Common misconceptions about HIPAA and data destruction
October 11, 2012
In my blog next Tuesday, I will continue my pricing thread about why secure destruction professionals aren’t willing to do what’s necessary to get out of the commodity rat race. But, today, I am going to mix it up by shedding light on a few Health Insurance Portability and Accountability Act (HIPAA) misconceptions in our industry. Probably the most common HIPAA misconception is that it requires the destruction of protected health information (PHI). It doesn’t. Nowhere in any of the five HIPAA rules does it say a word about data destruction, particle size, or anything about how or where PHI has to be destroyed.
What it says is that covered entities are required to prevent unauthorized access to PHI. That’s it. But even with such a vague directive, it was enough to get health care organizations to outsource their data destruction. Before that, they were simply throwing the records away or selling the paper to a recycler.
The U.S. Department of Health and Human Services (HHS) gave some direction that they expected data to be destroyed when discarded. Their expectation regarding destruction came when they were asked for an example of what was meant by “physical safeguards to prevent unauthorized access.” The example they provided, completely separate from the law itself, was “for instance, the destruction of discarded PHI.”
Still, destruction was not specifically required by the law. In fact, a few years ago, a consultant in the Midwest caused some trouble when he convinced health care organizations they did not have to shred at all. He took the position that recycling was enough because, if done with some control, it still prevented unauthorized access to PHI. He convinced hundreds of organizations they could save a lot of money using this loophole. Eventually, that trend died, although there are still some health care organizations relying on recycling instead of destruction for security.
Now, you might think the Health Information Technology for Economic and Clinical Health (HITECH) amendment to HIPAA added a destruction requirement. It did not. HITECH did, however, add the Health Data Breach Notification provisions, stating that if there was a security breach, the authorities, media, and patients must be notified. Further, it stated that improperly discarded paper and electronic equipment containing PHI would be considered a security breach. HHS later issued guidance that said encrypted or wiped hard drives and paper that was made practicably unreadable would not be considered a security breach when discarded.
In reality, there is no reason for concern over this technicality. Even though data destruction is not specifically required in writing by HIPAA, it is a requirement. Like every other data protection law on the books, HIPAA is based on the reasonableness principle. No one could ever say it was “reasonable” to discard information without destruction and still meet the requirement to prevent unauthorized access to PHI.
It is still important that destruction professionals know the distinction and talk about it correctly in the marketplace. To say HIPAA requires data destruction is not accurate. It is better to say HIPAA requires the prevention of unauthorized access to PHI, which, in turn, necessitates destruction.
It remains to be seen whether clearer requirements for destruction will emerge in the long overdue HITECH Final Rule. You can bet you’ll hear from NAID as soon as it’s published.