What is the HIPAA Privacy Rule? 

Officially titled the Standards for Privacy of Individually Identifiable Health Information, the HIPAA Privacy Rule establishes “national standards to protect individuals’ medical records and other personal health information. This rule requires organizations to implement safeguards to protect patient data.”

HIPAA Privacy and Security Rules and the Requirement for Covered Entities to Dispose of PHI 

“The HIPAA Privacy Rule requires that covered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information (PHI), in any form. See 45 CFR 164.530(c). This means that covered entities must implement reasonable safeguards to limit incidental, and avoid prohibited, uses and disclosure of PHI, including in connection with the disposal of such information. In addition, the HIPAA Security Rule requires that covered entities implement policies and procedures for removal of electronic PHI from electronic media before the media are available for re-use. See 45 CFR 164.310(d)(2)(i) and (ii). Failing to implement reasonable safeguards to protect PHI in connection with disposal could result in impermissible disclosures of PHI.”

“In general, examples of proper disposal methods include, but are not limited to: 

  • For PHI in paper records, shredding, burning, pulping, or pulverizing the records so that PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed. 
  • Maintaining labeled prescription bottles and other PHI in opaque bags in a secure area and using a disposal vendor as a business associate to pick up and shred or otherwise destroy the PHI. 
  • For PHI on electronic media, clearing (using software or hardware products to overwrite media with non-sensitive data), purging (degaussing or exposing the media to a strong magnetic field in order to disrupt the recorded magnetic domains), or destroying the media (disintegration, pulverization, melting, incinerating, or shredding).”

For more information on proper disposal of PHI, see the HHS HIPAA Security Series 3: Security Standards – Physical Safeguards (PDF). In addition, for practical information on how to handle sanitization of PHI throughout the information life cycle, readers may consult NIST SP 800-88, Guidelines for Media Sanitization (PDF), which defines the Clear, Purge, and Destroy categories the HHS examples above correspond to.

May a covered entity dispose of protected health information in dumpsters accessible to the public? 

“No, unless the protected health information (PHI) has been rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed prior to being placed in the dumpster.” See 45 CFR 164.530(c) and 45 CFR 164.310(d)(2)(i)

May a covered entity hire a business associate to dispose of protected health information? 

“Yes, a covered entity may, but is not required to, hire a business associate to appropriately dispose of protected health information (PHI) on its behalf. In doing so, the covered entity must enter into a contract or other agreement with the business associate that requires the business associate, among other things, to appropriately safeguard the PHI through disposal. See 45 CFR 164.308(b), 164.314(a), 164.502(e), and 164.504(e).”

May a covered entity reuse or dispose of computers or other electronic media that store electronic protected health information?

“Yes, but only if certain steps have been taken to remove the electronic protected health information (ePHI) stored on the computers or other media before disposal or reuse, or if the media itself is destroyed before its disposal. The HIPAA Security Rule requires that covered entities implement policies and procedures to address the final disposition of ePHI and/or the hardware or electronic media on which it is stored, as well as to implement procedures for removal of ePHI from electronic media before the media are made available for reuse. See 45 CFR 164.310(d)(2)(i) and (ii).”
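The "clearing" method in the HHS disposal list above and the "removal of ePHI from electronic media before the media are made available for reuse" requirement in this answer both come down to the same operational step: overwrite every sector of the medium, then read it back to confirm nothing is left. The script below is an added example written for this page; it is not code from Clarabyte or HHS. It implements a NIST SP 800-88 style Clear (overwrite) with a separate verification read, and the function names (`sanitize_clear`, `verify_clear`, `phi_present`, `make_sample_media`), the 512-byte sector size, and the fake patient record are all assumptions made for the example. Two caveats a practitioner should carry along: overwriting is only an acceptable Clear for magnetic disks, because flash/SSD wear-levelling and over-provisioning leave blocks that `dd` never touches (those devices need the firmware's own sanitize command, i.e. a Purge), and deleting files or reformatting is not clearing at all, since the underlying blocks are left intact.

```shell
#!/bin/sh
# Added example (not Clarabyte's or HHS's code): NIST SP 800-88 "Clear" of a
# sector-addressed medium by overwriting, followed by a separate verification
# read. TARGET is a block device such as /dev/sdX or, for a dry run, a regular
# file standing in for one. Overwriting is only a valid Clear for magnetic
# disks; flash/SSD media need the device's own sanitize command (Purge), e.g.
# `nvme sanitize` or an ATA Security Erase, because wear-levelling leaves
# blocks that dd cannot reach.

SECTOR=512   # assumed logical sector size for this example

# Size of the medium in bytes. blockdev (util-linux) answers without reading
# the whole device; a regular file stand-in is simply measured.
media_size() {
    if [ -b "$1" ]; then blockdev --getsize64 "$1"; else wc -c < "$1"; fi
}

# Overwrite every sector in place: one pass of random data, then one pass of
# zeros so the result can be verified cheaply. conv=notrunc keeps a regular
# file's inode so the same blocks are rewritten rather than a new file created.
sanitize_clear() {
    target=$1
    size=$(media_size "$target")
    sectors=$((size / SECTOR))
    [ "$sectors" -gt 0 ] || return 1
    for src in /dev/urandom /dev/zero; do
        dd if="$src" of="$target" bs="$SECTOR" count="$sectors" conv=notrunc 2>/dev/null || return 1
    done
    sync
}

# Verification is a separate read of the whole medium: it passes only if no
# byte other than 0x00 remains after the final zero pass.
verify_clear() {
    [ "$(tr -d '\000' < "$1" | wc -c)" -eq 0 ]
}

# Does a known marker string (e.g. an MRN from the last record written) still
# appear anywhere on the medium? Exit status 0 means it was found.
phi_present() {
    grep -q -a -- "$2" "$1"
}

# Constructed sample medium: 16 zero sectors with a fake PHI record written
# in the middle. The name and MRN are made up for this example.
make_sample_media() {
    dd if=/dev/zero of="$1" bs="$SECTOR" count=16 2>/dev/null
    printf 'Patient: Jane Example MRN-0000001 Dx: asthma\n' \
        | dd of="$1" bs=1 seek=1024 conv=notrunc 2>/dev/null
}

if [ $# -eq 0 ]; then
    # Self-demo on a temporary file standing in for a disk.
    tmp=$(mktemp) || exit 1
    make_sample_media "$tmp"
    phi_present "$tmp" "MRN-0000001" && echo "before: PHI readable from medium"
    sanitize_clear "$tmp" || exit 1
    if phi_present "$tmp" "MRN-0000001"; then
        echo "after: PHI still readable"
    else
        echo "after: PHI no longer readable"
    fi
    verify_clear "$tmp" && echo "verify: medium reads back all-zero"
    rm -f "$tmp"
else
    # Real use: ./clear.sh /dev/sdX (run as root, on a magnetic disk only).
    sanitize_clear "$1" && verify_clear "$1" && echo "$1: cleared and verified"
fi
```

Run it with no arguments for the self-demo, or with a device path to clear a real disk. Keep the verification evidence (the command run, the device serial, and the verify result) with the disposal record: 45 CFR 164.310(d)(2)(iii) also requires maintaining a record of the movements of hardware and electronic media, and a logged verification is what demonstrates the sanitization actually happened.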

Download this PDF to learn more about HIPAA and how Clarabyte protects electronic protected health information.