|
|
| Line 1: |
Line 1: |
| __NOTOC__
| | #REDIRECT [[LII:HIPAA Compliance: An Introduction]] |
| ==Disposal of PHI==
| |
| [[File:Shredding security.jpg|left|300px]]In [[LII:HIPAA Compliance - LII 007 06. Security|Lesson 6]], we learned that [[HIPAA]] requires covered entities (CEs) to apply appropriate '''administrative, technical, and physical safeguards''' to protect the privacy of protected health information (PHI), in any form. This means that CEs must implement ''reasonable safeguards'' to limit incidental and avoid prohibited uses and disclosures of PHI, including in connection with its disposal.<ref name="HHSWhatDo">{{cite web |url=http://www.hhs.gov/hipaa/for-professionals/faq/575/what-does-hipaa-require-of-covered-entities-when-they-dispose-information/ |title=What do the HIPAA Privacy and Security Rules require of covered entities when they dispose of protected health information? |publisher=U.S. Department of Health & Human Services |accessdate=10 June 2016}}</ref>
| |
| | |
| In addition, the HIPAA Security Rule requires that CEs implement policies and procedures to<ref name="HHSWhatDo" />:
| |
| | |
| * address the final disposition of electronic PHI and/or the hardware or electronic media on which it is stored
| |
| * implement procedures for removal of electronic PHI from electronic media before the media are made available for re-use (see 45 CFR 164.310(d)(2)(i) and (ii)).
| |
| | |
| Failing to implement reasonable safeguards to protect PHI in connection with disposal could result in impermissible disclosures of PHI, which exposes the risk of fines and other sanctions.
| |
| | |
| Additionally, workforce members must receive training on and follow those disposal policies and procedures, as necessary and appropriate for each workforce member (see 45 CFR 164.306(a)(4), 164.308(a)(5), and 164.530(b) and (i)). Therefore, any workforce member involved in disposing of PHI, or who supervises others who dispose of PHI, must receive training on disposal. This includes any volunteers.<ref name="HHSWhatDo" />
| |
| | |
| These requirements are NOT met if CEs simply abandon PHI or dispose of it in dumpsters or other containers that are accessible by the public or other unauthorized persons. However, the Privacy and Security Rules do not require a particular disposal method. CEs must review their own circumstances to determine what steps are <u>reasonable</u> to safeguard PHI through disposal, and develop and implement policies and procedures to carry out those steps. In determining what is reasonable, CEs should assess potential risks to patient privacy, as well as consider such issues as the form, type, and amount of PHI to be disposed. For instance, the disposal of certain types of PHI such as name, social security number, driver’s license number, debit or credit card number, diagnosis, treatment information, or other sensitive information may warrant more care due to the risk that inappropriate access to this information may result in identity theft, employment or other discrimination, or harm to an individual’s reputation.<ref name="HHSWhatDo" />
| |
| | |
| In general, examples of proper disposal methods may include, but are not limited to<ref name="HHSWhatDo" />:
| |
| | |
| * shredding, burning, pulping, or pulverizing PHI on paper records so that PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed
| |
| * clearing (using software or hardware products to overwrite media with non-sensitive data), purging (degaussing or exposing the media to a strong magnetic field in order to disrupt the recorded magnetic domains), or destroying (disintegration, pulverization, melting, incinerating, or shredding) PHI on electronic media
| |
| * maintaining labeled prescription bottles and other PHI in opaque bags in a secure area and using a disposal vendor as a business associate to pick up and shred or otherwise destroy the PHI
| |
| | |
| For more information on proper disposal of electronic PHI, see the [[United States Department of Health and Human Services]] (HHS) [http://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/physsafeguards.pdf HIPAA Security Series 3: Security Standards – Physical Safeguards]. In addition, for practical information on how to handle sanitization of PHI throughout the information lifecycle, you can consult [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-88r1.pdf NIST SP 800-88, Guidelines for Media Sanitization, Revision 1].
| |
| | |
| Other methods of disposal also may be appropriate, depending on the circumstances. CEs are encouraged to consider the steps that other prudent healthcare and health information professionals are taking to protect patient privacy in connection with record disposal. Resources like [http://limsforum.com LIMSforum] provide useful information and experience exchange. In addition, if a CE is winding up a business, it may wish to consider giving patients the opportunity to pick up their records prior to any disposition (however, keep in mind that many states may impose requirements on CEs to retain and make available for a limited time, as appropriate, medical records after dissolution of a business).<ref name="HHSWhatDo" />
| |
| | |
| ==Enforcement and penalties==
| |
| [[File:HIPAA Penalties.jpg|right|400px]]As we discussed in [[LII:HIPAA Compliance - LII 007 06. Security|Lesson 6]], the Office for Civil Rights (OCR) may impose a penalty on a CE for a failure to comply with a requirement of the Privacy or Security Rules. Penalties will vary significantly depending on factors such as the date of the violation, whether the CE knew or should have known of the failure to comply, or whether the CE’s failure to comply was due to willful neglect. Penalties may not exceed a calendar year cap for multiple violations of the same requirement.<ref name="HHSPrivacy">{{cite web |url=http://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html |title=Summary of the HIPAA Privacy Rule |publisher=U.S. Department of Health & Human Services |accessdate=10 June 2016}}</ref>
| |
| | |
| Current penalties and cap<ref name="HHSPrivacy" />:
| |
| | |
| * Penalty amount: $100 to $50,000 or more per violation
| |
| * Calendar year cap: $1,500,000
| |
| | |
| A penalty will not be imposed for violations in certain circumstances, such as if<ref name="HHSPrivacy" />:
| |
| | |
| # the failure to comply was not due to willful neglect, and was corrected during a 30-day period after the entity knew or should have known the failure to comply had occurred (unless the period is extended at the discretion of OCR)
| |
| # the Department of Justice has imposed a criminal penalty for the failure to comply
| |
| | |
| In addition, OCR has the option to reduce a penalty if the failure to comply was due to reasonable cause and the penalty would be excessive given the nature and extent of the noncompliance. Before OCR imposes a penalty, it will notify the CE and provide the them with an opportunity to submit written evidence of those circumstances that would reduce or avoid a penalty. This evidence must be submitted to OCR within 30 days of receipt of the notice. In addition, if OCR states that it intends to impose a penalty, a CE has the right to request an administrative hearing to appeal the proposed penalty.<ref name="HHSPrivacy" />
| |
| | |
| ===Criminal penalties===
| |
| A person who knowingly obtains or discloses individually identifiable health information in violation of the Privacy Rule may face a criminal penalty of up to $50,000 and up to one-year imprisonment. The criminal penalties increase to $100,000 and up to five years imprisonment if the wrongful conduct involves false pretenses, and to $250,000 and up to 10 years imprisonment if the wrongful conduct involves the intent to sell, transfer, or use identifiable health information for commercial advantage, personal gain or malicious harm. The Department of Justice is responsible for criminal prosecutions under the Privacy Rule.<ref name="HHSPrivacy" /><ref name="HIPAASecurity">{{cite web |url=http://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html |title=Summary of the HIPAA Security Rule |publisher=U.S. Department of Health and Human Services |accessdate=15 June 2016}}</ref>
| |
| | |
| ==Additional resources==
| |
| * The entire Privacy Rule, as well as guidance and additional materials, may be found on [http://www.hhs.gov/ocr/hipaa the HHS website].
| |
| * A combined (unofficial) version of all of the CFR elements that make up HIPAA is [http://www.hhs.gov/sites/default/files/hipaa-simplification-201303.pdf provided by the OCR]. (PDF)
| |
| * HHS' "[http://www.hhs.gov/hipaa/for-professionals/faq HIPAA FAQs for Professionals]
| |
| * HHS' "[http://www.hhs.gov/hipaa/for-professionals/covered-entities/fast-facts/index.html Fast Facts for Covered Entities]"
| |
| * HHS' "[http://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/physsafeguards.pdf HIPAA Security Series 3: Security Standards – Physical Safeguards]" (PDF)
| |
| * NIST's "[http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-88r1.pdf Guidelines for Media Sanitization]", Revision 1 (PDF)
| |
| | |
| ==References==
| |
| <references />
| |
| | |
| <!---Place all category tags here-->
| |
| [[Category:LabCourses material (all)]]
| |
| [[Category:LabCourses material on regulations and standards]]
| |
