Journal of Healthcare Risk Management: Richard Sheinis on Proper Disposal of Protected Health Information (PHI)
The Office of Civil Rights recently announced a settlement with a Massachusetts dermatology clinic regarding the improper disposal of protected health information (PHI) after staff at the clinic placed empty specimen containers with PHI labels in a garbage bin in their parking lot. Richard Sheinis, partner and head of the Data Privacy & Cyber Security Practice at Hall Booth Smith, discussed proper disposal of protected health information with the Journal of Healthcare Risk Management.
He mentioned that most covered entities use locked shred bins to dispose of tangible material containing PHI. While Sheinis said normally that is paper, the Massachusetts case shows facilities must also properly dispose of non-paper items, like labeled test tubes, in a secure way.
“Paper is fairly easy, but what I’ve seen medical providers get in trouble with is what happens between the creating of paper PHI and when it gets to the shred bin,” he said. Clerical staff in an office create and handle a lot of paper with insurance information and other PHI, and they may follow the policy of using the locked shred bin when they’re done with it. But in the meantime, they might leave those documents lying around on desks and counters, unprotected and visible to people.
“I’ve been involved in cases where covered entities had records that went back 20 or 30 years,” he said. “They never got rid of it, and when they had a security breach, instead of dealing with records from just the past five years we’re dealing with thousands more records going back for decades.”
Subscribers can read the full article on the Journal of Risk Management site.