Everything You Need to Know About HIPAA Compliant Shredding

If you’re a healthcare provider or you service a healthcare provider, you know that few things are more critical than HIPAA compliance.

HIPAA doesn’t just relate to the way you share and store data. It specifically covers the destruction of protected health information (PHI). While most of the emphasis is on the destruction of electronic records, healthcare organizations with paper records need to be careful, too.

If you have paper records, then you need to understand HIPAA compliant shredding. Are you committing a HIPAA violation as we speak? Keep reading to learn more.

Does the HIPAA Security Rule Cover Shredding?

As a covered entity, you must be careful of the way you destroy data. The HIPAA Security Rule demands that you use the appropriate safeguards to protect the privacy of PHI, even as it leaves your door.

HIPAA doesn’t explicitly cover shredding. A control + F search of the law won’t bring up any results. However, HIPAA doesn’t cover best practices. It asks you to take reasonable and appropriate action. And by using shredding, you introduce the process into the legislation on your own.

What Does HIPAA Compliant Shredding Look Like?

HIPAA compliant shredding requires you to shred PHI documents (or hard drives) in a way so that the PHI is not only unreadable but impossible to reconstruct. In other words, it should be impossible to reenact a scene from a film where a spy takes a shredded document from a bin and pastes the pieces back together.

What does that look like in practice?

According to the National Institute of Standards and Technology, that means using cross cut shredders that create tiny squares (1×5 mm) from paper records. These squares may have single words and letters on them, which makes them entirely unreadable.

Of course, compliance isn’t only related to technical measures.

If you contract a shredding service, then the service must also be HIPAA compliant, and you must issue a contractual agreement between your organization (the covered entity) and the shredder (the business associate).

Remember to Shred All Medical Information Appropriately

Remember that the shredding process doesn’t apply solely to paper records. If you choose to shred other file types, the same protocols apply. You must use the appropriate technology to ensure the files are not only destroyed but unsalvagable. The rule also applies to:

  • Hard drives
  • Tapes
  • X-ray films
  • Any other shreddable media

If you’re not sure whether the document falls under PHI, then your best option is to choose HIPAA compliant shredding anyway.

Could You Be Committing HIPAA Violations?

HIPAA’s reach extends from the creation of PHI to its destruction. And the shredding of PHI could be where your organization is at its most vulnerable. That’s why it’s so important to ensure you use a HIPAA compliant shredding service.

Marshall Shredding offers on-site paper shredding, e-waste shredding, and off-site shredding for all your document destruction needs. Get in touch to learn how we can help your healthcare organization comply with the HIPAA Security Rule and protect your patients.