Employers sponsoring group health plans must be concerned not only with how the plan maintains protected health information (PHI), but also with how PHI is disposed of. The HIPAA privacy rules require covered entities to apply appropriate administrative, technical and physical safeguards to protect the privacy of PHI in any form. Protecting PHI in any form includes protecting it in connection with its disposal.
While the HIPAA rules do not prescribe a required disposal method, covered entities cannot dispose of information in a manner that allows access by the public or unauthorized individuals. In developing disposal procedures, covered entities should consider what is reasonable in light of the form, type and amount of PHI to be disposed of.
According to the U.S. Department of Health and Human Services, proper disposal methods may include:
Other methods may be appropriate in certain circumstances. Covered entities should consider disposal practices when creating policies to protect PHI. The Department of Health and Human Services offers suggestions on the disposal of information.