A tip on how to best destroy IV labels

Accreditation Connection, March 29, 2004

If your hospital is struggling to develop a way to properly dispose of intravenous (IV) bag labels, check out the ideas below from your colleagues.

Staff cannot throw IV bag labels into the trash when the bags are empty because that would violate the privacy rules, according to the Health Insurance Portability and Accountability Act of 1996 (HIPAA). These labels contain protected health information (PHI), such as patient names and other identifiers.

Black out the information

Nurses at St. Michael's Hospital in Stevens Point, WI, carry black permanent markers with them when they remove an IV bag from a patient's room, says pharmacy director Todd Faulks, RPh. Using the black marker, nurses cross out the patient's name and any other identifying information, such as an account number or medication type. Each nurse must make sure the information becomes illegible. Then, a nurse places the IV bag into a red biohazard bag, which is sent to an incinerator, Faulks says.

This practice is acceptable under the privacy rule, says Tracy Field, Esq., head of the HIPAA team at Arnall Golden Gregory, a law firm in Atlanta.

"You don't need to buy a shredding machine," Field says. "HIPAA just says to 'take reasonable measures,' but be sure that you adequately erase [identifying information]."

Your problem too?

Staff at St. Michael's sometimes forget to cover up patient information with the markers, Faulks says.

That's why nursing supervisors and charge nurses must now remind all staff to destroy patient identifiers, he says. During the hospital's original HIPAA training, nurses received education on how to conceal PHI.

"You get the people who were trained last that remember to do it," Faulks says. "As the shifts go on, they get into the habit. It's about a month-long phase-in."

Supervisors also remind staff during annual HIPAA refresher training to conceal PHI with black markers, Faulks says.

Self-shredding products

Faulks says pharmacists should consider new products such as self-shredding labels and present them to their hospital pharmacy and nursing committees.

For instance, Howell, MI-based Tri-State Hospital Supply Corp.'s Centurion Label Systems created a self-shredding label after some hospitals began asking for the company's help with disposing IV bag labels, says Zane Myers, a company sales representative for the Pacific Northwest region. Centurion initially began selling "blackout labels" that nurses could affix to the IV bag labels. These labels covered any patient information, he says.

But, like the permanent-marker solution, staff must carry stickers and remember to put them on before throwing the original labels in the trash, Myers says. To correct this problem, the company created a self-shredding label that obliterates patient information when torn off the bag.

Some hospital pharmacies have sent Centurion a sample of the label they use, noting the exact location where they print PHI. Centurion custom-designed self-shredding tags for these pharmacies.

When the pharmacy prints a label, the patient information appears across a perforated area. Once the bag is empty, a nurse peels the label off the bag, shredding the PHI, Myers says. The nurse can then throw the label in the trash.

Monitor compliance

Whatever system you use, conduct an ongoing audit to make sure staff comply with HIPAA's privacy rule, says Kate Borten, CISSP, president of The Marblehead Group, a consulting firm based in Marblehead, MA.

"There are too many hospitals that have written policies and that's it," Borten says. "That's not enough to be HIPAA-compliant, and that's not going to be good for security."

Be a HIPAA detective

Develop a checklist, Borten says. Adapt the following to your needs:

1. Search for violations. On a periodic basis (i.e., monthly), have your hospital's security officer and other managers check to see whether papers with PHI are out in the open, and whether identifying information is just thrown in the trash instead of being shredded or obliterated.

2. Document results of these periodic monthly audits.

3. Follow up any HIPAA violations with education and disciplinary action, if necessary, according to your hospital's policy.

Most Popular