HIPAA Compliant Shredding? HIPAA & HITECH Act Blog by Jonathan P. Tomes

JonTomes

A long-time client for whom I have performed HIPAA consulting services recently asked me whether HIPAA had any rules for HIPAA compliant shredding. Short answer: yes, in general, but no, not specifically. In fact, HIPAA does not even mention shredding. It simply requires, in the Security Rule in 45 C.F.R. §§ 164.310(d)(2)(i) and (ii), that covered entities implement policies and procedures to address the final disposition of electronic protected health information (“EPHI”) and/or the hardware or electronic media on which it is stored, as well as implement procedures for removal of EPHI from electronic media before the media are made available for re-use without specifying how to do so. The HIPAA Privacy Rule requires that covered entities (and now business associates) apply appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information (“PHI”), in any form, obviously including paper records. 45 C.F.R. § 164.530(c). Thus, covered entities must implement reasonable safeguards to prevent improper uses or disclosures of PHI in connection with the disposal of such information. See HHS.gov, Office for Civil Rights, Health Information Privacy, Frequently Asked Questions, “What do the HIPAA Privacy and Security Rules require of covered entities when they dispose of protected health information?” That guidance adds that, in general, examples of proper disposal methods for PHI in paper records may include, but are not limited to, shredding, burning, pulping, or pulverizing the records so that PHI is made essentially unreadable and indecipherable and otherwise cannot be reconstructed.

Although HIPAA is not a “best practices” rule, but rather a “reasonable and appropriate” rule, you may wish to refer to the National Institute of Standards and Technology (“NIST”) Special Publication 800-88, “Guidelines for Media Sanitization: Recommendations of the National Institute of Standards and Technology,” issued September 2006, which states: “Destroy paper using cross cut shredders, which produce particles that are 1 x 5 millimeters in size (reference devices on the NSA paper Shredder EPL), or pulverize/disintegrate paper materials using disintegrator devices equipped with 3/32-inch security screen (reference NSA Disintegrator EPL).”

This guidance would certainly be HIPAA compliant and more, but if your paper records are not particularly sensitive, a lesser shredder may be compliant. Simply evaluate in your risk analysis how well a shredder makes the records unreadable, indecipherable, and unable to be reconstructed.
