A Comprehensive Look at On-Site Document Shredding
The Health Insurance Portability and Accountability Act (HIPAA)

The Health Insurance Portability and Accountability Act (HIPAA), enacted in 1996, includes provisions intended to safeguard the privacy of patient health records. This act has sparked numerous debates in the healthcare and information destruction industries. Although the regulations officially took effect on April 14 of this year, the final deadline for implementation is not until 2003. Hospitals, individual doctors, pharmacies, and other businesses involved in the healthcare industry are currently in the process of designing procedures that will comply with the new HIPAA rules. It is important to understand what HIPAA specifically prescribes and what it merely suggests.

The HIPAA rules apply to all protected health information, whether it is kept electronically, on paper, or communicated orally. The final rule, Standards for Privacy of Individually Identifiable Health Information, was published in December 2000. This rule implements the privacy requirements of the administrative simplification section of HIPAA. The subsection of this rule that covers safeguards contains the only language that refers specifically to paper documents that contain protected health information. The standard requires that “covered entities put in place administrative, technical, and physical safeguards to protect the privacy of protected health information.”

The rule later states that it does not “prescribe particular measures that covered entities must take to meet this standard, because the nature of the required policies and procedures will vary with the size of the covered entity and the type of activities that the covered entity undertakes.” However, the rule does suggest some procedures for information destruction within its section on safeguards. The rule states some “examples of appropriate safeguards.” One example is “requiring that documents containing protected health information be shredded prior to disposal.” Thus, although the federal rule does not specifically prescribe that protected health information on paper be shredded prior to disposal, it does cite shredding as an example of an appropriate safeguard that would meet the standard outlined in HIPAA.

Additional revisions and clarifications will still be made to HIPAA before the final date of implementation. But the language regarding the safeguarding of paper documents that contain protected health information is unlikely to change since the rule must be applicable to a variety of healthcare providers.

HIPAA does not mandate the destruction of protected health information by shredding prior to disposal, but the rule for implementation of HIPAA does suggest that shredding is an appropriate safeguard to employ in order to comply with HIPAA regulations. Following is an excerpt regarding shredding:

“…
We do not prescribe the particular measures that covered entities must
take to meet this standard, because the nature of the required policies
and procedures will vary with the size of the covered entity and the
type of activities that the covered entity undertakes. (That is, as with
other provisions of this rule, this requirement is “scalable.”) Examples
of appropriate safeguards include requiring that documents containing
protected health information be shredded prior to disposal, and
requiring that doors to medical records departments (or to file cabinets
housing such records) remain locked and limiting which personnel are
authorized to have the key or pass-code. We intend this to be a common
sense, scalable, standard. We do not require covered entities to
guarantee the safety of protected health information against all
assaults. Theft of protected health information may or may not signal a
violation of this rule, depending on the circumstances and whether the
covered entity had reasonable policies to protect against theft.”

Full text of the Standards for Privacy of Individually Identifiable Health Information is available online through the Federal Register at: http://www.access.gpo.gov/su_docs/fedreg/a001228c.html.