Book:HIPAA Compliance: An Introduction/Additional compliance guidance

From LIMSWiki
Jump to navigationJump to search

Additional compliance guidance

Disposal of PHI

Paper shredder news.jpg

In the previous section, we learned that HIPAA requires covered entities to apply appropriate administrative, technical and physical safeguards to protect the privacy of PHI in any form. This means that covered entities must implement reasonable safeguards to limit incidental and avoid prohibited uses and disclosures of PHI, including in connection with its disposal.[1]

In addition, the HIPAA Security Rule requires that covered entities implement policies and procedures to[1]:

  • address the final disposition of electronic PHI and/or the hardware or electronic media on which it is stored; and
  • implement procedures for removal of electronic PHI from electronic media before the media are made available for re-use, per 45 CFR 164.310(d)(2)(i) and (ii).

Failing to implement reasonable safeguards to protect PHI in connection with disposal could result in impermissible disclosures of PHI, which exposes the risk of fines and other sanctions.

Additionally, workforce members must receive training on and follow those disposal policies and procedures, as necessary and appropriate for each workforce member, per 45 CFR 164.306(a)(4), 164.308(a)(5), and 164.530(b) and (i). Therefore, any workforce member involved in disposing of PHI, or who supervises others who dispose of PHI, must receive training on disposal. This includes any volunteers.[1]

These requirements are not met if covered entities simply abandon PHI or dispose of it in dumpsters or other containers that are accessible by the public or other unauthorized persons. However, the Privacy and Security Rules do not require a particular disposal method. Covered entities must review their own circumstances to determine what steps are reasonable to safeguard PHI through disposal, and develop and implement policies and procedures to carry out those steps. In determining what is reasonable, covered entities should assess potential risks to patient privacy, as well as consider such issues as the form, type and amount of PHI to be disposed. For instance, the disposal of certain types of PHI such as name, social security number, driver’s license number, debit or credit card number, diagnosis, treatment information or other sensitive information may warrant more care due to the risk that inappropriate access to this information may result in identity theft, employment or other discrimination, or harm to an individual’s reputation.[1]

In general, examples of proper disposal methods may include, but are not limited to[1]:

  • shredding, burning, pulping or pulverizing PHI on paper records so that PHI is rendered essentially unreadable, indecipherable and otherwise cannot be reconstructed
  • clearing (using software or hardware products to overwrite media with non-sensitive data), purging (degaussing or exposing the media to a strong magnetic field in order to disrupt the recorded magnetic domains), or destroying (disintegration, pulverization, melting, incinerating, or shredding) PHI on electronic media
  • maintaining labeled prescription bottles and other PHI in opaque bags in a secure area and using a disposal vendor as a business associate to pick up and shred or otherwise destroy the PHI

For more information on proper disposal of e-PHI, see the HHS HIPAA Security Series 3 Security Standards: Physical Safeguards. Additionally, for practical information on how to handle sanitization of PHI throughout the information lifecycle, you can consult NIST SP 800-88 Rev. 1, Guidelines for Media Sanitization.

Other methods of disposal also may be appropriate, depending on the circumstances. Covered entities are encouraged to consider the steps that other prudent healthcare and health information professionals are taking to protect patient privacy in connection with record disposal. Resources like LIMSforum provide useful information and experience exchange. In addition, if a covered entity is closing a business, it may wish to consider giving patients the opportunity to pick up their records prior to any disposition (however, keep in mind that many states may impose requirements on covered entities to retain and make available for a limited time, as appropriate, medical records after dissolution of a business).[1]

Enforcement and penalties

As discussed in the prior section, the OCR may impose a penalty on a covered entity for a failure to comply with a requirement of the Privacy or Security Rules. Penalties will vary significantly depending on factors such as the date of the violation, whether the covered entity knew or should have known of the failure to comply, or whether the covered entity’s failure to comply was due to willful neglect. Penalties may not exceed a calendar year cap for multiple violations of the same requirement.[2]

Current penalties and cap include[2]:

  • Penalty amount: $100 to $50,000 or more per violation
  • Calendar year cap: $1,500,000

A penalty will not be imposed for violations in certain circumstances, such as if[2]:

  1. the failure to comply was not due to willful neglect, and was corrected during a 30-day period after the entity knew or should have known the failure to comply had occurred (unless the period is extended at the discretion of OCR); or
  2. the Department of Justice has imposed a criminal penalty for the failure to comply.

Additionally, OCR has the option to reduce a penalty if the failure to comply was due to reasonable cause and the penalty would be excessive given the nature and extent of the noncompliance. Before OCR imposes a penalty, it will notify the covered entity and provide the them with an opportunity to submit written evidence of those circumstances that would reduce or avoid a penalty. This evidence must be submitted to OCR within 30 days of receipt of the notice. In addition, if OCR states that it intends to impose a penalty, a covered entity has the right to request an administrative hearing to appeal the proposed penalty.[2]

Criminal penalties

A person who knowingly obtains or discloses individually identifiable health information in violation of the Privacy Rule may face a criminal penalty of up to $50,000 and up to one-year imprisonment. The criminal penalties increase to $100,000 and up to five years imprisonment if the wrongful conduct involves false pretenses, and to $250,000 and up to 10 years imprisonment if the wrongful conduct involves the intent to sell, transfer or use identifiable health information for commercial advantage, personal gain or malicious harm. The Department of Justice is responsible for criminal prosecutions under the Privacy Rule.[2][3]


  1. 1.0 1.1 1.2 1.3 1.4 1.5 Office for Civil Rights (6 November 2015). "What do the HIPAA Privacy and Security Rules require of covered entities when they dispose of protected health information?". U.S. Department of Health & Human Services. Retrieved 10 February 2022. 
  2. 2.0 2.1 2.2 2.3 2.4 Office for Civil Rights (26 July 2013). "Summary of the HIPAA Privacy Rule". United States Department of Health and Human Services. Retrieved 09 February 2022. 
  3. Office for Civil Rights (26 July 2013). "Summary of the HIPAA Security Rule". U.S. Department of Health and Human Services. Retrieved 10 February 2022. 

Citation for this section

Title: HIPAA Compliance: An Introduction - Additional compliance guidance

Author for citation: Alan Vaughan, with editorial modifications by Shawn Douglas

License for content: Creative Commons Attribution-ShareAlike 4.0 International

Publication date: Originally published June 2016; compiled and lightly edited February 2022