Protected Health Information (PHI) is any data that contains a patient’s name or could be combined with other information to determine the patient’s identity. It is your responsibility to ensure that PHI is not open to theft or even simple exposure, by following the guidelines set forth by the Health Insurance Portability and Accountability Act (HIPAA) in the HIPAA Privacy Rule.
HIPAA defines PHI as information, including demographic data, that relates to:
- The individual’s past, present or future physical or mental health or condition
- The provision of health care to the individual
- The past, present, or future payment for the provision of health care to the individual
HIPAA mandates that unused media containing PHI be adequately destroyed. It cannot simply be disposed of in a public receptacle. You will need to identify all of the individual types of media on which PHI is stored in your medical office, since each type will most likely have its own policies and procedures to follow for compliant destruction.
Here are the three main types of PHI that should be destroyed:
1. Paper Documents
While electronic storage is used for many records, paper items may include clinical notes, summaries, medical reports, billing forms, and diagnostic test results. Also included in this category are labels and file folders, including labels on prescription bottles. Hard copy destruction may include (but is not limited to) shredding, burning, or pulverizing. According to the Department of Health and Human Services (HHS), “shredding, burning, pulping, or pulverizing the records so that PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed” is an example of a proper disposal method.
2. Electronic PHI
Electronic PHI (ePHI) is any protected health information that is created, stored, transmitted, or received electronically. There are two basic types of ePHI: data that is being stored and data that is being transmitted. The HIPAA Security Rule, which protects health information that is held or transferred in electronic form, covers these technologies for stored data:
- Media containing stored data
- Computers with internal hard drives
- External portable hard drives
- Removable storage devices (such as CDs, DVDs, floppy disks, and USB memory sticks)
- Magnetic tape
- Smartphones and PDAs
When disposing of electronic media that contains ePHI, you should make sure that it is unusable and/or inaccessible. HHS says that appropriate methods for electronic digital media destruction include “disintegrating, pulverizing, melting, incinerating, or shredding the media.” Overwriting the media with software or hardware products (clearing) or exposing the media to a strong magnetic field to fully erase the data (degaussing) are also acceptable disposal methods.
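The clearing method described above (overwriting stored data and then confirming it is gone) can be illustrated at the file level. The following Python script is an added example written for this page, not a tool from HHS or any named vendor: it writes a constructed, fictitious patient record to a temporary file, overwrites every byte with random data and then zeros, and reads the file back to verify that none of the identifying strings survive. The record contents, the `SAMPLE_RECORD` and `IDENTIFIERS` names and the pass count are all assumptions made for the demonstration.

```python
import os
import secrets
import tempfile

# Constructed, fictitious record standing in for ePHI on a storage medium.
# Repeated so the file spans several filesystem blocks.
SAMPLE_RECORD = (
    b"MRN: 000123456\n"
    b"Name: Example Patient\n"
    b"Diagnosis: example condition\n"
) * 64

# Identifying strings whose absence after clearing we will verify.
IDENTIFIERS = [b"000123456", b"Example Patient"]


def _fill(fh, size, chunk_source, block_size):
    """Overwrite `size` bytes from the start of the open file using chunk_source(n)."""
    fh.seek(0)
    remaining = size
    while remaining > 0:
        chunk = min(block_size, remaining)
        fh.write(chunk_source(chunk))
        remaining -= chunk
    fh.flush()
    os.fsync(fh.fileno())  # push the overwrite through the OS cache to the device


def overwrite_file(path, passes=1, block_size=4096):
    """Overwrite the file in place: `passes` random passes, then a final zero pass.

    Returns the number of bytes overwritten per pass.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for _ in range(passes):
            _fill(fh, size, secrets.token_bytes, block_size)
        _fill(fh, size, lambda n: b"\x00" * n, block_size)
    return size


def verify_cleared(path, identifiers):
    """Read the file back and report which identifiers survive and whether it is all zeros."""
    with open(path, "rb") as fh:
        data = fh.read()
    return {
        "leaked": [ident for ident in identifiers if ident in data],
        "all_zero": data == b"\x00" * len(data),
        "size": len(data),
    }


def clear_and_verify(passes=1):
    """Write the constructed record to a temp file, clear it, verify, and delete the file."""
    fd, path = tempfile.mkstemp(prefix="ephi-demo-")
    os.close(fd)
    try:
        with open(path, "wb") as fh:
            fh.write(SAMPLE_RECORD)
        before = verify_cleared(path, IDENTIFIERS)   # identifiers present before clearing
        written = overwrite_file(path, passes=passes)
        after = verify_cleared(path, IDENTIFIERS)    # must be empty / all zeros afterwards
        return {
            "before_leaked": len(before["leaked"]),
            "bytes_overwritten": written,
            "after": after,
        }
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(clear_and_verify(passes=2))
```

The read-back step is the part worth copying: a clearing procedure is only complete once someone has verified the data is actually gone. Note the limits of file-level overwriting, which is why HHS also lists physical destruction: copies may remain in filesystem journals, backups, snapshots or the spare cells of wear-levelled flash media, so sanitizing a whole drive calls for a device-level tool or physical destruction rather than overwriting individual files.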
It’s important to remember that a digital copier is basically a computer with an internal hard drive. The copier’s hard drive stores data about the documents it prints, scans, faxes, or emails.
3. X-ray Film
Both medical x-ray films and MRI films contain confidential information. In general, proper disposal methods include shredding, burning, pulping or pulverizing the records so that PHI is rendered unreadable and cannot be reconstructed. (It’s also important to remember that the x-ray jackets also contain PHI that must be properly destroyed.)
These are three types of PHI that your medical office should make sure are destroyed in order to maintain patient confidentiality. Remember that your medical office is responsible for all PHI it generates or comes in contact with, even once that data has been sent for disposal. If documents or data files are not properly destroyed, your office is liable for violations and penalties. It’s important to use a trusted partner if you use an outside source to dispose of documents or other media containing PHI, and to make sure that they sign a Business Associate Agreement.