Secure Document Shredding: How to Be HIPAA Compliant

Data security is an important area of concern for medical practices, and protecting your sensitive records is required by law. The Health Insurance Portability and Accountability Act (HIPAA) sets out requirements for protecting Protected Health Information (PHI) in the HIPAA Privacy Rule. PHI is individually identifiable health information, including demographic data, that relates to a patient's health condition, the care provided, or payment for that care, and that identifies the patient or could reasonably be used to identify the patient. Medical histories, test results, insurance information: all individually identifiable health information is included.

Medical records and other sensitive health information cannot simply be thrown into garbage containers. Compliant document shredding is part of the process that ensures PHI is not exposed to theft or even accidental disclosure.

Let’s take a look at what it takes to make sure your document shredding is HIPAA compliant.

What is a document destruction program?

Your medical facility should have a policy and procedures established to destroy records and confidential documents that are beyond their retention period. A destruction program should document your policy and procedures as well as the destruction schedule.

Documentation should demonstrate appropriate retention of records based on state and federal regulations. Records should be destroyed in the normal course of business as they reach the end of their retention period, and at least annually. The destruction process should be documented and should cover medical records as well as other types of documents. These destruction logs should be maintained permanently, along with the certificate of destruction for each batch.

If you use a document destruction service, they should supply this certificate, including a list of the items destroyed, the date of destruction, and the method of destruction. This is your proof that the shredding was HIPAA compliant.

Note: Even if the individual items destroyed are not itemized on the certificate of destruction, you are still responsible for maintaining an audit trail and must make sure the items can be linked to that certificate. Filing the certificate together with the corresponding destruction log entry is one option.

When Should Medical Records and Documents Be Destroyed?

There are mandatory retention laws for documents that require medical records to be kept for a period of time. Each state has its own state medical record laws governing retention; however, ten years from the last professional contact with the patient is a good rule of thumb.

HIPAA requires that its own compliance documentation (policies, procedures, and the records of actions and assessments required by the rules) be retained for six years from the date it was created or the date it was last in effect, whichever is later. This requirement applies only to HIPAA-related documentation; HIPAA itself does not set a retention period for medical records.

Note: Where state law sets a shorter retention period for HIPAA-related documentation, HIPAA's six-year period supersedes the state law. If your state law requires a longer retention period, the longer state requirement governs. In practice, keep each document for the longer of the two periods.

The most common types of medical practice documents that are subject to HIPAA retention requirements include:

  • PHI disclosure authorizations
  • Notices of privacy practices
  • Business associate agreements
  • Information security and privacy policies and procedures
  • Risk assessments and other compliance documentation
  • Logs recording access to PHI
  • Incident and breach notification documentation

Once the required retention period has passed, the documents and medical records your practice had to keep no longer serve a purpose and should be securely shredded. Keeping documents and medical records you no longer need only increases the likelihood of an accidental disclosure or a data breach, because every retained page is one more item that can be lost, mishandled or stolen.

What Medical Records and Documents Should Be Shredded?

PHI consists of any health information that contains a patient's name or that could be combined with other information to determine the patient's identity. While many records are stored electronically, paper items containing PHI may include the following:

  • clinical notes
  • summaries
  • medical reports
  • billing forms
  • diagnostic test results

Labels and file folders fall into this category as well, as do labels on prescription bottles, appointment reminders, sign-in sheets and anything else that pairs a patient's identity with health or billing information.

The HIPAA Privacy Rule lists the following identifiers (the "Safe Harbor" list) that, when present on a medical record or document, make it individually identifiable and therefore PHI. A document that carries any one of them alongside health, treatment or payment information must be handled and destroyed as PHI:

  • Names
  • Geographic subdivisions smaller than a state (street address, city, county, ZIP code)
  • Dates (except year) directly related to an individual, such as birth, admission, discharge or death dates, and ages over 89
  • Telephone numbers
  • Fax numbers
  • Email addresses
  • Social security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers, including license plates
  • Device identifiers and serial numbers
  • URLs
  • IP addresses
  • Biometric identifiers, including finger and voice prints
  • Full-face photographs and comparable images
  • Any other unique identifying number, characteristic or code

How Should Records and Documents Be Stored?

All documents containing patient health information should be kept in a secure location in your practice at all times. Paper documents should be locked in a filing cabinet, desk or office, with access limited to staff who need it. Documents awaiting destruction should be stored in locked collection containers; pay attention both to the quality of the lock and to where the container is placed, since a locked console in a public hallway is still a target. Your document destruction company can provide secure storage options, including locking document cabinets and storage carts.

What Types of Document Shredding are HIPAA Compliant?

If your own staff is responsible for document destruction, be aware that cross-cut shredders are considerably more secure than strip-cut machines: strips from a strip-cut shredder can be reassembled, while cross-cut particles are far harder to reconstruct. HHS guidance is that paper PHI be shredded, burned, pulped or pulverized so that it is rendered unreadable and cannot be reconstructed. Your health information management staff should oversee any shredding done at your facility. Document destruction companies may offer on-site services, where a truck with an industrial shredder comes to your facility and destroys your documents while you can witness it. Some companies transport documents off-site for destruction; in that case the chain of custody from pickup to destruction should be fully documented, including proof of destruction. Note: Some states require notification prior to destruction of health records and may also require that you use only approved document destruction companies.

Your office is responsible for all PHI that you generate or come in contact with, even after that material has been handed off for disposal. If documents are not properly destroyed, your office is liable for the resulting violations and penalties. Shredding documents as set out in HIPAA guidance helps you stay compliant and maintain patient confidentiality. TriHaz Solutions offers secure, compliant document shredding services for your medical office that combine with our waste services for a one-stop solution.
