The HIPAA Privacy Rule requires that covered entities apply appropriate administrative, technical and physical safeguards to protect the privacy of Protected Health Information (PHI) in any form. This means that covered entities must implement reasonable safeguards to limit incidental uses and disclosures of PHI and to avoid prohibited ones. This includes the disposal of such information. In addition, the HIPAA Security Rule requires that covered entities implement policies and procedures to address the final disposition of electronic PHI and/or the hardware or electronic media on which it is stored. It also requires procedures to be in place for removal of PHI from electronic media before the media are made available for re-use. Failing to implement reasonable safeguards to protect PHI in connection with disposal could result in impermissible disclosures of PHI.
Covered entities must ensure that their workforce members receive training regarding proper disposal policies and procedures. Any workforce member involved in disposing of PHI, or who supervises others who dispose of PHI, must receive training on disposal. This includes any volunteers.
In general, examples of proper disposal methods may include, but are not limited to: