Disposal of Medical Information—It’s More Than Just Shredding


Reprinted with permission from Birmingham Medical News (October 2022).

Providers often ask how long they must retain certain types of medical information. There are general rules, but the specific answer depends on the type of information involved and the type of health care provider asking. Note that HIPAA itself does not set a retention period for medical records; it requires covered entities to keep the documentation the rules themselves demand (policies and procedures, risk analyses, accountings of disclosures and the like) for six years from the date of creation or the date it was last in effect. Medical record retention periods come instead from state law, Medicare conditions of participation and payer contracts. As a practical matter, a ten (10) year retention period would typically cover most legal requirements, but the timeframe may be extended depending on the age of the patient (records of minors often must be kept until some period after the patient reaches the age of majority) or the specific type of information involved. Further, if the medical information is the subject of an investigation, audit or dispute, it should be retained at least until that matter is resolved, regardless of the normal retention period.

However, how long to retain medical information is only one piece of the puzzle. Once you have satisfied the retention timeframes and may destroy the information, you must also make sure that the destruction and disposal process complies with the applicable HIPAA requirements (the Privacy Rule's safeguards requirement and, for electronic information, the Security Rule's device and media controls). The destruction and disposal process will vary depending on the format the health information takes, which can range from paper records to electronic media to labels on medical supplies and specimen containers. Regardless of format, a recent Office for Civil Rights ("OCR") settlement reminds providers of the importance of ensuring that a proper destruction and disposal process is followed.

OCR recently announced a $300,000 settlement involving the improper disposal of protected health information by a physician practice. A dermatology practice filed a voluntary breach report with OCR after empty specimen containers bearing labels with patient-identifiable information were placed in the garbage for disposal. The labels were not destroyed or rendered unreadable before the containers went into the trash. Each label included the patient's name, date of birth, date of collection and the provider's name. Notably, the labels did not include a diagnosis, detailed clinical information, social security numbers or billing information. That did not matter: a patient's name and date of birth tied to a specimen collected by an identifiable provider is protected health information, and the practice was obligated to safeguard it until it was properly destroyed. OCR determined that the practice had not followed proper disposal safeguards and resolved the case with a $300,000 settlement.

In announcing the settlement, OCR took the opportunity to remind providers of its guidance on the proper destruction and disposal of protected health information. OCR reminds covered entities to have written policies and procedures addressing the destruction and disposal process for each form of medical information they receive or maintain, and to train the workforce members involved in destruction and disposal on those policies and procedures. Both requirements are grounded in the Privacy Rule itself, which requires reasonable safeguards for protected health information in any form, written policies and procedures, and documented workforce training.

While HIPAA does not dictate a particular destruction method, the method used must be reasonable in light of the form, type and amount of health information being destroyed. OCR provides a few examples of proper destruction methods. Shredding, burning or pulping is appropriate for paper records. For electronic media, OCR's guidance borrows the terminology of the NIST media sanitization guidelines (NIST Special Publication 800-88): clearing, meaning overwriting the media with non-sensitive data; purging, meaning degaussing or otherwise rendering the data unrecoverable; or physically destroying the media by disintegrating, pulverizing, melting, incinerating or shredding it. The same standard applies to labels and other printed identifiers: they must be removed and destroyed, or the item itself must be destroyed. When it comes to disposal, OCR makes clear that placing health information in dumpsters, recycling containers or other trash bins accessible to the public is not acceptable when the information has not first been rendered unreadable, indecipherable and incapable of being reconstructed.

In some instances, it may make sense to hire a third-party vendor to handle the destruction and disposal of the information. Because the vendor will handle protected health information on your behalf, it is a business associate, and using one is acceptable only if you enter into a Business Associate Agreement with the vendor and contractually specify the destruction terms (for example, that the vendor will destroy the information in accordance with applicable legal requirements and will return or destroy any protected health information it still holds when the agreement ends). As a practical matter, the agreement should also address how the information is secured while awaiting destruction and should require the vendor to document the destruction, since the covered entity remains responsible for the information until it is actually destroyed.

In light of this most recent action by OCR, it would be wise to revisit your policies and procedures regarding not only the retention of medical information, but also the destruction and disposal of such information in every form in which your practice holds it, including labels on specimens and supplies. Take this opportunity to train your employees on the acceptable procedures for destroying and disposing of medical information in each of those forms. Otherwise, you could find yourself facing a similar $300,000 settlement with OCR.
