Destruction of Protected Health Information

Health Insurance Portability and Accountability Act (HIPAA)

Destruction of patient health information by a medical office or pediatrician must be done in accordance with federal and state law. It should follow the individual practice's proper written retention schedule and destruction policy.

Records involved in any open investigation, audit, or litigation must not be destroyed until the legal case has been closed.

Some states require health care organizations to create an abstract of the destroyed patient information, notify patients when destroying patient information, or specify how the protected health information was rendered unreadable.

In the absence of any state law to the contrary, medical offices must ensure paper and electronic records are destroyed by a method that provides for no possibility that the protected health information can be reconstructed.

Common destruction methods are:

  • Burning, shredding, pulping, and pulverizing for paper records.
  • Pulverizing for microfilm or microfiche, laser discs, and document imaging applications.
  • Magnetic degaussing for computerized data.
  • Shredding or cutting for DVDs.
  • Demagnetizing magnetic tapes.

Medical offices should maintain documentation of the destruction of health records that includes the following:

  • Date of destruction
  • Method of destruction
  • Description of the disposed records
  • Inclusive dates
  • A statement that the records were destroyed in the normal course of business
  • The signatures of the individuals supervising and witnessing the destruction

Under the HIPAA privacy rule, when destruction services are outsourced to a Business Associate, the contract must provide that the Business Associate will establish the permitted and required uses and disclosures and include the following elements:

  • The method of destruction or disposal
  • The time that will elapse between acquisition and destruction or disposal
  • Safeguards against breaches
  • Indemnification of the organization or provider for loss due to unauthorized disclosure
  • A requirement that the Business Associate maintain liability insurance in specified amounts at all times

A medical practice may, but is not required to, hire a Business Associate to dispose of PHI on its behalf.

When doing this, the Covered Entity must enter into a contract or other agreement with the Business Associate requiring the Business Associate to appropriately safeguard the PHI through disposal. For example, a medical practice may hire an outside vendor to pick up PHI in paper records or on electronic media from its premises; shred, burn, pulp, or pulverize the PHI, or purge or destroy the electronic media; and deposit the deconstructed material in a landfill or other appropriate area.

Medical offices should reassess the method of destruction annually based on current technology, accepted practices, and availability of timely and cost-effective destruction services.

Disclaimer: This information is general in scope and educational in nature. It is not intended as legal advice. If you require legal advice, contact an attorney. 

The recommendations in this publication do not indicate an exclusive course of treatment or serve as a standard of medical care. Variations, taking into account individual circumstances, may be appropriate. This content is for informational purposes only. It is not intended to constitute financial or legal advice. A financial advisor or attorney should be consulted if financial or legal advice is desired.