable destruction of protected health information.

What is Required for Proper PHI Disposal?

Under the HIPAA Privacy Rule, covered entities must implement reasonable safeguards to avoid prohibited uses or disclosures of PHI. The reasonable safeguards that must be implemented include policies and procedures to address the final disposal of PHI. 

Covered entities, when developing these policies and procedures, should include reasonable safeguards that protect PHI from intentional or unintentional use or disclosure. For example, policies and procedures should contain a prohibition against disposing trash containing PHI in locations such as dumpsters, that are accessible by the public or other unauthorized individuals.

When considering what policies and procedures to develop, covered entities should:

  1. Take into account their particular environment
  2. Be mindful of what locations within that environment are used to store trash

Taking this environment into account enables covered entities to develop and implement policies and procedures for trash disposal from all locations.

What Types of PHI Disposal Methods Must be Used?

The Privacy Rule does not dictate that any particular methods to dispose of trash containing PHI be used. Nonetheless, the Department of Health and Human Services (HHS) has developed guidance related to PHI disposal methods. Under this guidance, proper paper PHI disposal methods may include, but are not limited to:

  1. Shredding,
  2. Burning,
  3. Pulping,
  4. Pulverizing, or
  5. Other methods that render PHI unreadable and unable to be reconstructed.

Proper PHI disposal may also be accomplished by:

  1. Maintaining labeled prescription bottles and similar forms of PHI in a secure area in opaque bags; and 
  2. Using a business associate disposal vendor to remove and shred or otherwise destroy the PHI. 

Other methods of disposal may also be appropriate, depending on the circumstances. Covered entities, in developing their policies and procedures, should consider the steps that other prudent healthcare and health information professionals are taking to protect patient privacy in connection with record disposal. In addition, if a covered entity is winding up a business, the covered entity may wish to consider giving patients the opportunity to pick up their records prior to any disposition by the covered entity.

Do I Need to Train My Workforce About Proper PHI Disposal?

Covered entities are responsible for ensuring that their workforce members, including volunteers, are properly trained on the policies and procedures for disposal of PHI. Further, covered entities must ensure that their workforce members receive training on, and follow, the covered entity’s policies and procedures of the covered entity, as is necessary and appropriate for each workforce member. 

Any workforce member involved in disposing of PHI, or any workforce member who supervises others who dispose of PHI, must receive training on disposal. This includes any volunteers.