The Health Insurance Portability and Accountability Act of 1996 aims to keep medical records and other personal health information secure — especially in this age of rapid technological development. Also known as HIPAA, this groundbreaking legislation has dramatically streamlined the transition from paper-based to electronic records while also improving the efficiency of a variety of other health care administrative functions.
In addition to governing the use of electronic records, HIPAA provides clear direction for organizations looking to dispose of protected health information. Without proper disposal, health care organizations risk accidentally disclosing the personal information they are charged with keeping safe and secure. Personal information cannot simply be tossed in dumpsters or other easily accessible locations. Full compliance relies on proper disposal, including, when necessary, HIPAA shredding.
The strict standards associated with HIPAA are largely outlined in the Privacy Rule, which mandates a variety of safeguards. These cover not only the creation and transfer of sensitive records, but also their ultimate destruction.
Multiple methods can be employed to ensure that records protected by HIPAA are properly discarded without compromising patient security. Shredding is a top option that should be applied to documents that include personally identifiable information such as:
- Social Security Numbers
- Phone numbers
- Email addresses
- Biometric identifiers
- License plate numbers and other vehicle identifiers
- Health plan beneficiary numbers
The Department of Health and Human Services refers to documents as properly shredded only when they have been rendered "unreadable, indecipherable, and otherwise unable to be reconstructed." Once records have been fully destroyed, a HIPAA Certificate of Destruction can be granted.
Beyond providing guidance for the physical component of document destruction, HIPAA also requires health care organizations to retain medical records for a full six years following the date of their creation or the date on which they were last effective. State laws provide further guidance as to how long and under which conditions medical records should be retained.
HIPAA Security Rule
The Security Rule forms a key component of HIPAA. It aims to strike an ideal balance between allowing health care organizations to adopt new technologies and maintaining the full security of potentially vulnerable patient records. This rule applies to any health plans and health care providers that electronically transmit health care information.
Specifically, the HIPAA Security Rule applies to "electronic protected health information," which includes any health care information that is individually identifiable and that has been created, maintained, received, or transmitted in electronic form.
Under the HIPAA Security Rule, health care organizations must implement a variety of measures to protect relevant information. These may include:
- Designating officials responsible for implementing security protocols
- Identifying current risks related to electronic health information
- Properly training and supervising employees charged with handling sensitive information
- Implementing policies regarding the proper use and transfer of electronic media
Contact South Bay Document Destruction
The complications of health care security legislation create a whole host of problems for medical organizations, which may struggle to maintain full compliance with HIPAA shredding and other provisions. The consequences for committing a HIPAA violation can be harsh; today's health care organizations cannot afford to risk such penalties for the sake of convenience. The experts at South Bay Document Destruction can help. Contact us at your earliest convenience to learn more about our HIPAA-compliant shredding services.