What is HIPAA's stance on shredding confidential paper?
HIPAA Weekly Advisor, April 7, 2003
Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!
Q: What is HIPAA's stance on shredding confidential paper?
A: HIPAA regulations call for security safeguards including administrative, technical, and physical measures. However, they do not tell covered entities exactly how to implement those measures, because that depends on the particular level of risk in each environment. Each organization must assess its own risk. And often we find that within one organization, the risk can vary from one area to another.
In general, we know that shredding paper containing PHI is a standard method of ensuring confidentiality today. And the use of locked bins or compactors for interim storage until papers can be disposed of safely by a contractor is considered acceptable. But there are many ways of implementing a shredding policy. The details of how that's done, along with all the other components of an information security program (such as awareness training) are the key to how effective the policy is, and whether it is good enough to demonstrate due diligence.
Let's take the example of a doctor's office with two physicians and three support staff. The workforce of five people has discussed and understands the risk of throwing away any unshredded papers containing PHI, even phone message slips. They have installed desk-side office shredders in every room, and the shredders are used constantly. In this environment, these measures would be considered appropriate and adequate.
In a larger facility-a clinic or hospital, for example-the risks are typically greater. There is less control over the PHI, the workforce, and the public who enter. This leads to greater exposure.
This facility may choose to use a combination of shredders and locked bins. The larger and more costly bins can be placed in out-of-the-way areas, whereas office shredders can be in tighter spaces, such as under desks and at nursing stations. In any case, for workforce compliance, it's important that a shredder or bin be readily accessible everywhere.
So the answer to the question is "maybe." Locked containers and a strong contract are good steps, but they're only part of the confidential paper disposal solution.
Editor's note: Answered by Kate Borten, CISSP, president of The Marblehead Group, in Marblehead, MA, and excerpted from the April 2003 issue of Briefings on HIPAA. This is not legal advice. Be sure to consult with your facility's legal counsel for legal matters.
Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!
Related Products
Most Popular
- Articles
-
- Q/A: Volume requirement for reporting hydration services
- Featured blog post: Nurses face felony charges after reporting physician to the Texas Medical Board
- Catch up on what's new with injections and infusions
- Topic: CMS, OESS post new security compliance review information, checklist
- Capturing all necessary codes for IUD insertion and removal can be challenging
- What does case-mix index mean to you?
- HIPAA Q&A: Level of encryption needed for email
- QA:Coding multiple initial infusions
- News and briefs: Oklahoma Osteopathic Association against residency bill change
- OB services: Coding inside and outside of the package
- E-mailed
-
- Q/A: Volume requirement for reporting hydration services
- Featured blog post: Nurses face felony charges after reporting physician to the Texas Medical Board
- HIPAA Q&A: Level of encryption needed for email
- CMS has reformulated payments for some bilateral procedures
- Catch up on what's new with injections and infusions
- New conflicts of interest create new challenges
- Q/A. One injection code or two?
- What does case-mix index mean to you?
- Hospitals are not bound by InterQual criteria for determining patient status
- ED-to-inpatient transfers are flawed with safety gaps
- Searched