According to a release from the OCR, it has settled a case resulting in a $300,640 fine for improper disposal of PHI. The investigation found that the covered entity had disposed of boxes full of patient records in a parking lot garbage bin. This investigation highlights the importance of safeguarding PHI throughout its lifecycle, from the moment it is introduced to the moment it is disposed of.

While we often work with Security Officers on the protection of PHI, the Privacy Officer is also responsible for maintaining the privacy of patients’ health information by ensuring it is securely disposed of when it is no longer needed. An organization’s policies should outline how PHI is protected while awaiting disposal: it should be locked in a bin or in a room to which only the necessary people have access. This sanitization process covers all confidential data and PHI on any medium, including paper media, removable media, business mobile computing devices, and other information assets, prior to disposal, release out of organizational control, or release for reuse.

The Privacy and Security Officers will have to determine whether media, devices, or assets must be:

  • Retained prior to disposal.
  • Released out of organizational control.
  • Released for reuse.
  • Securely destroyed or sanitized.

A log or tracking system must be maintained by all departments for all sanitization and destruction activities. This could be the destruction of hard drives, the shredding of paper PHI, or the sanitization of a mobile device for reuse.

Business Associates should also follow the steps for the secure disposal of PHI and should supply a certificate of sanitization or destruction of all media and assets.

For FAQs about the disposal of PHI, see this link from OCR: LINK