Paper Records Disposal Still a Big Problem
The recent discovery of stacks of paper patient records in dumpsters at
an Ohio recycling center offers an important reminder: Any effort to
safeguard patient information must include not just high-tech breach
prevention measures but also proper policies on the disposal of paper
records.
Unfortunately, breaches involving improper disposal of paper or electronic records are common. A snapshot of the Department of Health and Human Services' "wall of shame" website listing health data breaches affecting 500 or more individuals shows that since September 2009, there have been at least 52 incidents involving improper disposal of paper, X-ray film or electronic media containing PHI.
If you rely on your workforce to put confidential information in appropriate bins, you may need to repeat training on the point regularly and get your hands dirty with audits of trash and recycling. Recycling bins can be particularly problematic, as many employees may incorrectly assume that information that is put into recycling is securely disposed of.
Covered entities can also take their own circumstances into consideration. If a hospital does not have the ability to shred its own documents, it is permitted to maintain PHI for disposal in a secure area. The hospital can then work with a disposal vendor as a business associate that will pick up the PHI and shred or destroy it.
The HIPAA Privacy Rule also does not require covered entities or business associates to keep patient medical records for a certain amount of time. Improper disposal is typically not one of the leading causes of healthcare data breaches, but it can still create data security concerns.
Unfortunately, breaches involving improper disposal of paper or electronic records are common. A snapshot of the Department of Health and Human Services' "wall of shame" website listing health data breaches affecting 500 or more individuals shows that since September 2009, there have been at least 52 incidents involving improper disposal of paper, X-ray film or electronic media containing PHI.
If you rely on your workforce to put confidential information in appropriate bins, you may need to repeat training on the point regularly and get your hands dirty with audits of trash and recycling. Recycling bins can be particularly problematic, as many employees may incorrectly assume that information that is put into recycling is securely disposed of.
Covered entities can also take their own circumstances into consideration. If a hospital does not have the ability to shred its own documents, it is permitted to maintain PHI for disposal in a secure area. The hospital can then work with a disposal vendor as a business associate that will pick up the PHI and shred or destroy it.
The HIPAA Privacy Rule also does not require covered entities or business associates to keep patient medical records for a certain amount of time. Improper disposal is typically not one of the leading causes of healthcare data breaches, but it can still create data security concerns.
Comments
Post a Comment