Technology has changed the way we handle health information. What used to include piles of paperwork is now being digitally produced and stored. Personal health information (PHI) includes medical histories, lab tests and results, mental health evaluations, insurance information, and other data a medical professional deems vital to identify and keep on file for appropriate care.
As medical facilities continue to digitize their records, the obvious question is: What do you do with the stacks of paperwork in the back room?
When you dispose of files, according to HIPAA regulations the paperwork should be rendered indecipherable. If not, you could be fined. Yet that hasn’t stopped many practices from dumping them in insecure ways.
You can’t just bring a box of files to a recycling center and consider your job done. Yet it’s done from time to time.
While HIPAA might not specify precisely how to dispose of sensitive medical records, it does state that you aren’t permitted to dispose of them in dumpsters or containers accessible to the public or unauthorized users. You have to take care to ensure that anything with patient information on it, including demographics or personal medical information, can never be accessed by unauthorized personnel.
That’s why you need a plan.
Create a Destruction Plan
Document destruction isn’t as easy as grabbing a file and sending it through a shredder underneath your desk. It’s an ongoing process. Even if you no longer have a cabinet filled with records somewhere in your office, there will always be sensitive paperwork that needs proper destruction. Your plan should specify what should be stored and what should be destroyed. It may also provide ways for technology, such as flash cards and hard drives, to be destroyed. You should also review the plan on an annual basis, as rules and regulations are continually changing.
Have a Records Manager
Document destruction can become a messy project if someone isn’t in control of the process. By establishing a project manager, you’ll have someone who knows the system well. They can be relied on to evaluate volume and to judge when the destruction process needs tweaking. They will also be well versed in how to dispose of all documentation (paper, microfiche, hard drives, etc.) and do so in regulated ways.
Your project manager should be well versed in HIPAA regulations, and also follow up with the state to ensure they meet all federal, state, and local requirements. For example, each state has different rules about retention times for documentation. Be sure this person is properly trained and up to date at all times.
Schedule the Process
Once you know what to shred, be sure the process is handled with care. Hire a company that follows proper procedures to meet HIPAA guidelines. Make sure the project manager is available and present during the procedure. In most cases, the shredding company will come to your office. This ensures the documentation is properly destroyed; most companies will provide a certificate of destruction detailing the process.
What To Do In The Event of a Violation
While it’s important to ensure every precaution is taken during the process, it’s equally important to have a plan in place if something goes wrong. A HIPAA violation is considered both a civil and criminal offense. How will you react if a breach occurs? The more you know about the process up front, the less likely a violation is to occur.
What’s your disposal plan for your personal health information?
For IT Strategy, Cloud Conversion, or Help Desk Services reach out to us at Silver Linings Technology 360-450-4759.