In 1996, the US implemented the Health Insurance Portability and Accountability Act (HIPAA) as a way to safeguard patient privacy and prevent unauthorized access to individually identifiable health information. Also known as the Privacy Rule, the main goal of HIPAA is to ensure health information is protected while at the same time allowing health information to be shared when necessary for the health and well-being of the patient and the public. By striking a balance between access and privacy, HIPAA was designed to be both flexible and comprehensive in its application. For individuals and organizations who handle or process medical information, HIPAA regulates how Protected Health Information (PHI) can be transferred, stored and disposed of.
Who Must Comply?
The HIPAA Security Rule applies to health plans, health care clearinghouses and health care providers who transmit health information in electronic form. Insurance providers, HMOs and Medicare/Medicaid are all considered covered entities, as are health care providers regardless of size. In addition, businesses that process PHI must also comply with HIPAA; this includes electronic billing and records management. In fact, most healthcare providers and intermediaries are required to follow all HIPAA rules and standards. The Department of Health and Human Services investigates complaints and enforces compliance.
What Does HIPAA Cover?
Under HIPAA, patient health status, provisions of health care services and payment for care services linked to an individual are all defined as Protected Health Information. All past, present and future data related to a person’s mental or health condition is also considered PHI if that information can be used to identify an individual or could reasonably be used to identify an individual. Social security numbers, addresses, names, and DOBs are all PHI for the purposes of HIPAA.
Under HIPAA, authorized organizations may only share this information when required by law, to facilitate a treatment or to help with the processing or collection of a payment. In addition, a patient may also authorize the disclosure of PHI in certain circumstances. Covered entities are permitted, but not required, to maintain, use, and disclose PHI in the following circumstances:
- To the Individual (unless required for access or accounting of disclosures)
- Treatment, Payment, and Health Care Operations
- Opportunity to Agree or Object
- Incident to an otherwise permitted use and disclosure
- Public Interest and Benefit Activities
- Limited Data Set for the purposes of research, public health or health care operations
What Are HIPAA’s Records Disposal Requirements?
Under HIPAA, covered entities must follow a set of regulations designed to safeguard PHI. These regulations were put in place to limit incidental and prohibited exposure of PHI, including when that information is set for disposal. Certain policies and procedures must be followed to guarantee PHI are properly destroyed, including:
- Shredding, burning, pulping, or pulverizing the records so PHI becomes unreadable, indecipherable, and cannot otherwise be reconstructed.
- Maintaining labeled prescription bottles and other PHI in opaque bags in a secure area
- Using a disposal vendor as a business associate to pick up and shred or otherwise destroy the PHI.
- Overwriting PHI stored on electronic media with non-sensitive data
- Using a strong magnetic field to disrupt recorded magnetic domains
- Destroying the electronic media used to store PHI through disintegration, pulverization, melting, incinerating, or shredding
Maintain Your HIPAA Compliance
Ensure secure and thorough document destruction by taking advantage of the comprehensive document disposal capabilities of an experienced MSP. As regulations regarding the protection and destruction of sensitive data become stricter and more complicated, it’s good to know you can rely on MCF Environmental for secure and thorough paper shredding and document destruction. We handle all ongoing or one-time offsite, secure document destruction and paper shredding for healthcare providers, law offices, and other covered entities in compliance with standards set forth by HIPAA.