Confidata Guide to HIPAA and PHI


How to protect patient PHI and properly dispose of medical records

The Health Insurance Portability and Accountability Act (HIPAA) includes privacy and security rules designed to protect the Personally Identifiable Information (PII) of patients, often referred to in medical contexts as Protected Health Information (PHI). These rules require that medical professionals establish protocols for protecting and properly disposing of all patient records, especially those containing personally identifiable information.

Though it may be tempting to just say “shred everything” and leave it at that, understanding what PII and PHI are, and how your practice and your patients may be vulnerable to information misappropriation, is crucial. The internet makes sharing – and misusing – personal data easier than ever. Yes, even data that originated on paper.

What is Personally Identifiable Information?

Personally identifiable information is any data point that, separately or in combination with others, can lead to the identification or location of an individual. This means that two completely separate records could potentially be combined through linked information to form a complete individual profile. For example, if one medical record includes only basic information such as name and date of birth, it may not seem to pose a security threat. But if you combine this record with an emergency contact form that lists the patient’s name and mother’s maiden name, the two records together could lead to the eventual discovery of more information about the individual.

For medical offices, the protection of PHI and HIPAA compliance is an essential part of daily operations. The best way to secure your patients’ privacy and identities is to make protecting PII and PHI part of the everyday routine.


5 Healthy HIPAA Compliance Habits for Protecting PHI

1. Identify everywhere you collect PII and PHI. Some obvious points of collection are intake forms, medical notes and records, records transferred from other offices or to referrals, insurance information, and even invoice and payment data. Biometric data such as X-Rays and MRIs also contain important personally identifying information and must be disposed of properly when you no longer need to retain the records.

2. Identify how the data is used, by whom, and for what purpose. You may discover that you are holding on to duplicates or information that you simply don’t need. Train your staff on what information they need to keep and what they can securely discard.

3. Shred any unnecessary or out-of-date records (physically or electronically). The only way to guarantee that PHI won’t be pieced together once your office disposes of the records is to shred them – securely and professionally. If you have paper records, this means contracting a professional, confidential shredding service. Many such services are available, including mobile shredding (performed on-site at your office) and container services (you fill a locked container that sits in your office and is periodically collected for secure shredding off-site). If you have electronic patient records, you still need a shredding service – but an electronic one. Simply deleting the files and emptying the trash will not necessarily make the data from those files unrecoverable.

4. Devise a plan to protect your patients’ PHI. Whether you are using electronic or physical storage, decide how you can best protect your patients’ PHI in your office and when transferring records to the patient or authorized third parties. (Pssst. Make sure your electronic records and emails are encrypted!)

5. Conduct regular trainings and reviews of your process. Office technology, industry standards, and government regulations will change over time. Make sure your plan to protect patient information and records evolves with both your technology and the technology of those who might misuse unprotected PHI.