How to Ensure HIPAA-Compliant Document Destruction
The Health Insurance Portability and Accountability Act (HIPAA) was enacted as a federal law in 1996 to combat insurance fraud and medical identity theft. The act’s Privacy Rule states that healthcare providers and their business associates must implement “appropriate administrative, technical and physical safeguards to protect the privacy of protected health information (PHI).” As a result, when disposing of PHI, you must prevent unauthorized access to that information. Here we share our knowledge about ensuring HIPAA-compliant document destruction in your organization.
Use a NAID AAA Certified Provider
Outsourcing the destruction of medical records may ensure HIPAA compliance, but only if your shredding provider is National Association of Information Destruction (NAID) AAA Certified. To achieve AAA status, a provider must meet strict security regulations verified by an independent Certified Protection Professional (CPP), accredited by the American Society for Industrial Security International (ASIS). CPPs assess the following areas during scheduled and unannounced audits:
- Employee screening processes
- Operational practices
- Security procedures
Additionally, NAID requires that all paper be destroyed with a cross-cutting shredding process that reduces it to a tiny particle size. Together, these requirements significantly reduce privacy risks to PHI.
Update Your HIPAA Business Associate Agreements
Any supplier or vendor that handles PHI for a HIPAA-covered entity is required to sign a HIPAA business associate agreement. This document requires your business associates to abide by HIPAA security and privacy rules, and is legally binding. Your document destruction provider should also sign a HIPAA business associate agreement. If they refuse to do so, you should look for another provider.
Verify Chain of Custody
HIPAA-compliant destruction requires an unbroken chain of custody during the collection, handling and disposal of PHI. Your document destruction provider should have strict policies in place to keep PHI secure at all times. These policies should include:
- Locked shred collection containers
- Video recording of the shredding process
- Transport of PHI in GPS-tracked vehicles
- Issuing of a Certificate of Destruction
Ask your document destruction partner to give you step-by-step procedures for the entire destruction process.
Destroy Media Containing PHI
Healthcare providers now use electronic health records as much as paper records. Like paper records, electronic health data should be destroyed in a manner that prevents unauthorized access to PHI. Merely deleting files or overwriting PHI stored on hard drives or backup tapes should never be used as a final disposition solution for this information. With the right tools, criminals can recover PHI from deleted media and devices. Instead, use a hard drive shredding service in which specialized shredders crush your media into tiny pieces, making it impossible to recover PHI.
Understanding and using HIPAA-compliant document destruction helps your healthcare organization keep patient privacy intact.
Pacific Records Management provides NAID AAA Certified shred services for businesses throughout Fresno, Stockton, Sacramento, Modesto, and Napa and Solano Counties.