FAQs About Disposing of Protected Health Information
Wednesday, August 12, 2009
Print Mail Download i

Recent guidance from the U.S. Department of Health and Human Services in the form of six frequently asked questions reminds providers to properly dispose of Protected Health Information in compliance with HIPAA. So this is a good time to review how your organization handles PHI and update your policies. If you don’t have policies in place already, you need to fix this right away. Here is the gist of what DHHS has to say. Everyone who handles PHI should know this.

  1. Disposal Methods. HIPAA does not require any particular method for disposing of PHI, but every method must be reasonably designed to keep PHI away from the public and unauthorized persons. Keep PHI securely out of sight until is it obliterated. Burn, shred or pulp paper. Overwrite, degauss or physically destroy electronic media. Make sure PHI cannot be read, recovered or reconstituted.
  2. Dumpsters. The ordinary Dumpster is not secure. However unlikely it may seem that a plastic trash bag full of PHI will spill out of the Dumpster, that is an unacceptable risk. Before PHI goes into the Dumpster, it needs to be made indecipherable. If that’s not a reasonable option, then the Dumpster needs to be locked and the disposal workers need to understand their duty to safeguard the PHI in it while they carry it to its ultimate destruction. DHHS is making a point about Dumpsters, so it must believe providers still put lots of PHI in the trash.
  3. Business Associates. A provider can contract with a business associate to dispose of PHI.
  4. Recycled Electronics. A provider can recycle electronic media and devices that once held PHI, but only if the PHI is first made inaccessible to others.
  5. Off-Site Staff. The provider’s staff must be trained to handle PHI, and staff who work off-premises must be trained in the special problems that arise when carrying PHI off-site. Off-site workers may destroy PHI off-site if that is a reasonable way to handle it. 
  6. Storage Times. HIPAA does not specify how long a provider has to keep PHI. That is a matter for other laws, rules and provider policies.  

For the full text of "Frequently Asked Questions About the Disposal of Protected Health Information," see www.hhs.gov/ocr/privacy/hipaa/ enforcement/examples/disposalfaqs.pdf.

© 2009 Poyner Spruill LLP. All rights reserved.
© 2009 Poyner Spruill LLP. All rights reserved.

Current Legal Analysis

More from Poyner Spruill LLP

Administrative Check-Up on Participant Plan Loans
by: Employment Law
Cybersecurity Threats: What Retirement Plan Sponsors and Fiduciaries Need to Know – and Do
by: Employment Law
Substantial Risk of Forfeiture: What Non-Profit and Governmental Employers Need to Know About IRS Guidance on Section 457 - Part 2
by: Employment Law , Kelsey H. Mayo
Deferred Compensation: What Non-Profit and Governmental Employers Need to Know About IRS Guidance on Section 457 - Part 1
by: Employment Law
NLRB Continues to Target Employers’ Social Media Policies
by: Employment Law
Hospice Providers – Step Up to the “MIC”
by: Iain M Stauffer
Final CMS Rule on the Reporting and Returning of Medicare Overpayments is a Wake-Up Call for Physicians
by: Wilson Hayman
Don't Be a Target -- Retirement Plan Fees and Expenses
by: Employment Law
EEOC Files First Two Lawsuits Challenging Sexual Orientation Discrimination
by: Employment Law
One Year Later: Avoiding Unfavorable Risk Weighting of Acquisition, Development, and Construction Loans for Commercial Real Estate Projects
by: Christopher S. Dwight

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins