Today on the Mono Blog we’re going to start a two-part series on regulations established by HIPAA and FACTA, two acts of Congress dictating the proper handling of sensitive patient and consumer information. We’ll start with an outline of the guidelines for proper disposal of sensitive patient information from the Health Insurance Portability and Accountability Act, or HIPAA for short.
Enacted by Congress in 1996, HIPAA contains two titles, or parts. The first sets guidelines for the health insurance industry, most notably limiting provider exclusions on coverage for preexisting conditions. Title II established controls for the way private patient information needs to be handled, setting up the HIPAA rules and guidelines that the health care industry is required to follow. If you’ve worked in the industry you probably know these rules well, and even if you haven’t, anyone who has been to the doctor has most likely signed off on a HIPAA-related document. In addition to requiring that discarded patient information be rendered unreadable or unusable before disposal, there are other guidelines as well. Prescription containers with patient information must be transported in opaque bags, and any third party with which the information needs to be shared must be authenticated by the sharing party.

Although these guidelines and regulations made an immediate impact on the health care industry, HIPAA finally got its teeth in February 2006 with the Enforcement Rule, a Final Rule that established civil penalties for HIPAA violations and procedures for investigations and hearings. The penalties can be stiff, too. They range from $100 for small accidental violations, up to a $250,000 fine and ten years in prison for knowingly obtaining or disclosing protected health information with the intent to sell it or use it for commercial advantage, personal gain, or malicious harm. Here are a couple of samples of these regulations taken from “Frequently Asked Questions About the Disposal of Protected Health Information” on the U.S. Department of Health and Human Services website, hhs.gov:
May a covered entity reuse or dispose of computers or other electronic media that store electronic protected health information?

Yes, but only if certain steps have been taken to remove the electronic protected health information (ePHI) stored on the computers or other media before its disposal or reuse, or if the media itself is destroyed before its disposal. The HIPAA Security Rule requires that covered entities implement policies and procedures to address the final disposition of ePHI and/or the hardware or electronic media on which it is stored, as well as to implement procedures for removal of ePHI from electronic media before the media are made available for reuse. See 45 CFR 164.310(d)(2)(i) and (ii). Depending on the circumstances, appropriate methods for removing ePHI from electronic media prior to reuse or disposal may be by clearing (using software or hardware products to overwrite media with non-sensitive data) or purging (degaussing or exposing the media to a strong magnetic field in order to disrupt the recorded magnetic domains) the information from the electronic media. If circumstances warrant the destruction of the electronic media prior to disposal, destruction methods may include disintegrating, pulverizing, melting, incinerating, or shredding the media. Covered entities may contract with business associates to perform these services for them.
May a covered entity dispose of protected health information in dumpsters accessible by the public?

No, unless the protected health information (PHI) has been rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed prior to it being placed in a dumpster. In general, a covered entity may not dispose of PHI in paper records, labeled prescription bottles, hospital identification bracelets, PHI on electronic media, or other forms of PHI in dumpsters, recycling bins, garbage cans, or other trash receptacles generally accessible by the public or other unauthorized persons. The HIPAA Privacy Rule requires that covered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy of PHI, in any form, including in connection with the disposal of such information. In addition, the HIPAA Security Rule requires that covered entities implement policies and procedures to address the final disposition of electronic PHI and/or the hardware or electronic media on which it is stored. Depositing PHI in a trash receptacle generally accessible by the public or other unauthorized persons is not an appropriate privacy or security safeguard. Instead, covered entities must implement reasonable safeguards to limit incidental, and avoid prohibited, uses and disclosures of PHI. Failing to implement reasonable safeguards to protect PHI in connection with disposal could result in impermissible disclosures of PHI. For example, depending on the circumstances, proper disposal methods may include (but are not limited to):
• Shredding or otherwise destroying PHI in paper records so that the PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed prior to it being placed in a dumpster or other trash receptacle.
• For PHI on electronic media, clearing (using software or hardware products to overwrite media with non-sensitive data), purging (degaussing or exposing the media to a strong magnetic field in order to disrupt the recorded magnetic domains), or destroying the media (disintegration, pulverization, melting, incinerating, or shredding).
Additional information on these guidelines can be found on the HHS website, which also points to NIST SP 800-88, Guidelines for Media Sanitization, for the technical details behind "clearing," "purging," and "destroying." One caveat worth knowing from the current revision of that guideline (Rev. 1): degaussing only works on magnetic media, and overwriting is not a reliable way to sanitize flash-based media such as SSDs and USB sticks, because the drive's wear-leveling can leave copies of data in blocks the host cannot reach. For those devices, use the drive's built-in sanitize command or destroy the media.
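To make the "clearing" step concrete, here is an added example of overwriting a piece of electronic media in place and then verifying the result, written for this post rather than taken from the HHS FAQ or NIST SP 800-88. It assumes the target is a disk image file standing in for a block device (the sample "patient record" written into it in the test is constructed for the demonstration), and it uses only standard POSIX utilities (dd, head, tr, wc, grep).

```shell
#!/bin/sh
# Added example (not from the HHS FAQ or NIST SP 800-88): "clearing" electronic
# media by overwriting it in place, then verifying that nothing readable survived.
# Assumption: TARGET is a regular file (a disk image) standing in for a block
# device. Only standard POSIX utilities are used.
set -eu

# Size in bytes of the target. For a real block device on Linux, `wc -c` may
# report 0; use `blockdev --getsize64 /dev/sdX` there instead.
media_size() {
    wc -c < "$1" | tr -d ' '
}

# Overwrite every byte of TARGET in place: one pass of random data, then a
# final pass of zeros so the result is cheap to verify. conv=notrunc matters:
# redirecting with ">" would truncate the file and let the filesystem allocate
# fresh blocks, leaving the old ones (and the ePHI on them) intact on disk.
# Caveat: copy-on-write or journaling filesystems may still not write in place;
# on a raw block device this concern does not apply.
clear_media() {
    target="$1"
    size=$(media_size "$target")
    head -c "$size" /dev/urandom | dd of="$target" conv=notrunc 2>/dev/null
    head -c "$size" /dev/zero    | dd of="$target" conv=notrunc 2>/dev/null
}

# Verification, as SP 800-88 expects after sanitization: succeed (exit 0) only
# if every byte of TARGET now reads back as zero.
verify_cleared() {
    nonzero=$(tr -d '\000' < "$1" | wc -c)
    [ "$((nonzero))" -eq 0 ]
}

# Spot check: does a known string (e.g. a patient name) still appear anywhere
# on the media? NUL bytes are stripped first so grep treats the input as text.
contains_text() {
    tr -d '\000' < "$1" | grep -q -- "$2"
}

# Stand-alone use: sh clear_media.sh /path/to/image.img
if [ "$#" -ge 1 ]; then
    clear_media "$1"
    if verify_cleared "$1"; then
        echo "cleared: $1"
    else
        echo "verification FAILED: $1" >&2
        exit 1
    fi
fi
```

The two-pass overwrite here is more than SP 800-88 requires for magnetic disks (a single pass is considered sufficient for "Clear"), but the final zero pass is what makes the verification step a one-liner. For SSDs and other flash media, as noted above, overwriting from the host is not trustworthy: use the drive's own sanitize mechanism (ATA Secure Erase via `hdparm --security-erase`, or `nvme format` / `nvme sanitize` from nvme-cli for NVMe drives), or physically destroy the device.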
Regardless of the role you play within the healthcare industry, you have a responsibility to remain HIPAA-compliant, and this includes shredding, degaussing, overwriting, or otherwise destroying patient health information, on paper or on electronic media, before it leaves your control. Tomorrow we will take a look at FACTA, or the Fair and Accurate Credit Transactions Act of 2003, and the role it has played in creating similar guidelines within a range of financial industries.