Medical facilities handle a wide range of personal patient records throughout the day. These records contain sensitive information that hackers and other malicious parties can easily use to their benefit. For that very reason, federal laws like HIPAA have been in effect for over 20 years. HIPAA compliance in document shredding is something that all medical facilities and other relevant parties need to prioritize if they want to maintain their status as reliable, reputable, and law-abiding entities. This guide will introduce you to the details of HIPAA and the steps you need to take to maintain patient record security.
What Is HIPAA?
HIPAA stands for the Health Insurance Portability and Accountability Act. This federal law came into effect in 1996 in an attempt to keep private medical records (physical and electronic) exactly that: private. HIPAA’s primary goal was to prevent problems like identity theft, insurance fraud, and other possible forms of PHI (protected health information) abuse from plaguing medical patients. Entities such as healthcare providers and their business associates are “covered entities” that, by law, must abide by HIPAA’s guidelines. If a covered entity doesn’t handle and dispose of PHI in accordance with HIPAA, it will inevitably face fines, a bad reputation in the industry, and potentially even a lawsuit.
PHI Protected by HIPAA
Now that you know what PHI stands for and that facilities need to dispose of it properly, we’ll dive into what exactly counts as PHI. Below are examples of patient information that covered entities need to dispose of in accordance with HIPAA guidelines:
- Birthdates (or dates of any kind)
- Social security numbers
- Phone numbers
- Record numbers
- Account numbers
- Fax numbers
- Serial numbers for vehicles or devices
- Photographs (including x-rays)
- Biometric information (fingerprints, retinal scans, etc.)
- Home addresses (as well as any form of geographical information)
- IP addresses
- Email addresses
Tips for Complying With HIPAA
HIPAA compliance is something every medical facility must take seriously, and, although you should feel more comfortable with your knowledge of the subject by now, there’s still more to learn. The tips below will help medical facilities follow and enforce HIPAA guidelines in the workplace every day.
Never Place PHI in the Trash
From their first day on the job, all authorized personnel handling records containing PHI need to know when and how to dispose of such information. Records containing PHI should never go into a standard trash bin, recycle bin, or personal shredder. Doing any of those tasks puts that information at risk of falling into the hands of malicious parties once it leaves your office. Don’t forget to complete thorough background checks on authorized personnel to ensure you can trust them with the handling and disposal of PHI.
Never Leave PHI Out in the Open
Building on the previous point, instruct all authorized personnel to refrain from leaving records containing PHI out in the open, unattended, for someone to see or take. This is especially important when visitors are around, but even if it’s just other employees in the building, those records should never be out of your reach or out of your sight unless they’re in a secured location.
Furthermore, your medical facility needs to keep PHI under lock and key at all times to prevent anyone from taking advantage of it. Not only should you keep this information under lock and key, but there must also be security measures in place that ensure only authorized personnel have access to the key. Additionally, whenever an authorized staff member takes that key, there needs to be a record of it so that, if medical files containing PHI go missing or are otherwise compromised, you can track down who had them last and start your investigation from there.
NAID AAA Certification
Seek help through an NAID AAA certified document/media destruction company. NAID, which stands for National Association for Information Destruction, keeps an eye on professional document/media destruction companies to ensure they’re maintaining industry standards through legal and secure means.
To put it simply, NAID ensures that a professional destruction service is really doing what they claim—securely handling and disposing of your designated records. If a destruction service has AAA certification from NAID, you can rest easy when allowing them to work with your medical facility.
Business Associate Agreement
Earlier in this guide, we briefly noted that business associates of healthcare facilities are also considered covered entities that have to abide by HIPAA whenever they handle PHI. To ensure that your business associates, including document shredding services, work within the security and privacy guidelines laid out by HIPAA, put together a BAA (business associate agreement) for them to sign. If any business associate refuses to sign the agreement, you’ll need to look elsewhere for more reputable associates to work with.
Certificate of Destruction
A Certificate of Destruction is a document any organization or agency should receive upon completion of their media destruction process. Aside from a unique transaction number, your certificate should list information about the destruction process, such as the date you gave the records to the shredding service, the date on which the destruction took place, the location in which it took place, and the name of the employee who successfully carried out the destruction.
Always make sure that you receive a Certificate of Destruction after any kind of materials destruction process. It’s not just for peace of mind; that certificate can come in handy in events like audits or lawsuits. Saying that you’re HIPAA or NAID compliant is one thing, but taking the extra step to obtain and provide proof of that compliance is another thing entirely.
Secure destruction of digital records is just as important as it is for physical records. Instead of simply deleting digital PHI, you should put devices like laptops and hard drives through the same destruction process as physical records. A competent professional paper shredding company should also offer additional media destruction (hard drives, laptops, CDs, DVDs), which means you won’t have to seek out two companies for two different forms of PHI disposal.
As you can see, HIPAA compliance in document shredding isn’t just something to consider; it’s a federal law that entities like medical facilities have to follow consistently. Now that you know how to securely and legally dispose of PHI, you can prevent data breaches from occurring in your workplace.
When patients enter a medical facility, they should never feel as though their information is at risk of being recklessly used, stored, or discarded. If your medical facility needs secure, NAID AAA certified document destruction, The Shredding Company is here to help. We offer paper shredding services in DC with both offsite and onsite options—whichever is more convenient and comfortable for you.