
HIPAA Compliance in Document Destruction



May 12, 2021




HIPAA (Health Insurance Portability and Accountability Act) requires that all covered entities that have protected health information (PHI) of any kind or form protect the privacy of the PHI. This requirement includes implementing reasonable safeguards to avoid, prohibit, and/or limit incidental uses or disclosures of PHI, including during the disposal process. Covered entities are required to enact procedures and policies that address the final disposal of paper and electronic PHI and/or the electronic media/hardware used for storage so that all PHI is permanently removed and cannot be accessed for re-use.

While the HIPAA guidelines for paper document destruction do not dictate any particular device, the fact that they require that the documents cannot be accessed for re-use means that strip-cut shredders are no longer acceptable, because the paper can be reconstructed. In addition, HIPAA guidelines include the requirement for a healthcare organization and/or covered entity to provide proof of document destruction. Certification of destruction cannot be offered in the case of in-house shredding. Making use of a professional document destruction company such as Healthcare Waste Management is now considered to be an answer to the compliance issue.

Healthcare Providers are Responsible

All healthcare providers and their business associates, known as “covered entities”, are responsible for maintaining total security of all patients’ medical records and all PHI. This responsibility involves every aspect of the records, from the moment that they are generated all the way to storage and ultimate destruction. The process is called “cradle to grave” and places the responsibility completely on the shoulders of the covered entities. HIPAA guidelines for document destruction help to deter accidental or deliberate access to medical records and PHI, which could result in data breaches and identity theft.

Laws that Dictate Medical Record Retention and Destruction

All covered entities are required to know the laws involved in both medical record and PHI retention duration and destruction allowance. HIPAA requires that all medical records be retained for a period of six years from the creation date or last use, whichever comes first. There are also some state laws that dictate retention time periods; however, some of these laws set shorter retention periods than those involving HIPAA. Covered entities should create best security practices for all medical record documents and PHI, whether stored on or off site, to comply with the retention laws.

Once the medical records and/or PHI have reached end of life, it is time to enact secure document destruction procedures. Using a certified document destruction company such as Healthcare Waste Management will decrease the potential for accidental disclosure or breach.

Violations of any of the HIPAA guidelines are penalized by the Department of Health and Human Services’ Office for Civil Rights (OCR) and state attorneys. The financial penalties can be from $1,000 to $50,000 per violation, with a maximum fine of $1.5 million per year. In addition to financial penalties, covered entities are also required to create a corrective action plan that adjusts procedures and policies up to HIPAA standards. The Department of Health and Human Services is responsible for auditing all covered entities to ensure they are complying with HIPAA standards. The violation penalty structure was created to make sure that all covered entities are held accountable for protecting and securing health records and PHI, as well as for the ultimate safe destruction once end of life has occurred. Ignorance of the rules and guidelines set by HIPAA is not an acceptable excuse for violation. In the case where a covered entity has been discovered to willfully commit a HIPAA violation, the maximum fines will be applied.

In addition to HIPAA penalties, a covered entity risks lawsuits by private individuals whose PHI or medical records were breached. These can range from individual lawsuits all the way to class action lawsuits that have the potential to destroy any organization’s reputation.

Medical Records that Are Required to be Shredded

HIPAA requires that all safeguards be in place for the protection of medical records and PHI all the way to the point of disposal. HHS (Department of Health and Human Services) defines the destruction of PHI and medical records as being rendered “unreadable, indecipherable, and otherwise unable to be reconstructed.” Professional document destruction companies such as Healthcare Waste Management use high tech shredding machinery that implements “piece and tear” shredding so that no two pieces are alike, and they cannot be reassembled.

HIPAA privacy laws also define eighteen different types of medical documents and records as PHI:

HIPAA Compliant Shredding Services

Professional document destruction companies such as Healthcare Waste Management are knowledgeable in all state and federal laws regarding HIPAA compliance. A team of consultants will work with a medical organization to review their particular unique needs for on or offsite document destruction schedules and design a strategy to ensure that their documents as well as all PHI involved with business associates are protected at each step to final destruction.

A HIPAA compliant shredding company such as Healthcare Waste Management supplies lockable containers or bins to secure the documents prior to shredding, and sends in-house staff drivers in company-owned trucks to pick up the containers and transport them for complete destruction. A certificate of destruction is supplied to customers so that they have proof for any audit or legal necessity.

Healthcare Waste Management also places high priority on the environment and has partnered with organizations to recycle the destroyed paper so that it reduces everyone’s carbon footprint.

Which Covered Entities Use Medical Records/PHI Shredding?

Any covered entity that maintains medical records and/or PHI should be using professional shredding services for their documents. The healthcare industry must comply with HIPAA guidelines for document destruction and the covered entities can include but are not limited to:

Digital Document Destruction

Many healthcare organizations and business associates now keep medical records and PHI in digital formats. A multitude of device types can retain medical information, and each one must be maintained to comply with HIPAA guidelines for security and safety. EMR (electronic medical records) are held within networks, on the cloud, on laptops, USBs, fax machines and copiers, hard drives, and tablets. Whether the devices have reached end of life or are being replaced, all of the medical records data must be completely destroyed.

There are a variety of methods that are used to destroy/remove all medical records and PHI from digital sources:

What Is a Certificate of Document Destruction?

Professional document destruction companies such as Healthcare Waste Management supply customers with a “certificate of destruction” that can be used as proof of destruction for a HIPAA audit or any other legal need. The certificate of destruction is a priority document for all healthcare organizations to have and retain as part of HIPAA compliance.

A certificate of destruction is typically supplied to a healthcare organization immediately following the complete destruction/shredding of the documents that they have supplied. It should include:

Why Using a Professional Document Destruction Company is Important

The choice to use a professional and knowledgeable document destruction company is both cost effective and legally sound. In the past, healthcare organizations might have done in-house document shredding that incurred costs for employee time to do the shredding as well as constant maintenance, repairs, and replacements of the shredder machines. This labor-intensive and pricey choice also doesn’t offer any certificate of proof that is required in the case of a HIPAA audit or a legal action.

Compliance with HIPAA requirements for document destruction is a critical step in maintaining security for all medical records and PHI. Professional document destruction companies such as Healthcare Waste Management work with medical organizations to consult and examine their particular needs, make recommendations for changes to accommodate HIPAA compliance for security such as in-house locked desks and cabinets, assist in creating a strategy for document destruction, supply secure bins/containers for documents, review both on and off-site storage to assure complete security, and arrange for scheduled pick-ups for the destruction of documents. Healthcare Waste Management team members work with the healthcare organization’s representatives so that they are aware of all state and federal HIPAA guidelines for compliance of paper and electronic medical records. The final phase of service is to supply the client with a certificate of destruction that offers peace of mind for compliance for an audit or as proof during any legal situations.

Healthcare Waste Management sends drivers that are employed by the company, in company-owned trucks, for pickup so that there are only representatives of the company either on or off premises. Although HIPAA guidelines don’t recommend or endorse any particular type of shredder, Healthcare Waste Management makes use of the “piece and tear” process of document destruction, which is highly technical and renders each piece unique so that they cannot be reassembled. Every healthcare organization has different needs, and our team coordinates to adjust for flexible pick-up schedules as well as changes that may be needed. Healthcare Waste Management takes pride in assisting our customers in maintaining all HIPAA protocols for document and data device destruction. It takes serious devotion to work together with a focus on HIPAA compliance and to ensure the safety and protection of all medical records and PHI.

