Once the required retention period for medical records has been met, it is important to dispose of protected health information (PHI) in compliance with state and federal law. HIPAA requires safeguarding of PHI for as long as it is maintained, which applies through the disposal of such PHI. Some states may also have requirements pertaining to the destruction of PHI.
In the absence of any state or other applicable law to the contrary, PHI must be destroyed by a method that provides for no possibility that the information can be reconstructed.
Requirements for Disposal of PHI
The HIPAA Privacy Rule requires there to be appropriate safeguards in place throughout the entire information lifecycle, including during the disposal process, to protect from intentional or unintentional uses and disclosures of PHI.
The HIPAA Security Rule requires implementation of policies and procedures on the disposal of electronic PHI or the hardware or media that stores such PHI and the removal of PHI from electronic media before the media is reused. Further, any members of the workforce who dispose of PHI or supervise the disposal of PHI must be trained on appropriate disposal according to the policies and procedures.
In addition to HIPAA requirements, there may be state laws governing the destruction of medical records; for instance, state law may mandate that practices notify patients when destroying patient information. Additionally, records involved in any open investigation, audit, or litigation must not be destroyed until the legal case has been closed.
It is important to become familiar with HIPAA and relevant state laws to ensure the proper destruction of medical records and other PHI.
Destruction Methods
The HIPAA Privacy and Security Rules do not prescribe the method by which paper, electronic, or other PHI must be destroyed and/or disposed of. Examples of acceptable disposal methods for paper records, electronic PHI, or other PHI are covered in the HHS FAQ, "What do the HIPAA Privacy and Security Rules require of covered entities when they dispose of protected health information?"
For more information on rendering data inaccessible on media, refer to the National Institute of Standards and Technology resource, Guidelines for Media Sanitization.
Documentation of Medical Record Destruction
Maintain documentation of the destruction of health records, including the following information:
- Date of destruction
- Method of destruction
- Description of the disposed records
- Inclusive dates covered by the records
- A statement that the records were destroyed in the normal course of business
- The signatures of the individuals supervising and witnessing the destruction
Outsourcing Disposal to Business Associate
As discussed in the HHS FAQ, "May a covered entity hire a business associate to dispose of protected health information?", disposal of PHI may be outsourced to a business associate. If destruction and/or disposal services are outsourced to a business associate, the contract must specify that the business associate will comply with relevant regulations. The agreement should cover the following:
- The method of destruction or disposal
- The time that will elapse between acquisition and destruction or disposal
- Safeguards in place against breaches
- Indemnification for the organization for losses due to unauthorized disclosure
- Requirements for the business associate to maintain liability insurance in specified amounts at all times
Medical offices should regularly reassess the method of destruction based on current technology, accepted practices, and availability of timely and cost-effective destruction services.
Additional Resources
Visit the AAP webpage, Medical Record Retention, for more information on determining record retention periods.
The HHS FAQs on Disposal of Protected Health Information discuss HIPAA requirements for disposal of physical or electronic PHI.
Disclaimer: The recommendations in this publication do not indicate an exclusive course of treatment or serve as a standard of medical care. Variations, taking into account individual circumstances, may be appropriate. This content is for informational purposes only. It is not intended to constitute financial or legal advice. A financial advisor or attorney should be consulted if financial or legal advice is desired. 
Last Updated: 12/16/2025
Source: American Academy of Pediatrics