<?xml version="1.0"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
	<id>https://www.limswiki.org/index.php?action=history&amp;feed=atom&amp;title=Template%3AHIPAA_Compliance%3A_An_Introduction%2FAdditional_compliance_guidance</id>
	<title>Template:HIPAA Compliance: An Introduction/Additional compliance guidance - Revision history</title>
	<link rel="self" type="application/atom+xml" href="https://www.limswiki.org/index.php?action=history&amp;feed=atom&amp;title=Template%3AHIPAA_Compliance%3A_An_Introduction%2FAdditional_compliance_guidance"/>
	<link rel="alternate" type="text/html" href="https://www.limswiki.org/index.php?title=Template:HIPAA_Compliance:_An_Introduction/Additional_compliance_guidance&amp;action=history"/>
	<updated>2026-04-05T09:39:07Z</updated>
	<subtitle>Revision history for this page on the wiki</subtitle>
	<generator>MediaWiki 1.36.1</generator>
	<entry>
		<id>https://www.limswiki.org/index.php?title=Template:HIPAA_Compliance:_An_Introduction/Additional_compliance_guidance&amp;diff=46312&amp;oldid=prev</id>
		<title>Shawndouglas: /* Disposal of PHI */ Added image</title>
		<link rel="alternate" type="text/html" href="https://www.limswiki.org/index.php?title=Template:HIPAA_Compliance:_An_Introduction/Additional_compliance_guidance&amp;diff=46312&amp;oldid=prev"/>
		<updated>2022-02-10T23:02:44Z</updated>

		<summary type="html">&lt;p&gt;&lt;span dir=&quot;auto&quot;&gt;&lt;span class=&quot;autocomment&quot;&gt;Disposal of PHI: &lt;/span&gt; Added image&lt;/span&gt;&lt;/p&gt;
&lt;table style=&quot;background-color: #fff; color: #202122;&quot; data-mw=&quot;interface&quot;&gt;
				&lt;col class=&quot;diff-marker&quot; /&gt;
				&lt;col class=&quot;diff-content&quot; /&gt;
				&lt;col class=&quot;diff-marker&quot; /&gt;
				&lt;col class=&quot;diff-content&quot; /&gt;
				&lt;tr class=&quot;diff-title&quot; lang=&quot;en&quot;&gt;
				&lt;td colspan=&quot;2&quot; style=&quot;background-color: #fff; color: #202122; text-align: center;&quot;&gt;← Older revision&lt;/td&gt;
				&lt;td colspan=&quot;2&quot; style=&quot;background-color: #fff; color: #202122; text-align: center;&quot;&gt;Revision as of 23:02, 10 February 2022&lt;/td&gt;
				&lt;/tr&gt;&lt;tr&gt;&lt;td colspan=&quot;2&quot; class=&quot;diff-lineno&quot; id=&quot;mw-diff-left-l1&quot;&gt;Line 1:&lt;/td&gt;
&lt;td colspan=&quot;2&quot; class=&quot;diff-lineno&quot;&gt;Line 1:&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;==Additional compliance guidance==&lt;/div&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;==Additional compliance guidance==&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;===Disposal of PHI===&lt;/div&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;===Disposal of PHI===&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;−&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;In the previous section, we learned that HIPAA requires covered entities to apply appropriate administrative, technical and physical safeguards to protect the privacy of PHI in any form. This means that covered entities must implement reasonable safeguards to limit incidental and avoid prohibited uses and disclosures of PHI, including in connection with its disposal.&amp;lt;ref name=&amp;quot;HHSWhatDo&amp;quot;&amp;gt;{{cite web |url=https://www.hhs.gov/hipaa/for-professionals/faq/575/what-does-hipaa-require-of-covered-entities-when-they-dispose-information/index.html |title=What do the HIPAA Privacy and Security Rules require of covered entities when they dispose of protected health information? |author=Office for Civil Rights |publisher=U.S. Department of Health &amp;amp; Human Services |date=06 November 2015 |accessdate=10 February 2022}}&amp;lt;/ref&amp;gt;&lt;/div&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot; data-marker=&quot;+&quot;&gt;&lt;/td&gt;&lt;td style=&quot;color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;&lt;ins style=&quot;font-weight: bold; text-decoration: none;&quot;&gt;[[File:Paper shredder news.jpg|right|350px]]&lt;/ins&gt;In the previous section, we learned that HIPAA requires covered entities to apply appropriate administrative, technical and physical safeguards to protect the privacy of PHI in any form. 
This means that covered entities must implement reasonable safeguards to limit incidental and avoid prohibited uses and disclosures of PHI, including in connection with its disposal.&amp;lt;ref name=&amp;quot;HHSWhatDo&amp;quot;&amp;gt;{{cite web |url=https://www.hhs.gov/hipaa/for-professionals/faq/575/what-does-hipaa-require-of-covered-entities-when-they-dispose-information/index.html |title=What do the HIPAA Privacy and Security Rules require of covered entities when they dispose of protected health information? |author=Office for Civil Rights |publisher=U.S. Department of Health &amp;amp; Human Services |date=06 November 2015 |accessdate=10 February 2022}}&amp;lt;/ref&amp;gt;&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;br/&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;br/&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;In addition, the HIPAA Security Rule requires that covered entities implement policies and procedures to&amp;lt;ref name=&amp;quot;HHSWhatDo&amp;quot; /&amp;gt;:&lt;/div&gt;&lt;/td&gt;&lt;td class=&quot;diff-marker&quot;&gt;&lt;/td&gt;&lt;td style=&quot;background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;&quot;&gt;&lt;div&gt;In addition, the HIPAA Security Rule requires that covered entities implement policies and procedures to&amp;lt;ref name=&amp;quot;HHSWhatDo&amp;quot; /&amp;gt;:&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;
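Review bot: the image added on the + side of the "Disposal of PHI" row, `[[File:Paper shredder news.jpg|right|350px]]`, carries no caption and no alt text, so readers of the text-only or screen-reader rendering get nothing from it and its relevance to the disposal guidance is not stated; suggest adding a caption and alt parameter in the same wikitext, for example `[[File:Paper shredder news.jpg|right|350px|thumb|alt=A paper shredder|Shredding is one accepted method of disposing of PHI on paper]]` (the caption wording is a suggestion, to be adjusted to the page's own phrasing).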

&lt;!-- diff cache key limswiki:diff::1.12:old-46304:rev-46312 --&gt;
&lt;/table&gt;</summary>
		<author><name>Shawndouglas</name></author>
	</entry>
	<entry>
		<id>https://www.limswiki.org/index.php?title=Template:HIPAA_Compliance:_An_Introduction/Additional_compliance_guidance&amp;diff=46304&amp;oldid=prev</id>
		<title>Shawndouglas: Created as needed.</title>
		<link rel="alternate" type="text/html" href="https://www.limswiki.org/index.php?title=Template:HIPAA_Compliance:_An_Introduction/Additional_compliance_guidance&amp;diff=46304&amp;oldid=prev"/>
		<updated>2022-02-10T22:45:41Z</updated>

		<summary type="html">&lt;p&gt;Created as needed.&lt;/p&gt;
&lt;p&gt;&lt;b&gt;New page&lt;/b&gt;&lt;/p&gt;&lt;div&gt;==Additional compliance guidance==&lt;br /&gt;
===Disposal of PHI===&lt;br /&gt;
In the previous section, we learned that HIPAA requires covered entities to apply appropriate administrative, technical and physical safeguards to protect the privacy of PHI in any form. This means that covered entities must implement reasonable safeguards to limit incidental and avoid prohibited uses and disclosures of PHI, including in connection with its disposal.&amp;lt;ref name=&amp;quot;HHSWhatDo&amp;quot;&amp;gt;{{cite web |url=https://www.hhs.gov/hipaa/for-professionals/faq/575/what-does-hipaa-require-of-covered-entities-when-they-dispose-information/index.html |title=What do the HIPAA Privacy and Security Rules require of covered entities when they dispose of protected health information? |author=Office for Civil Rights |publisher=U.S. Department of Health &amp;amp; Human Services |date=06 November 2015 |accessdate=10 February 2022}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
In addition, the HIPAA Security Rule requires that covered entities implement policies and procedures to&amp;lt;ref name=&amp;quot;HHSWhatDo&amp;quot; /&amp;gt;:&lt;br /&gt;
&lt;br /&gt;
* address the final disposition of electronic PHI and/or the hardware or electronic media on which it is stored; and&lt;br /&gt;
* implement procedures for removal of electronic PHI from electronic media before the media are made available for re-use, per 45 CFR 164.310(d)(2)(i) and (ii). &lt;br /&gt;
&lt;br /&gt;
Failing to implement reasonable safeguards to protect PHI in connection with disposal could result in impermissible disclosures of PHI, which exposes the risk of fines and other sanctions.&lt;br /&gt;
&lt;br /&gt;
Additionally, workforce members must receive training on and follow those disposal policies and procedures, as necessary and appropriate for each workforce member, per 45 CFR 164.306(a)(4), 164.308(a)(5), and 164.530(b) and (i). Therefore, any workforce member involved in disposing of PHI, or who supervises others who dispose of PHI, must receive training on disposal. This includes any volunteers.&amp;lt;ref name=&amp;quot;HHSWhatDo&amp;quot; /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
These requirements are not met if covered entities simply abandon PHI or dispose of it in dumpsters or other containers that are accessible by the public or other unauthorized persons. However, the Privacy and Security Rules do not require a particular disposal method. Covered entities must review their own circumstances to determine what steps are reasonable to safeguard PHI through disposal, and develop and implement policies and procedures to carry out those steps. In determining what is reasonable, covered entities should assess potential risks to patient privacy, as well as consider such issues as the form, type and amount of PHI to be disposed. For instance, the disposal of certain types of PHI such as name, social security number, driver’s license number, debit or credit card number, diagnosis, treatment information or other sensitive information may warrant more care due to the risk that inappropriate access to this information may result in identity theft, employment or other discrimination, or harm to an individual’s reputation.&amp;lt;ref name=&amp;quot;HHSWhatDo&amp;quot; /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
In general, examples of proper disposal methods may include, but are not limited to&amp;lt;ref name=&amp;quot;HHSWhatDo&amp;quot; /&amp;gt;:&lt;br /&gt;
&lt;br /&gt;
* shredding, burning, pulping or pulverizing PHI on paper records so that PHI is rendered essentially unreadable, indecipherable and otherwise cannot be reconstructed&lt;br /&gt;
* clearing (using software or hardware products to overwrite media with non-sensitive data), purging (degaussing or exposing the media to a strong magnetic field in order to disrupt the recorded magnetic domains), or destroying (disintegration, pulverization, melting, incinerating, or shredding) PHI on electronic media&lt;br /&gt;
* maintaining labeled prescription bottles and other PHI in opaque bags in a secure area and using a disposal vendor as a business associate to pick up and shred or otherwise destroy the PHI&lt;br /&gt;
&lt;br /&gt;
For more information on proper disposal of e-PHI, see the HHS [https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/physsafeguards.pdf HIPAA Security Series 3 Security Standards: Physical Safeguards]. Additionally, for practical information on how to handle sanitization of PHI throughout the information lifecycle, you can consult [https://csrc.nist.gov/publications/detail/sp/800-88/rev-1/final NIST SP 800-88 Rev. 1, Guidelines for Media Sanitization].&lt;br /&gt;
&lt;br /&gt;
Other methods of disposal also may be appropriate, depending on the circumstances. Covered entities are encouraged to consider the steps that other prudent healthcare and health information professionals are taking to protect patient privacy in connection with record disposal. Resources like [https://www.limsforum.com/ LIMSforum] provide useful information and experience exchange. In addition, if a covered entity is closing a business, it may wish to consider giving patients the opportunity to pick up their records prior to any disposition (however, keep in mind that many states may impose requirements on covered entities to retain and make available for a limited time, as appropriate, medical records after dissolution of a business).&amp;lt;ref name=&amp;quot;HHSWhatDo&amp;quot; /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
===Enforcement and penalties===&lt;br /&gt;
As discussed in the prior section, the OCR may impose a penalty on a covered entity for a failure to comply with a requirement of the Privacy or Security Rules. Penalties will vary significantly depending on factors such as the date of the violation, whether the covered entity knew or should have known of the failure to comply, or whether the covered entity’s failure to comply was due to willful neglect. Penalties may not exceed a calendar year cap for multiple violations of the same requirement.&amp;lt;ref name=&amp;quot;HHSSummaryHIPAA&amp;quot;&amp;gt;{{cite web |url=https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html |title=Summary of the HIPAA Privacy Rule |author=Office for Civil Rights |publisher=United States Department of Health and Human Services |date=26 July 2013 |accessdate=09 February 2022}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Current penalties and cap include&amp;lt;ref name=&amp;quot;HHSSummaryHIPAA&amp;quot; /&amp;gt;:&lt;br /&gt;
&lt;br /&gt;
* Penalty amount: $100 to $50,000 or more per violation&lt;br /&gt;
* Calendar year cap: $1,500,000&lt;br /&gt;
&lt;br /&gt;
A penalty will not be imposed for violations in certain circumstances, such as if&amp;lt;ref name=&amp;quot;HHSSummaryHIPAA&amp;quot; /&amp;gt;:&lt;br /&gt;
&lt;br /&gt;
# the failure to comply was not due to willful neglect, and was corrected during a 30-day period after the entity knew or should have known the failure to comply had occurred (unless the period is extended at the discretion of OCR); or&lt;br /&gt;
# the Department of Justice has imposed a criminal penalty for the failure to comply.&lt;br /&gt;
&lt;br /&gt;
Additionally, OCR has the option to reduce a penalty if the failure to comply was due to reasonable cause and the penalty would be excessive given the nature and extent of the noncompliance. Before OCR imposes a penalty, it will notify the covered entity and provide them with an opportunity to submit written evidence of those circumstances that would reduce or avoid a penalty. This evidence must be submitted to OCR within 30 days of receipt of the notice. In addition, if OCR states that it intends to impose a penalty, a covered entity has the right to request an administrative hearing to appeal the proposed penalty.&amp;lt;ref name=&amp;quot;HHSSummaryHIPAA&amp;quot; /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
====Criminal penalties====&lt;br /&gt;
A person who knowingly obtains or discloses individually identifiable health information in violation of the Privacy Rule may face a criminal penalty of up to $50,000 and up to one-year imprisonment. The criminal penalties increase to $100,000 and up to five years imprisonment if the wrongful conduct involves false pretenses, and to $250,000 and up to 10 years imprisonment if the wrongful conduct involves the intent to sell, transfer or use identifiable health information for commercial advantage, personal gain or malicious harm. The Department of Justice is responsible for criminal prosecutions under the Privacy Rule.&amp;lt;ref name=&amp;quot;HHSSummaryHIPAA&amp;quot; /&amp;gt;&amp;lt;ref name=&amp;quot;HIPAASecurity&amp;quot;&amp;gt;{{cite web |url=https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html |title=Summary of the HIPAA Security Rule |author=Office for Civil Rights |publisher=U.S. Department of Health and Human Services |date=26 July 2013 |accessdate=10 February 2022}}&amp;lt;/ref&amp;gt;&lt;/div&gt;</summary>
		<author><name>Shawndouglas</name></author>
	</entry>
</feed>