September 1, 2023
The TV show ‘Hoarders’ showcases the struggles of individuals who have an extreme tendency to accumulate and hold on to items, sometimes to the point of causing harm or distress. In a medical practice, holding onto Protected Health Information (PHI) that is no longer needed may not only cause harm and distress but can also lead to severe legal penalties. The Health Insurance Portability and Accountability Act (HIPAA) mandates safeguarding PHI, including its proper disposal when no longer needed. This blog post will guide medical practices on how to dispose of electronic PHI (ePHI) and physical PHI in a HIPAA-compliant manner.
Understanding ePHI and Physical PHI
ePHI refers to any PHI that is created, received, maintained, or transmitted in electronic form. This includes information stored in electronic health records (EHR), electronic billing records, digital images, and any other electronic documents containing PHI.
Physical PHI refers to any PHI that is in a physical form, such as paper records, printed images, and other tangible materials containing PHI.
The Need for Proper Disposal
Just as the individuals on ‘Hoarders’ need to declutter their living spaces to create a safer and healthier environment, medical practices need to dispose of ePHI and physical PHI that is no longer needed to create a safer and healthier environment for their patients’ information. Holding onto old and unnecessary PHI increases the risk of unauthorized access, identity theft, financial fraud, and reputational damage to the practice.
HIPAA-Compliant Disposal Methods
The HIPAA Privacy Rule requires covered entities to implement reasonable safeguards to limit incidental, and avoid prohibited, uses and disclosures of PHI, including in connection with its disposal. Additionally, the HIPAA Security Rule requires covered entities to implement policies and procedures to address the final disposition of ePHI and the hardware or electronic media on which it is stored.
ePHI Disposal Methods
- Clearing: Clearing involves overwriting electronic media with non-sensitive data. This method is appropriate for media that will be reused within the same organization.
- Purging: Just as extreme cleaning might be necessary in some cases on ‘Hoarders,’ purging involves degaussing, that is, exposing the media to a strong magnetic field, to render the data unrecoverable. This method is appropriate for media that will be reused outside the organization or disposed of.
- Destroying: Destroying involves physically destroying the electronic media, such as by shredding, crushing, or melting, so that the data cannot be reconstructed.
Physical PHI Disposal Methods
- Shredding: Just as a shredder might be used to dispose of old papers during a clean-up on ‘Hoarders,’ a cross-cut shredder can be used to cut paper PHI into tiny pieces that cannot be reconstructed.
- Burning: Sometimes, the safest way to dispose of PHI is to incinerate paper records in a controlled environment.
- Pulverizing: Pulverizing involves using a machine to turn paper PHI into a fine powder.
Proper disposal of ePHI and physical PHI is a crucial responsibility of medical practices, as HIPAA mandates. Failure to properly dispose of PHI can lead to unauthorized access, severe legal penalties, and reputational damage. Just as the individuals on ‘Hoarders’ must learn to let go of items that are no longer needed, medical practices must learn to let go of ePHI and physical PHI that is no longer needed and to do so in a HIPAA-compliant manner.
Utilizing Abyde’s comprehensive HIPAA and OSHA Compliance SaaS solutions can help medical practices navigate these complex requirements effortlessly. By implementing and following proper disposal procedures, often simplified and clarified through Abyde’s automated systems, medical practices can create a safer and healthier environment for their patients’ information.