What do the HIPAA Privacy and Security Rules require of covered entities when they dispose of protected health information?
The HIPAA Privacy Rule requires that covered entities apply appropriate administrative, technical and physical safeguards to protect the privacy of Protected Health Information (PHI) in any form. This means that covered entities must implement reasonable safeguards to limit incidental, and avoid prohibited, uses and disclosures of PHI. This includes the disposal of such information. In addition, the HIPAA Security Rule requires that covered entities implement policies and procedures to address the final disposition of electronic PHI and/or the hardware or electronic media on which it is stored. This also requires procedures to be in place for removal of PHI from electronic media before the media are made available for re-use. Failing to carry out reasonable safeguards to protect PHI in connection with disposal could result in impermissible disclosures of PHI.
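The Security Rule point about removing PHI from electronic media before re-use is a procedure, not just a policy statement, and the part most often skipped in practice is the verification step. The script below is an added example, not text from the HHS guidance: it builds a small file-backed image (a stand-in for a disk or removable medium) containing a constructed, placeholder PHI record, overwrites the whole image with random data and then zeros, and then checks that the record is gone and that no non-zero bytes remain. The image path, the marker string and the function names are all assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the HIPAA guidance): overwrite-then-verify for a
# file-backed media image before the medium is released for re-use.
set -eu

# Constructed placeholder record; no real patient data.
MARKER='MRN 000-TEST-PLACEHOLDER'

# Create a 64 KiB image of zeros and plant the placeholder record inside it,
# simulating a medium that still holds PHI.
make_sample_image() {
  img="$1"
  dd if=/dev/zero of="$img" bs=1024 count=64 2>/dev/null
  printf 'PATIENT: Jane Doe %s\n' "$MARKER" |
    dd of="$img" bs=1 seek=4096 conv=notrunc 2>/dev/null
}

# Return 0 if the placeholder record can still be read from the image.
# NUL bytes are stripped first so grep treats the stream as text.
contains_marker() {
  tr -d '\000' < "$1" | grep -q "$MARKER"
}

# Overwrite the entire image in place: one pass of random data, then one
# pass of zeros. conv=notrunc keeps the image the same size.
sanitize_image() {
  img="$1"
  blocks=$(( $(wc -c < "$img") / 1024 ))
  dd if=/dev/urandom of="$img" bs=1024 count="$blocks" conv=notrunc 2>/dev/null
  dd if=/dev/zero    of="$img" bs=1024 count="$blocks" conv=notrunc 2>/dev/null
}

# Verification: after the zero pass every byte must be NUL. tr -d removes
# NULs, so any byte left over is residual data and the check fails.
is_all_zero() {
  [ "$(tr -d '\000' < "$1" | wc -c)" -eq 0 ]
}

# Stand-alone run: build, sanitize, verify, and report.
if [ "${1:-}" = "--demo" ]; then
  img=$(mktemp)
  make_sample_image "$img"
  contains_marker "$img" && echo "before: PHI present"
  sanitize_image "$img"
  if ! contains_marker "$img" && is_all_zero "$img"; then
    echo "after: image verified clean, safe to release for re-use"
  else
    echo "after: residual data found, do NOT release" >&2
    rm -f "$img"; exit 1
  fi
  rm -f "$img"
fi
```

Run it with `sh sanitize.sh --demo`. The verification step is the part worth keeping in a real procedure: the disposal record should show that the medium was read back and checked, not only that an overwrite was started. Note that overwriting reaches every addressable block of a file or a magnetic disk, but on flash media (SSDs, USB sticks) wear-levelling can leave old copies of data in blocks the host cannot address, so those media need the device's own secure-erase command or physical destruction rather than an overwrite pass.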
Covered entities must ensure that their workforce members receive training regarding proper disposal policies and procedures. Any workforce member involved in disposing of PHI, or who supervises others who dispose of PHI, must receive training on disposal. This includes any volunteers.
In general, examples of proper disposal methods may include, but are not limited to:
- For PHI in paper records: shredding, burning, pulping or pulverizing the records so that PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed.
- Maintaining labeled prescription bottles and other PHI in opaque bags in a secure area and using a disposal vendor to pick up and shred or otherwise destroy the PHI.