Disposing ePHI

When it comes to disposing of ePHI, the HIPAA privacy and security laws are well documented on the HHS website. Disposal methods may include, but are not limited to:

  • For PHI in paper records, shredding, burning, pulping, or pulverizing the records so that PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed.
  • Maintaining labeled prescription bottles and other PHI in opaque bags in a secure area and using a disposal vendor as a business associate to pick up and shred or otherwise destroy the PHI.
  • For PHI on electronic media, clearing (using software or hardware products to overwrite media with non-sensitive data), purging (degaussing or exposing the media to a strong magnetic field in
    order to disrupt the recorded magnetic domains), or destroying the media (disintegration, pulverization, melting, incinerating, or shredding).

Other methods of disposal also may be appropriate, depending on the circumstances. Covered entities are encouraged to consider the steps that other prudent health care and health information professionals
are taking to protect patient privacy in connection with record disposal. In addition, if a covered entity is winding up a business, the covered entity may wish to consider giving patients the opportunity to pick
up their records prior to any disposition by the covered entity (and note that many states may impose requirements on covered entities to retain and make available for a limited time, as appropriate, medical
records after dissolution of a business).

Things NOT to do

  • Do not dispose of records in a dumpster (unless proper steps have been taken to render the records unreadable).
  • Do not reload or reuse computers. Instead, swap out the hard drive and completely reload. Use the steps mentioned above on the hard drive you remove.
  • Do not recycle a computer with the hard drive still in it.

Be very careful with CDs, jump drives and other forms of media that contain ePHI. Also, make sure you have a good HIPAA policy in place for disposing of ePHI, and document every time you dispose of something. Keeping a record is extremely important, and can help you meet the standard HIPAA requirements.

For more information, contact Tier3MD.
