PHI, or “Protected Health Information”, is the personal health information used to identify an individual. Often, this data is demographic in nature, and reveals facts that relate to the individual’s mental or physical health, as well as their provision of health care, how they pay for that health care, and a variety of general identifiers including the person’s:
Date of Birth
Address of Residence
Social Security Number
As sensitive information, all PHI must be handled in compliance with the Health Insurance Portability and Accountability Act (HIPAA) standards. Under HIPAA, all covered entities are required to dispose of PHI properly and securely, with proper proof of shredding. A reliable method that most organizations use to do this is to hire a shredding company that will destroy all of the PHI off site in a manner consistent with the HIPAA security and privacy rules. The following are just some of the things that you should expect when hiring a shredding company to destroy PHI on your behalf.
1. All Sensitive Records Will Be Reliably Destroyed
Hiring a skilled and qualified service to destroy your discarded PHI is a great solution for many companies looking to eliminate a significant portion of their risk while lowering internal costs. It’s no surprise that using a qualified PHI destruction service has become the most popular method of disposing of PHI.
Paying for a qualified service to conduct the destruction on your behalf allows your office to obtain a valid record of compliance, or proof of shredding. Even if you’re sure that your employees always shred every document that they should, it’s important to have proof that this happens regularly. Your chosen company must be capable of destroying the following types of media:
Smart Phones, CDs, Thumb Drives
Computers – simply pressing delete does not erase data from a computer system
Stored records – records that have been electronically converted or exist beyond their retention period
Paper Records – any paper documents, messages, notes, memos and forms
2. The Destroyed PHI Will Be Completely Indecipherable
To comply with the rules of HIPAA, all destroyed PHI must be completely indecipherable, or “essentially unreadable”. What’s more, even if the destroyed PHI cannot be reconstituted, this does not mean that it can simply be deposited into any garbage can, recycling bin or dumpster used for general waste that might be accessible to unauthorized persons or the public.
When you hire a company to dispose of your PHI for you, you enter into an agreement or contract that ensures the PHI will be safeguarded carefully throughout the disposal process. This ensures that your PHI will be carefully retrieved, burned, shredded or pulped and removed according to the requirements of the law.
3. You Will Receive A Certificate of Destruction
A proof of shredding receipt gives you and your company the HIPAA compliance documentation essential to the audit trail. Not only will you have a reliable destruction program in place, but you will also have the documentation required to back yourself up – and for a lower cost than would be required to destroy data yourself.
Most businesses today know that HIPAA compliance is crucial, and to demonstrate your compliance, your paper trail must establish the following:
You have been destroying sensitive materials with a registered destruction company on a regular basis
Proper care was put into choosing your specialist and qualified destruction vendor
Your employees have been trained to understand their own destruction responsibilities
Safeguarding Your Company
The HIPAA Privacy Rule requires that all covered entities apply the appropriate technical, physical, and administrative safeguards needed to protect PHI in any form. This means that no covered entity may dispose of PHI without due caution and specialist care. Though the security and privacy rules do not require that companies use a specific method of disposal, covered entities must determine steps that are reasonable in safeguarding PHI and implement policies to carry out those steps.
How do you feel about using a professional company to destroy PHI on your behalf? Do you think that accessing specialist shredders may be a safer, cheaper, and all-around more secure option of dealing with sensitive data?