HIPAA (Confidential) Document Destruction

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires all healthcare facilities to manage the privacy of patient (past and present) information. Thus, document destruction is an important topic in healthcare. What types of information falls under HIPAA? The following definitions and information are taken directly from the U.S. Department of Health and Human Services page entitled Summary of the HIPAA Privacy Rule.

Protected Health Information (PHI) 

The Privacy Rule protects all individually identifiable health information held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information protected health information (PHI).

Individually identifiable health information, including demographic data, relates to:

  1. the individual’s past, present or future physical or mental health or condition,
  2. the provision of health care to the individual, or
  3. the past, present, or future payment for the provision of health care to the individual,
  4. and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.  Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security number).
This means that if you generate paperwork or electronic records with PHI, you must ensure secure and proper disposal of these materials. In other words, you cannot recycle papers with identifying patient information in your regular recycling stream, nor can these records be placed in the trash. Some healthcare facilities may choose to destroy their own records (via shredding or other means), which is generally acceptable. However, the more common method of disposal is to contract with a certified document destruction company. These companies can ensure, with manifests and a chain of custody, that the paper records you dispose of are destroyed as required by HIPAA. Though MnTAP cannot recommend any one company, an internet search of “confidential document destruction in Minnesota” will afford you the names of many companies who offer this service.

For more information on how to destroy and dispose of electronic records correctly, please visit the healthcare universal waste section of our website.