How the Right Shredding Company Can Help with HIPAA Compliance
Zoe’s Health Records
Several years ago, Zoe, a young 12-year-old who was vacationing locally, visited the local hospital emergency room with what appeared to be a broken leg from falling off of her bike. From the moment she spoke with the ER intake nurse, her Personally Identifiable Information (PII) and Protected Health Information (PHI) was in their system. But what happened to it after that? Did the healthcare organization keep it secure throughout its lifecycle?
Here’s a look at what happens to an individual’s information when they visit a healthcare facility.
On entry to the facility, a file was created with her personal information from her health insurance card and her parents’ testimony about her health history. The information included:
- Patient and parents’ names
- Date of birth and birthplace
- Home address and phone number
- Email address
- Medical record and health plan numbers
- Patient account number assigned by the medical facility
This information immediately became governed by the Health Insurance Portability and Accountability Act (HIPAA) rules that require all PHI to be kept confidential and protected against access and misuse from internal and external sources. It also stipulates how long the information must be kept and when it must be securely destroyed.
As tests and x-rays were conducted, information, results, and images were added to Zoe’s medical record. All of this additional PHI is instantly protected by HIPAA rules, and the hospital and staff are held responsible for keeping it private and protected, whether the information was in hard copy or digital format. Her PHI passed from one department to another and was seen and used by doctors and nurses who each added information of their own throughout Zoe’s stay.
When Zoe was released, her information was requested by and sent to her primary care physician at home, who is also obligated to follow HIPAA rules.
Zoe never returned to that hospital, but the medical facility held her PHI in their system for the legally-mandated retention period, determined by federal and state regulations which specify when hard copy and digital records can be destroyed. From Zoe’s patient intake to the end of the retention period, the hospital was responsible for ensuring that her records remained secure and accessible only to authorized personnel for the purposes of providing healthcare or sharing information with other authorized healthcare providers or Zoe’s insurer.
When it comes to information destruction, HIPAA states the following:
- PHI on paper may be shredded, burned, pulped, or pulverized so that the PHI is unreadable, indecipherable and may not be reconstructed.
- Electronic PHI (ePHI) may be cleared by overwriting it, purged by degaussing or exposing the media to a magnetic field, or otherwise destroyed by disintegration, pulverization, melting, incinerating or shredding.
Using the services of a NAID AAA Certified, HIPAA-compliant shredding company is recommended because:
- It allows professional medical staff to focus on the care of patients like Zoe rather than shredding documents in house.
- It offers the best means of destroying both ePHI and paper PHI in a way that meets or exceeds HIPAA requirements.
- The shredding company will continue the same HIPAA-approved security measures from the point of removing the files from the hospital until they are fully destroyed.
- A professional shredding company uses security-screened destruction specialists trained to adhere to HIPAA requirements.
- A Certificate of Destruction can be provided after the records are destroyed so the healthcare provider has proof it has remained compliant with HIPAA rules and is no longer liable for the patient’s PHI.
- A professional shredding company can offer scheduled shredding services so patient records can be dropped into locked shred collection containers and protected until they are picked up for shredding.
- As an added value, responsible shredding companies will also recycle 100 percent of their shredded paper.
As you can see, partnering with a NAID AAA Certified, HIPAA-compliant shredding company is the preferred method of complying with HIPAA information destruction requirements.
Pacific Shredding provides healthcare organizations throughout California’s Central Valley with HIPAA-compliant, NAID AAA Certified shredding services. For help with all of your secure shredding needs, give us a call at 800-685-9034 or complete the form on this page. Our friendly experts are standing by!