We have all heard about HIPAA, the Health Insurance Portability and Accountability Act. But do you know what it says about the destruction of Protected Health Information (PHI)? Whether you’re a compliance officer for a large area hospital or the owner of a small medical practice, ensuring full compliance with HIPAA must be a top priority. Failure to do so could result in devastating fines and costly liability.
UV&S is committed to helping all business comply with requirements regarding the proper disposal of PHI. We stay up to date on the changes and renew our NAID certification.
Privacy Rule and Security Rule
The HIPPA Privacy Rule stipulates that covered entities must apply ‘appropriate administrative, technical and physical safeguards to protect the privacy of protected health information in any form’. It also says PHI should be destroyed in a manner so it cannot be reconstructed. The HIPPA Security Rule applies to electronic PHI. It requires policies and procedures to be implemented that define what happens to electronic PHI. The policies must also cover what happens to the hardware data is stored on. The Privacy and Security Rules do not require a particular method of disposal for either type of information. However you must take reasonable steps to ensure the data cannot be accessed.
One of the accepted methods of disposal is shredding. You can shred in house or outsource. UV&S provides both mobile and offsite document destruction. We also shred non-paper media and Hard-Drives and recycle E-waste. Our destruction services are NAID certified. Companies using a certified vendor can show they have done their due diligence to find a service provider that has high security standards.
The Latest Updates to HIPAA Affect You
In 2013, changes to HIPAA went into effect. Now, the law requires your institution, practice or business to:
- Complete a risk analysis to pinpoint any risks to the security of paper documents and electronic data that is classified as PHI
- Develop policies that outline what steps will be taken if PHI is compromised due to theft, loss or breach of confidentiality and review these policies on a regular basis
- Ensure that employees are trained on all of your policies and procedures regarding PHI
- Work with vendors and partners that have access to patient PHI to guarantee that the information is safeguarded by them while in their possession
American Health Information Management Association
The American Health Information Management Association (AHIMA) also suggests that health care providers document the destruction of information. We provide an Agreement of Service that documents the method of destruction and a Certificate of Destruction once the material is destroyed. Check out the AHIMA article “Retention and Destruction of Health Information” for more information on their suggestions.
Compliance Made Easy
Our shred agreement also helps with compliance. It spells out safeguards against breaches, indemnification for the organization, provides for loss due to unauthorized disclosure, and requires the business associate to maintain liability insurance at all times. Not only will our services save you time, lower your compliance costs and boost employee productivity, but we’ll also provide you with proof that you took steps to protect PHI in accordance with HIPAA.
You should review your policies to see if UV&S can help with your storage or destruction needs.