LII:HIPAA Compliance - LII 007 07. Additional Compliance Guidance
Disposal of PHILesson 6, we learned that HIPAA requires covered entities (CEs) to apply appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information (PHI), in any form. This means that CEs must implement reasonable safeguards to limit incidental and avoid prohibited uses and disclosures of PHI, including in connection with its disposal.
In addition, the HIPAA Security Rule requires that CEs implement policies and procedures to:
- address the final disposition of electronic PHI and/or the hardware or electronic media on which it is stored
- implement procedures for removal of electronic PHI from electronic media before the media are made available for re-use (see 45 CFR 164.310(d)(2)(i) and (ii)).
Failing to implement reasonable safeguards to protect PHI in connection with disposal could result in impermissible disclosures of PHI, which exposes the risk of fines and other sanctions.
Additionally, workforce members must receive training on and follow those disposal policies and procedures, as necessary and appropriate for each workforce member (see 45 CFR 164.306(a)(4), 164.308(a)(5), and 164.530(b) and (i)). Therefore, any workforce member involved in disposing of PHI, or who supervises others who dispose of PHI, must receive training on disposal. This includes any volunteers.
These requirements are NOT met if CEs simply abandon PHI or dispose of it in dumpsters or other containers that are accessible by the public or other unauthorized persons. However, the Privacy and Security Rules do not require a particular disposal method. CEs must review their own circumstances to determine what steps are reasonable to safeguard PHI through disposal, and develop and implement policies and procedures to carry out those steps. In determining what is reasonable, CEs should assess potential risks to patient privacy, as well as consider such issues as the form, type, and amount of PHI to be disposed. For instance, the disposal of certain types of PHI such as name, social security number, driver’s license number, debit or credit card number, diagnosis, treatment information, or other sensitive information may warrant more care due to the risk that inappropriate access to this information may result in identity theft, employment or other discrimination, or harm to an individual’s reputation.
In general, examples of proper disposal methods may include, but are not limited to:
- shredding, burning, pulping, or pulverizing PHI on paper records so that PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed
- clearing (using software or hardware products to overwrite media with non-sensitive data), purging (degaussing or exposing the media to a strong magnetic field in order to disrupt the recorded magnetic domains), or destroying (disintegration, pulverization, melting, incinerating, or shredding) PHI on electronic media
- maintaining labeled prescription bottles and other PHI in opaque bags in a secure area and using a disposal vendor as a business associate to pick up and shred or otherwise destroy the PHI
For more information on proper disposal of electronic PHI, see the United States Department of Health and Human Services (HHS) HIPAA Security Series 3: Security Standards – Physical Safeguards. In addition, for practical information on how to handle sanitization of PHI throughout the information lifecycle, you can consult NIST SP 800-88, Guidelines for Media Sanitization, Revision 1.
Other methods of disposal also may be appropriate, depending on the circumstances. CEs are encouraged to consider the steps that other prudent healthcare and health information professionals are taking to protect patient privacy in connection with record disposal. Resources like LIMSforum provide useful information and experience exchange. In addition, if a CE is winding up a business, it may wish to consider giving patients the opportunity to pick up their records prior to any disposition (however, keep in mind that many states may impose requirements on CEs to retain and make available for a limited time, as appropriate, medical records after dissolution of a business).
Enforcement and penaltiesLesson 6, the Office for Civil Rights (OCR) may impose a penalty on a CE for a failure to comply with a requirement of the Privacy or Security Rules. Penalties will vary significantly depending on factors such as the date of the violation, whether the CE knew or should have known of the failure to comply, or whether the CE’s failure to comply was due to willful neglect. Penalties may not exceed a calendar year cap for multiple violations of the same requirement.
Current penalties and cap:
- Penalty amount: $100 to $50,000 or more per violation
- Calendar year cap: $1,500,000
A penalty will not be imposed for violations in certain circumstances, such as if:
- the failure to comply was not due to willful neglect, and was corrected during a 30-day period after the entity knew or should have known the failure to comply had occurred (unless the period is extended at the discretion of OCR)
- the Department of Justice has imposed a criminal penalty for the failure to comply
In addition, OCR has the option to reduce a penalty if the failure to comply was due to reasonable cause and the penalty would be excessive given the nature and extent of the noncompliance. Before OCR imposes a penalty, it will notify the CE and provide the them with an opportunity to submit written evidence of those circumstances that would reduce or avoid a penalty. This evidence must be submitted to OCR within 30 days of receipt of the notice. In addition, if OCR states that it intends to impose a penalty, a CE has the right to request an administrative hearing to appeal the proposed penalty.
A person who knowingly obtains or discloses individually identifiable health information in violation of the Privacy Rule may face a criminal penalty of up to $50,000 and up to one-year imprisonment. The criminal penalties increase to $100,000 and up to five years imprisonment if the wrongful conduct involves false pretenses, and to $250,000 and up to 10 years imprisonment if the wrongful conduct involves the intent to sell, transfer, or use identifiable health information for commercial advantage, personal gain or malicious harm. The Department of Justice is responsible for criminal prosecutions under the Privacy Rule.
- The entire Privacy Rule, as well as guidance and additional materials, may be found on the HHS website.
- A combined (unofficial) version of all of the CFR elements that make up HIPAA is provided by the OCR. (PDF)
- HHS' "HIPAA FAQs for Professionals
- HHS' "Fast Facts for Covered Entities"
- HHS' "HIPAA Security Series 3: Security Standards – Physical Safeguards" (PDF)
- NIST's "Guidelines for Media Sanitization", Revision 1 (PDF)
- "What do the HIPAA Privacy and Security Rules require of covered entities when they dispose of protected health information?". U.S. Department of Health & Human Services. http://www.hhs.gov/hipaa/for-professionals/faq/575/what-does-hipaa-require-of-covered-entities-when-they-dispose-information/. Retrieved 10 June 2016.
- "Summary of the HIPAA Privacy Rule". U.S. Department of Health & Human Services. http://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html. Retrieved 10 June 2016.
- "Summary of the HIPAA Security Rule". U.S. Department of Health and Human Services. http://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html. Retrieved 15 June 2016.