Document Shredding and HIPAA Compliance
In May 2003, the Raleigh News and Observer reported a nursing assistant was caught rifling through a convalescent center’s trash cans. Allegedly, the nursing assistant was looking for patient information to fraudulently obtain credit cards. In August 2002, medical records from a Pennsylvania hospital (including lab and drug reports for hundreds of patients) were found scattered in the streets of Allentown.
In response to incidents like these, Congress voted in 1996 to enact legislation to protect a patient’s privacy. In the second quarter of 2003, the Health Insurance Portability and Accountability Act (HIPAA) went into effect.
HIPAA mandates higher standards of privacy and security for health-related information. The law defines what type of health-related information is protected, and how and when that information can be transmitted among treatment providers, payment providers and administrators. The law states that healthcare providers must disclose how protected health information will be used, and in some instances, must first receive authorization from the patient.
Healthcare offices, including private practices, nursing homes, health insurance offices, hospitals and state-supported clinics, may all be subject to HIPAA regulations. They must provide consumers with an adequate description of their privacy practices. There are several easy ways that an office can increase the security of patients’ protected health information:
- Use password-protected computer systems.
- Remove identifiers (names, birthdates, addresses, etc.) from as many documents as possible; instead, use client identification numbers that are matched to client names in a separate protected file.
- Shred all documents as part of the standard disposal process.
HIPAA affects more than just healthcare consumers and providers. Businesses that provide legal, accounting, actuarial, consulting, accrediting and financial services to healthcare businesses are considered “business associates.”
All business associates that contract with HIPAA-compliant healthcare offices must agree to sufficiently safeguard information that is made available to them. If a business associate is in violation of this agreement, the healthcare organization may be required to terminate the contractual relationship, and possibly report the problem to the Department of Health and Human Services Office for Civil Rights.
HIPAA brings document security issues to the forefront of office management. A new wave of office procedures and equipment is raising the bar on security. The destruction of sensitive documents by shredding has become as commonplace in medical offices as using the copier. To prepare for the first major compliance date in 2003, many facilities purchased small deskside shredders from office supply “super stores.” These large retailers experienced a huge increase in sales of inexpensive, low-quality machines. In the months following the implementation of new shredding policies, many facilities found that the amount of paper to be shredded was much greater than anticipated, and the shredders they purchased could not handle the large volume. In reaction to this, many facilities contracted with outside shredding services.
Now that the deadlines for both major compliance dates have passed, many medical offices are re-evaluating their programs and looking for more efficient and cost-effective ways of meeting HIPAA standards. Outside shredding services are increasingly being called into question because of the high costs involved and doubts about whether they are truly “secure.” Unlike medical facilities, shredding services are not held to federally mandated standards. If patient information is somehow released or misused by a shredding contractor, it is the contracting facility that is liable for damages under HIPAA laws. More and more compliance officers are deciding that a centralized shredding program with high-quality, industrial shredders is the smartest way to go. The initial equipment cost will be quickly offset by no longer having to pay the high (and always increasing) shredding service fees. And because the information is not leaving the facility, the increased confidence in security is tremendous. As HIPAA-compliant procedures become second nature to healthcare workers, in-house shredding will become the preferred method of document disposal in the medical field.