The Health Insurance Portability and Accountability Act (HIPAA) included standardized procedures for protecting health records. HIPAA's Privacy Rule addresses how information may be used and the steps that covered entities must take to ensure confidentiality. As part of its treatment of privacy, the act identifies acceptable disposal methods for personal information.
HIPAA does not mandate how long a patient's records must be retained. Each state's laws govern the retention period for medical records. However, the HIPAA Privacy Rule applies for the entire retention period until the records have been properly destroyed.
Destruction of Paper Records
Paper records include medical files, prescription bottles with the patient's name, and identification tags or bracelets. If a dumpster, trash can or recycling receptacle can be accessed by the public or unauthorized personnel, all protected information must be shredded or otherwise made indecipherable and unreadable before it is placed in the container. Using an outside vendor to destroy the records is acceptable if records are secured until the vendor picks them up. If justified by the type and size of the health care provider, a locked dumpster that can only be accessed by those with the authority to do so may be used for disposal.
Destruction of Electronic Data
Under the HIPAA Privacy Rule, data recorded on electronic media may be overwritten with information that is not of a sensitive nature, or the media may be exposed to a magnetic field of sufficient strength to disrupt the recorded data. The provider may also physically destroy the disks or tapes by melting, shredding, incinerating or pulverizing them. Only after the media is rendered unreadable may it be placed in an accessible dumpster or trash can. Tapes, disks and computers may be reused if all protected information is first purged from the media, hardware or software that held the data.
Destruction of Data Held by Field Personnel
If health records or information is provided to outside personnel for them to use in performing their duties, the rules for proper disposal still apply. Employees may destroy the information in the field or return it to the employer's place of business for destruction.