September 18, 2020

Volume X, Number 262

FAQs About Disposing of Protected Health Information

Recent guidance from the U.S. Department of Health and Human Services in the form of six frequently asked questions reminds providers to properly dispose of Protected Health Information in compliance with HIPAA. So this is a good time to review how your organization handles PHI and update your policies. If you don’t have policies in place already, you need to fix this right away. Here is the gist of what DHHS has to say. Everyone who handles PHI should know this.

  1. Disposal Methods. HIPAA does not require any particular method for disposing of PHI, but every method must be reasonably designed to keep PHI away from the public and unauthorized persons. Keep PHI securely out of sight until it is obliterated. Burn, shred or pulp paper. Overwrite, degauss or physically destroy electronic media. Make sure PHI cannot be read, recovered or reconstituted.
  2. Dumpsters. The ordinary Dumpster is not secure. However unlikely it may seem that a plastic trash bag full of PHI will spill out of the Dumpster, that is an unacceptable risk. Before PHI goes into the Dumpster, it needs to be made indecipherable. If that’s not a reasonable option, then the Dumpster needs to be locked and the disposal workers need to understand their duty to safeguard the PHI in it while they carry it to its ultimate destruction. DHHS is making a point about Dumpsters, so it must believe providers still put lots of PHI in the trash.
  3. Business Associates. A provider can contract with a business associate to dispose of PHI, under a business associate agreement that binds the contractor to safeguard the PHI until it is destroyed.
  4. Recycled Electronics. A provider can recycle electronic media and devices that once held PHI, but only if the PHI is first made inaccessible to others.
  5. Off-Site Staff. The provider's staff must be trained to handle PHI, and staff who work off-premises must be trained in the special problems that arise when carrying PHI off-site. Off-site workers may destroy PHI off-site if that is a reasonable way to handle it.
  6. Storage Times. HIPAA does not specify how long a provider has to keep PHI. That is a matter for other laws, rules and provider policies.
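The "overwrite" option in item 1 is only as good as the check that follows it. The script below is an added example, not part of the DHHS guidance or this article: it overwrites a file holding a constructed, fictional PHI record with random bytes, flushes the write to disk, confirms the original content can no longer be read from the file, and then unlinks it. The function names and the sample record are the author's own. The caveat that matters for disposal is in the docstring: overwriting a file sanitizes the logical file only, and on SSDs, copy-on-write or journaled filesystems the old blocks may survive elsewhere on the media, which is why the guidance pairs overwriting with degaussing or physical destruction of the media itself.

```python
import os
import secrets
import tempfile

# Constructed sample record (fictional data, for this example only).
SAMPLE_PHI = b"Patient: Jane Doe, DOB 1970-01-01, Dx: hypertension\n"


def make_temp_with(content: bytes) -> str:
    """Create a temporary file holding `content` and return its path."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(content)
    return path


def overwrite_and_verify(path: str, passes: int = 3) -> bool:
    """Overwrite the file at `path` in place with random bytes, verify the
    original contents cannot be read back from it, then unlink it.

    Returns True only if the verification passed.

    Caveat: this sanitizes the logical file only. On SSDs, copy-on-write or
    journaled filesystems the previous blocks may remain elsewhere on the
    media, so when the media itself is being disposed of or recycled, the
    overwrite must be done at the device level, or the device degaussed or
    physically destroyed, as the guidance says.
    """
    size = os.path.getsize(path)
    with open(path, "rb") as f:
        original = f.read()

    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            # Random data, so a later reader cannot tell wiped space
            # from encrypted data or infer the previous contents.
            f.write(secrets.token_bytes(size))
            f.flush()
            os.fsync(f.fileno())   # force the overwrite out of the page cache
        f.seek(0)
        final = f.read()

    os.unlink(path)

    # Verification: same length (nothing truncated or appended) and no
    # trace of the original bytes in what the file now holds.
    if len(final) != size:
        return False
    if original and original in final:
        return False
    # Also reject any 8-byte fragment of the original surviving in place.
    for i in range(0, max(0, len(original) - 8) + 1):
        fragment = original[i:i + 8]
        if len(fragment) == 8 and fragment in final:
            return False
    return True


def demo() -> bool:
    """End-to-end run on the constructed record; True means the file was
    overwritten, verified and removed."""
    path = make_temp_with(SAMPLE_PHI)
    ok = overwrite_and_verify(path)
    return ok and not os.path.exists(path)


if __name__ == "__main__":
    print("overwrite verified and file removed:", demo())
```

Run it as a script to see the result on the sample record. For a real disposal job the same verify-then-unlink step should be logged per file, and the result of the file-level check should never be treated as evidence that the underlying drive is clean.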

For the full text of "Frequently Asked Questions About the Disposal of Protected Health Information," see enforcement/examples/disposalfaqs.pdf.

© 2009 Poyner Spruill LLP. All rights reserved. National Law Review, Volume , Number 224


About this Author

Steven Mansfield Shaber, Poyner Spruill Law Firm, Health Law Attorney

Steve has spent his entire career in health law -- first with the North Carolina Attorney General's Office and, since 1985, in private practice. His clients range from large hospitals to sole practitioners. Most of his work focuses on Medicare and Medicaid fraud & abuse, false claims, hospital medical staff matters, and professional licensing board cases. His cases have involved patient deaths, million-dollar claims for recoupment, and other urgent matters. Steve has also helped providers with a number of innovative business transactions. He speaks frequently to various...