HIPAA Privacy and Security Rules on Document Destruction for PHI Disposal

Under the HIPAA Privacy and Security Rules, covered entities are obliged to use proper methods of disposing of protected health information (PHI) in any form. Appropriate disposal measures are required to prevent and limit unauthorized use of and access to the information. Furthermore, covered entities handling electronic PHI are required to implement policies and procedures for the removal, termination and final disposal of PHI in electronic format, including the storage media housing the information.


Workforce members, including supervisors and volunteers, commissioned by the covered entities to dispose of PHI should receive proper training on disposal, and must follow the required procedures and guidelines implemented by the covered entities on the proper disposal of the information. Covered entities must also ensure that these procedures and guidelines are followed at all times during the process.

Although the HIPAA law does not supply a standard method of disposing of PHI, covered entities are prohibited from discarding old PHI in open places, or abandoning it in containers accessible to the public or to any unauthorized individual.

Covered entities may evaluate their own measures for document destruction, and revise these procedures if necessary, to maintain the privacy of their patients’ information all the way through final disposal. An assessment of the weight of the information to be disposed of should also be conducted to determine whether the actions undertaken are sufficient for the purpose. Sensitive information such as name, SSN, and driver’s license number, among others, may be handled with extra prudence and security, considering the degree of risk involved once the information is exposed.

Covered entities may engage other businesses, such as paper shredding and document shredding services, to perform the disposal on their behalf. However, the covered entity and the business partner must enter into an agreement demonstrating the proper handling and disposal of the information. The terms of the contract may indicate the protocols to be followed while transporting the PHI from the premises of the covered entity to its final destination.

Appropriate methods of disposal may include, but are not limited to, the following:

PHI on paper can be shredded, pulverized or burned so as to make whatever information is present on the sheet unusable.

PHI and labeled prescription bottles administered to patients can be handed over to business partners authorized to destroy and dispose of the items.

For PHI in electronic format, the contents of the media can be shredded or overwritten using software applications or hardware components designed to destroy information. Storage devices used to contain PHI may also be destroyed.

Covered entities may be required to perform other methods of disposal depending on the demands of the information that needs to be eradicated. Additionally, covered entities are strongly encouraged to apply the procedures followed by other medical institutions and practitioners concerning the disposal of PHI. It should also be noted that covered entities may allow their patients to collect their PHI from the premises, considering that some states require specified durations before information is eligible for disposal.