Medical Record Disposal: Handle With Care to Avoid HIPAA Violations

Multiple news outlets recently reported on a case involving the dumping of patient dental records in a church dumpster in Indiana.  The records originated from a dentist who had lost his dental license due to fraudulent billing.

The Indiana Attorney General’s office brought a case against the dentist for violation of HIPAA and state laws.  The dentist agreed to a consent judgment requiring payment of a $12,000 fine.

According to the information on the Indiana Attorney General’s website, the dentist had actually hired an outside company to dispose of these records.  The company then apparently discarded the medical records in the church recycle bin.

To comply with the HIPAA Privacy Rule, records containing protected health information (PHI) must be disposed of in a manner that makes them unreadable, e.g., shredding.  If a covered entity is relying on an outside entity to perform this service, the covered entity should enter into a business associate agreement if the disposal company is going to take custody of the records for any period of time.  The covered entity should also consider requesting a certificate of destruction from the company entrusted with the disposal.

Prior to disposing of medical records, providers should also ensure that state medical record retention laws allow such disposal.
