Entities covered under the HIPAA Privacy Rules face very high penalties for failing to properly handle protected health information (PHI), as one Indiana non-profit health care system learned to the tune of $800,000. If you handle PHI, there is a good chance the privacy rules apply to you, and you must ensure your staff follows the rules.

 

The Parkview Example

Parkview Health System, Inc., an Indiana non-profit health care system, recently agreed to pay an $800,000 settlement and to adopt a corrective action plan to address deficiencies in its policies.

Parkview’s staff took custody of the medical records of about 5,000 to 8,000 individuals while assisting a retiring physician in transitioning her practice. Unfortunately, the staff left 71 boxes containing these records outside the physician’s home, knowing that she was not at home. The boxes were left within 20 feet of a public road and near a public shopping center.

As a result of this improper disposal of health records, the privacy of those records was compromised and Parkview faced an investigation and eventual settlement with HHS.

 

Disposal Policies

The HIPAA Privacy Rules require covered entities to maintain policies that “limit incidental, and avoid prohibited, uses and disclosures of PHI, including in connection with the disposal of such information.” Covered entities must also give their staff adequate training so that they can follow those policies. The exact language and scope of your policies may go beyond the points here, but below are a couple of quick tips you should consider.

Rather than simply disposing of PHI in a dumpster or other trash receptacle, you should consider shredding, burning, or other services that render the records unreadable. For digital records, you should consider professional services that have the capability to entirely erase and replace the digital information, and also consider physically destroying the media through safe burning or shredding.

You can perform these actions yourself, but many times you will be better served by using the services of a professional. Remember, however, that using a third party requires additional protections, including executing a business associate agreement with those vendors to ensure the privacy of the PHI is maintained.

If you need a new policy regarding disposing PHI or if you simply want your policy reviewed, be sure to contact one of our health care attorneys.


Further Reading: HHS Frequently Asked Questions

*This article is very general in nature and does not constitute legal advice. Readers with legal questions should consult with an attorney prior to making any legal decisions.