URL: https://www.hhs.gov/hipaa/for-professionals/faq/575/what-does-hipaa-require-of-covered-entities-when-they-dispose-in...
WHAT DO THE HIPAA PRIVACY AND SECURITY RULES REQUIRE OF COVERED ENTITIES WHEN
THEY DISPOSE OF PROTECTED HEALTH INFORMATION?

The HIPAA Privacy Rule requires that covered entities apply appropriate
administrative, technical, and physical safeguards to protect the privacy of
protected health information (PHI), in any form. See 45 CFR 164.530(c). This
means that covered entities must implement reasonable safeguards to limit
incidental, and avoid prohibited, uses and disclosures of PHI, including in
connection with the disposal of such information. In addition, the HIPAA
Security Rule requires that covered entities implement policies and procedures
to address the final disposition of electronic PHI and/or the hardware or
electronic media on which it is stored, as well as to implement procedures for
removal of electronic PHI from electronic media before the media are made
available for re-use. See 45 CFR 164.310(d)(2)(i) and (ii). Failing to implement
reasonable safeguards to protect PHI in connection with disposal could result in
impermissible disclosures of PHI.

Further, covered entities must ensure that their workforce members receive
training on and follow the disposal policies and procedures of the covered
entity, as necessary and appropriate for each workforce member. See 45 CFR
164.306(a)(4), 164.308(a)(5), and 164.530(b) and (i). Therefore, any workforce
member involved in disposing of PHI, or who supervises others who dispose of
PHI, must receive training on disposal. This includes any volunteers. See 45 CFR
160.103 (definition of “workforce”).

Thus, covered entities are not permitted to simply abandon PHI or dispose of it
in dumpsters or other containers that are accessible by the public or other
unauthorized persons. However, the Privacy and Security Rules do not require a
particular disposal method. Covered entities must review their own circumstances
to determine what steps are reasonable to safeguard PHI through disposal, and
develop and implement policies and procedures to carry out those steps. In
determining what is reasonable, covered entities should assess potential risks
to patient privacy, as well as consider such issues as the form, type, and
amount of PHI to be disposed. For instance, the disposal of certain types of PHI
such as name, social security number, driver’s license number, debit or credit
card number, diagnosis, treatment information, or other sensitive information
may warrant more care due to the risk that inappropriate access to this
information may result in identity theft, employment or other discrimination, or
harm to an individual’s reputation.

In general, examples of proper disposal methods may include, but are not limited
to:

 * For PHI in paper records, shredding, burning, pulping, or pulverizing the
   records so that PHI is rendered essentially unreadable, indecipherable, and
   otherwise cannot be reconstructed.
 * Maintaining labeled prescription bottles and other PHI in opaque bags in a
   secure area and using a disposal vendor as a business associate to pick up
   and shred or otherwise destroy the PHI.
 * For PHI on electronic media, clearing (using software or hardware products to
   overwrite media with non-sensitive data), purging (degaussing or exposing the
   media to a strong magnetic field in order to disrupt the recorded magnetic
   domains), or destroying the media (disintegration, pulverization, melting,
   incinerating, or shredding).

For more information on proper disposal of electronic PHI, see the HHS HIPAA
Security Series 3: Security Standards – Physical Safeguards (PDF). In addition,
for practical information on how to handle sanitization of PHI throughout the
information life cycle, readers may consult NIST SP 800-88, Guidelines for
Media Sanitization (PDF).

Other methods of disposal also may be appropriate, depending on the
circumstances. Covered entities are encouraged to consider the steps that other
prudent health care and health information professionals are taking to protect
patient privacy in connection with record disposal. In addition, if a covered
entity is winding up a business, the covered entity may wish to consider giving
patients the opportunity to pick up their records prior to any disposition by
the covered entity (and note that many states may impose requirements on covered
entities to retain and make available for a limited time, as appropriate,
medical records after dissolution of a business).

Created 02/18/09
Content created by Office for Civil Rights (OCR)
Content last reviewed November 6, 2015
