November 2021 – Disposing of PHI

Protected Health Information (PHI) comes in many forms. Usually, when we think of PHI, we think of electronic medical records, email, and the like, but it can also live on reams and reams of paper, on old computer drives, and in many other places. Properly disposing of this information once it is no longer needed is a major part of any HIPAA compliance program. Let's cover the basics so that you have a good idea of how to address this in your own practice or business.

Paper is a very common way of storing PHI. You may receive printed faxes from insurance carriers, billing companies, or hospitals. You may receive paper EOBs from payors. In addition, many sites still use paper in some form for patient charts. All of this paper must be accounted for and handled with the same level of care for patient privacy that we give to electronic PHI. The biggest area where this becomes a problem is the disposal of patient records. It is easy to simply throw away old records that a practice no longer needs, but several practices have been forced to pay large fines for exactly this kind of improper handling of patient information.

In 2012, a small Denver, Colorado-based pharmacy, Cornell Prescription Pharmacy, threw away the records of 1,610 patients. The records were in an unlocked dumpster on the property of the pharmacy. A local news outlet got wind of the records and contacted the Department of Health and Human Services Office for Civil Rights (HHS OCR). OCR began an investigation and found that the records had not been shredded or otherwise destroyed. In 2015, OCR announced that it had reached a settlement with the pharmacy: the pharmacy agreed to pay $125,000 and to abide by a corrective action plan. In addition to the $125,000 settlement amount, OCR required the pharmacy to develop and implement a comprehensive set of policies and procedures to comply with the Privacy Rule and to develop and provide staff training. This was done to address the deficiencies that OCR found in the pharmacy's compliance program.

It is very important that you have a documented process for disposing of all paper that contains PHI. Shredding is the easiest way to dispose of paper records, but if you have a large volume, your office shredder may not be up to the job. In that case, consider hiring a shredding company that will come to your location. They usually charge a per-box rate, which lets you securely destroy large volumes of paper records. Because the vendor handles PHI on your behalf, have a business associate agreement in place with them and keep the certificate of destruction they provide with your compliance records.

Another area of concern is old computers and backup systems. These systems all contain hard drives that likely hold PHI. When you replace your computers or other devices, how do you properly dispose of the old ones? There are many secure methods of destroying hard drives, but most are not practical inside a practice or business. The usual approach is to physically destroy the drives, either by drilling holes through them in multiple places or by running them through an industrial shredder. Shredding companies can often do this for you as well if you let them know ahead of time. If you have many drives that need to be destroyed, this is the easiest way to do it.

Keep in mind that you can donate old computers, but before doing so, the drives must be thoroughly sanitized. Ideally, donate computers without their hard drives. If you must include the hard drives, a secure wipe of the entire drive is necessary beforehand. This means overwriting every sector of the drive, and then verifying that the overwrite actually reached the whole drive; with modern, large drives this is a time-consuming process. (NIST SP 800-88 considers a single complete overwrite pass sufficient for conventional magnetic disks; extra passes mainly add time. Solid-state drives are a different matter: overwriting does not reliably reach every cell, so use the drive's built-in secure-erase or cryptographic-erase command, or destroy the drive physically.) When we perform this process in our office, it has taken as long as 48 hours per drive to run. We usually use our in-house drill press to destroy drives for customers.
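The wipe-and-verify routine described above, as an added example that is not part of the original article or the author's own procedure. It runs against a constructed disk image so it can be tried offline; the image contents and the 8 MiB size are made-up sample data, not real PHI. To use it on a real drive you would pass the device node (for example /dev/sdb, after confirming the target with lsblk) in place of the image file, which is destructive and irreversible.

```shell
#!/bin/sh
# Added example, not from the original article: overwrite a whole device with
# random data, finish with a zero pass, and verify the zero pass by comparing
# the device against a zero stream. Exercised here on a constructed image file.
set -eu

# Size of the target in bytes. wc -c is fine for an image file; for a real
# block device on Linux use: blockdev --getsize64 "$dev"
device_size() {
    wc -c < "$1" | tr -d ' '
}

# verify_zeroed DEVICE: succeed only if every byte of DEVICE is zero.
verify_zeroed() {
    size=$(device_size "$1")
    head -c "$size" /dev/zero | cmp -s - "$1"
}

# wipe_device DEVICE [PASSES]
# PASSES passes of random data (default 1), then one pass of zeros, then
# verification. One complete pass is what NIST SP 800-88 calls "Clear" for
# magnetic disks. For SSDs use the drive's own sanitize command instead, e.g.
# hdparm --security-erase or nvme format --ses=1, since overwriting may miss cells.
wipe_device() {
    dev=$1
    passes=${2:-1}
    size=$(device_size "$dev")
    i=0
    while [ "$i" -lt "$passes" ]; do
        head -c "$size" /dev/urandom | dd of="$dev" bs=1M conv=notrunc 2>/dev/null
        i=$((i + 1))
    done
    head -c "$size" /dev/zero | dd of="$dev" bs=1M conv=notrunc 2>/dev/null
    sync
    verify_zeroed "$dev"
}

# Build a constructed 8 MiB image with a fake patient record at offset 4096.
# Prints the image path.
make_sample_image() {
    img=$(mktemp)
    head -c $((8 * 1024 * 1024)) /dev/zero > "$img"
    printf 'PATIENT: Jane Doe  DOB 1970-01-01  DX: sample record' |
        dd of="$img" bs=1 seek=4096 conv=notrunc 2>/dev/null
    echo "$img"
}

# Demo: create the image, wipe it, and confirm the record is gone.
demo_img=$(make_sample_image)
wipe_device "$demo_img" 1
if grep -q 'PATIENT' "$demo_img"; then
    echo "record still present after wipe" >&2
    exit 1
fi
echo "wiped and verified: $demo_img"
rm -f "$demo_img"
```

The verification step is the part most home-grown wipe scripts skip: a pass that stops early (a bad sector, a wrong count, a drive that silently remaps writes) leaves data behind while the script still reports success. Comparing the whole device against a zero stream catches that, which is why the final pass here is zeros rather than random data.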

The last area you will want to consider is printers and copiers. This does not mean standard desktop printers but the larger multifunction units that are usually leased from copier companies. These devices scan everything that is copied on them and often save copies of documents that are printed on them as well. They contain hard drives that store this data, and because we don't usually think of them as computers, they often get missed. If you are leasing a device, then when it is replaced or removed, make sure the company provides you with a certificate of destruction stating that all data on its drives has been destroyed. That document is your due diligence that the PHI on those drives is gone.

Following these guidelines will help ensure that your practice or business doesn't accidentally throw away patient records.