4.5.B HIPAA/Privacy: Other Requirements - Destruction of PHI Policy

  • POLICY:

    LHCC has a duty to protect the confidentiality and integrity of confidential medical information as required by law, professional ethics, and accreditation requirements. PHI may only be disposed of by means that ensure that it will not be accidentally release to an outside party. This policy defines the guidelines and procedures that must be followed when disposing of information containing PHI.

    PROCEDURE:

    The destruction and disposal of PHI will be carried out in accordance with HIPAA regulations.

    No protected health information will be destroyed before the minimum retention period has been met.

    Confidential information includes that which contains PHI of a patient, relative or household member of a patient. All documents containing PHI must be destroyed in a manner that prevents reconstruction. Destruction will be in the following manner:

    Paper

    incinerating, shredding or pulverizing

    Computerized data

    reformatting, magnetization or physical destruction

    Radiology films

    shredding or pulverizing

    Laser disks

    pulverizing

    Patient labels

    shredding

    Any documentation containing PHI must be personally shredded or placed in a secure recycling container. PHI must not be discarded in trash bins, unsecured recycle containers and other publicly accessible locations.

    Destruction of the legal medical record must be documented and maintained permanently and include the following:

    • Date of destruction;
    • Method of destruction;
    • Description of the destroyed documents;
    • Inclusive data covered;
    • Statement that the records were destroyed in the normal course of business;
    • Signatures of the individuals supervising and/or witnessing the destruction.

    If destruction services are contracted, the contract must meet the requirements of the HIPAA privacy rule and a Business Associate Agreement must be executed.

    Contracts between LHCC and its business associates will provide that, upon termination of the contract, the business associate will return or destroy and dispose of all consumer health information. The destruction of PHI by the business associate will be documented in writing and sent to the Compliance Officer.

    If such return or destruction is not feasible, the contract will limit the use and disclosure of the information to the purposes that prevent its return or destruction and disposal.

    Revised 12/2013

  • Date Format: MM slash DD slash YYYY