Paubox blog: HIPAA compliant email made easy

Can physical copies of PHI be disposed of in public dumpsters?

Written by Kirsten Peremore | November 21, 2024

No, physical copies of protected health information (PHI) cannot be disposed of in public dumpsters because they risk unauthorized access.


What HIPAA says about the disposal of protected health information (PHI)

According to HHS guidance, "...covered entities must implement reasonable safeguards to limit incidental, and avoid prohibited, uses and disclosures of PHI, including in connection with the disposal of such information…the HIPAA Security Rule requires that covered entities implement policies and procedures to address the final disposition of electronic PHI and/or the hardware or electronic media..."

The Privacy Rule doesn't specify exact disposal methods but requires that PHI must be destroyed in a way that makes it unreadable, indecipherable, and otherwise unable to be reconstructed. Common methods include shredding paper records, destroying electronic media, or using other technology that can completely clear or destroy the information.

The Security Rule takes this a step further by requiring covered entities to implement policies and procedures that address the final disposition of electronic PHI (ePHI) and the hardware or electronic media on which it is stored. They must ensure that electronic media are cleared, purged, or destroyed consistent with the National Institute of Standards and Technology (NIST) guidelines.

See also: What is media sanitization?


Why public dumpsters should not be used to dispose of PHI

Further HHS guidance provides that, "In general, a covered entity may not dispose of PHI in paper records, labeled prescription bottles, hospital identification bracelets, PHI on electronic media, or other forms of PHI in dumpsters, recycling bins, garbage cans, or other trash receptacles generally accessible by the public or other unauthorized persons."

When PHI lands in a public dumpster, it is exposed to anyone who passes by, and the organization is exposed to the risk of a breach. Sensitive details like Social Security numbers and medical records could easily be picked up and misused, leading to identity theft or breaches of confidentiality. Given these risks, HIPAA requires that PHI be disposed of in a manner that renders it unreadable and unrecoverable.


The alternative methods of disposal

  1. Shredding: Using cross-cut or micro-cut shredders completely destroys paper records containing PHI.
  2. Burning: Incinerating paper records is one of the most effective destruction methods; done properly, the records are completely destroyed.
  3. Pulping: Breaking down paper records into a slurry makes them irretrievable.
  4. Rendering unreadable with a confetti cutter: Using shredders that produce small pieces of paper (less than 5mm) ensures the information cannot be reconstructed.
  5. Chemical deactivation: Chemical treatment can render physical records unreadable and irreversibly so.
  6. Paper recycling and PHI destruction: Ensuring that any recycling company used is certified to destroy PHI before recycling.

The benefit of using professional destruction services

Using HIPAA compliant disposal services is a good way to ensure that physical copies of PHI are properly handled. Choosing the right service takes the hassle out of PHI disposal and reduces the chance of a breach caused by employee negligence or insider threats. When selecting a service, organizations should look for the following:

  • They are willing to sign a business associate agreement.
  • Certified destruction methods are used.
  • The organization provides documentation and certification of destruction.
  • There is a secure chain of custody.
  • They have secure disposal facilities.
  • There are ongoing risk assessments.

Related: HIPAA Compliant Email: The Definitive Guide


FAQs

What is NIST?

The National Institute of Standards and Technology (NIST) is a U.S. agency that develops technology, metrics, and standards to drive innovation and economic competitiveness.


What is ePHI?

ePHI is any patient health information that is created, stored, transmitted, or received electronically.


What is unauthorized access?

Unauthorized access refers to the situation where someone gains entry to data or resources without permission, potentially leading to privacy breaches or security threats.