The Right Way to Dispose of Medical and Legal Records
All you have to do is Google the phrase, “medical information found in dumpster,” and you will find endless news headlines from back alleys all over the USA about medical and legal practices tossing client records directly into a dumpster, leaving them wide open to dumpster divers. Some of the culprits dumping these files are practices that have closed, or that hold files older than seven years, which they assume means they can simply toss highly sensitive personal information into the street.
These true stories clearly indicate that despite operating a professional medical or legal organization, there is still a misunderstanding of the right way to dispose of medical and legal records. This short article will help bring clarity about the proper handling of personal information.
What Does the Law Say?
All Personal Health Information (PHI) and Personally Identifiable Information (PII) that is generated must be protected and is the responsibility of the organization creating that information from the “cradle to the grave.”
- The Health Insurance Portability and Accountability Act (HIPAA) requires entities handling PHI to “apply appropriate administrative, technical, and physical safeguards to protect the privacy of PHI, in any form.” It also requires that any PHI that is disposed of must be “rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed.”
- The Gramm-Leach-Bliley Act (GLBA) requires covered businesses to develop, implement, and maintain an information security program with administrative, technical, and physical safeguards designed to protect customer information when it is in use and when it is disposed of.
- The Sarbanes-Oxley Act (SOX) is a set of rules for accountants, auditors, and corporate officers and carries criminal penalties for violating securities laws.
The laws are very clear that you must protect health and legal information from being exposed to unauthorized individuals, shared inappropriately, lost, or stolen. Here are some important terms that pertain to the protection of private medical and legal information:
- Retention Dates – All forms of documents that contain private information have a final disposition date, also known as a “retention date,” at the end of their lifecycle. You must destroy them on time, not prematurely, and not keep them beyond their retention date.
- Chain of Custody – A record of the lifespan of documents with PII or PHI must be kept on hand and made available for authorized inquiries, including an audit. Medical and legal professionals should have proof of the chain of custody of all information they have generated or received.
- Certificate of Destruction – The end of the chain of custody. A reputable shredding company can provide this after they have securely shredded your files. This certificate acts as proof of your compliance with privacy laws.
Outsourcing Your Records Disposal
As a medical or legal professional, your primary focus is the health and welfare of your clients. Working with them requires a great deal of skill, attention, and time. Risking that legacy for a quick file dump is simply not worth it.
It is your responsibility to create a records management plan and educate yourself and your staff about the proper procedures to remain compliant. Keep everyone up to date with changing laws and guidelines with a once-a-quarter training session.
Once you have a handle on records management, the best way to securely destroy records at the end of their lifecycle is to partner with a local, reputable shredding service that can give you a Certificate of Destruction after every shredding service.
Wiggins Shredding has been working with medical and legal professionals in Pennsylvania and the Tri-State area of Delaware, New Jersey, and Maryland since 2007. If you are ready to get compliant or just need help staying compliant, call us at 610-692-TEAR (8327) or complete the form on this page. We look forward to talking with you!