Document shredding is an important part of ensuring the protection of sensitive patient information and overall compliance when it comes to the Health Insurance Portability and Accountability Act (HIPAA). This makes shredding vitally important to your medical facility.

Proper document destruction processes protect patient privacy and reduce the risk of fines for non-compliance for you and your facility.

01   /   What are HIPAA Rules and Why are they Important?

What is HIPAA, and why is it relevant to medical facilities? The Health Insurance Portability and Accountability Act was enacted in 1996 and is designed to safeguard a patient’s private health information or PHI. It is also known as the Privacy Rule. In essence, it protects the privacy of personal patient information and their medical data. It’s all about confidentiality. Today, any patient receiving any type of medical service is given privacy documents to sign, stating exactly who is allowed to be privy to their personal medical information. 

HIPAA violations can result in hefty fines for practitioners or entire entities such as medical offices, dental care providers, hospitals, outpatient treatment centers, and so forth. Treatment information, diagnoses, medical test results and demographic information are all protected under HIPAA.

HIPAA rules also limit access to medical health information by third parties.

Healthcare providers, hospitals and other medical facilities purge their inactive medical records after a certain amount of time has passed, based on their retention schedule. With the move to digital health records (also known as electronic health records or EHR), paper documentation is not as prevalent as it once was. However, not all hospital systems are able to share information between EHR system platforms, so paper is often necessary.

02   /   How Proper Document Destruction Prevents HIPAA Violations

Protecting patients from compromised PHI matters to every medical facility. Failing to comply with HIPAA puts patients at risk. If personal health information is compromised due to lack of compliance, credibility and trust are lost, not to mention the potential fines and penalties for HIPAA violations.

To prevent violations, document shredding must comply with the federal code of regulations found in Title 45 CFR 164.530. Accountability is essential to reduce potential breaches or non-compliance. Any person involved in destruction of PHI must be trained on disposal policies and procedures.

03   /   HIPAA Compliance and Document Destruction

Document shredding is the process by which every piece of paper or document that contains any identifying information about a patient (name, medical history, address, and so on) is destroyed in such a way that no unauthorized person can use that information for any purpose. This process is an integral part of HIPAA compliance and any medical facility that produces these documents needs to comply.

The Department of Health and Human Services recommends that paper records be pulped, pulverized, burned or shredded, or destroyed by other methods that make the information found in private documents unrecognizable. For electronic/digital record destruction, methods include using software or hardware to overwrite media, or using magnetic fields to alter the content. Complete destruction of the media through incineration, pulverization, melting and so forth is also an option.

Even if a medical facility has moved to electronic documents and the majority of patient PHI is stored online, some physical documents may contain sensitive information. All employees with access to such material should know what is not allowed:


Never throw such documents away in the office waste bins or any external dumpster.


Never leave such documents exposed or in any way accessible to the public or any unauthorized person.


Never forget to lock the cabinets or drawers containing such documents.

Failure to comply with HIPAA regulations regarding PHI can result in massive fines and penalties.

04   /   HIPAA Violations: What’s at Stake?

Non-compliance with HIPAA policy increases the risk of fines and, depending on the severity of the offense, even more severe consequences, such as loss of licensing. Penalties are assessed in four distinct tiers based not only on severity, but also on the diligence the facility has shown in monitoring and assessing risk and in taking appropriate measures to protect PHI.

An individual whose information has been compromised due to noncompliance has legal grounds to sue or take other legal action against a medical facility. Fines range from $100 per violation (up to $50,000) for Tier 1 to a minimum of $50,000 per violation for Tier 4. Know the laws. There is no excuse for non-compliance.

05   /   Why Work with a Qualified Waste Management Company for Document Destruction?

A knowledgeable, experienced waste management company such as MCF Environmental Services knows the rules and will ensure HIPAA and OSHA compliance. Ensure that the company is:


Thoroughly familiar with all HIPAA protocols. If they don’t know what HIPAA entails, they can’t confidently ensure compliance.


Knowledgeable about different forms and types of document destruction, for example pulping, shredding, or pulverizing. Shredding tends to be the easiest method that still produces effective results.


Professional and diligent regarding their responsibilities as the medical waste management company. For example, anyone who supervises the actual shredding or document destruction process has undergone full training.


Dedicated to keeping document shredding or destruction costs as low as possible. This often entails transporting documents from a facility to theirs in order to perform the shredding and disposal process.


Prepared to provide all relevant paperwork to you to show proof and method of destruction in the event of any agency audits, such as those conducted by OSHA. This includes official certificates of destruction after the shredding.

Every medical facility is the responsible party for ensuring total compliance in document destruction methods that protect patients and their health information. Even if you work with a third party, the responsibility and liability fall to you, the medical facility. Therefore, perform due diligence when selecting any company for sensitive document destruction.

For more information about document shredding or other forms of PHI destruction, and to ensure full compliance, contact a representative of MCF Environmental Services, a full-service waste management company.

Robert Losurdo

President, COO