Officially titled the “Standards for Privacy of Individually Identifiable Health Information,” the HIPAA Privacy Rule establishes “national standards to protect individuals’ medical records and other personal health information. This rule requires organizations to implement safeguards to protect patient data.”
“The HIPAA Privacy Rule requires that covered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information (PHI), in any form. See 45 CFR 164.530(c). This means that covered entities must implement reasonable safeguards to limit incidental, and avoid prohibited, uses and disclosures of PHI, including in connection with the disposal of such information. In addition, the HIPAA Security Rule requires that covered entities implement policies and procedures for removal of electronic PHI from electronic media before the media are made available for re-use. See 45 CFR 164.310(d)(2)(i) and (ii). Failing to implement reasonable safeguards to protect PHI in connection with disposal could result in impermissible disclosures of PHI.”
“In general, examples of proper disposal methods include, but are not limited to:
For more information on proper disposal of PHI, see the HHS HIPAA Security Series 3: Security Standards – Physical Safeguards (PDF). In addition, for practical information on how to handle sanitization of PHI throughout the information life cycle, readers may consult NIST SP 800-88, Guidelines for Media Sanitization (PDF).”
On whether a covered entity may dispose of PHI in a dumpster accessible by the public, HHS answers: “No, unless the protected health information (PHI) has been rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed prior to being placed in the dumpster.” See 45 CFR 164.530(c) and 45 CFR 164.310(d)(2)(i).
On whether a covered entity may hire a business associate to dispose of PHI on its behalf, HHS answers: “Yes, a covered entity may, but is not required to, hire a business associate to appropriately dispose of protected health information (PHI) on its behalf. In doing so, the covered entity must enter into a contract or other agreement with the business associate that requires the business associate, among other things, to appropriately safeguard the PHI through disposal. See 45 CFR 164.308(b), 164.314(a), 164.502(e), and 164.504(e).”
On whether a covered entity may reuse or dispose of computers or other electronic media that store ePHI, HHS answers: “Yes, but only if certain steps have been taken to remove the electronic protected health information (ePHI) stored on the computers or other media before disposal or reuse, or if the media itself is destroyed before its disposal. The HIPAA Security Rule requires that covered entities implement policies and procedures to address the final disposition of ePHI and/or the hardware or electronic media on which it is stored, as well as to implement procedures for removal of ePHI from electronic media before the media are made available for reuse. See 45 CFR 164.310(d)(2)(i) and (ii).”