Are you HIPAA compliant?

That is the question plaguing many health care organizations across the country. At the federal level, information destruction requirements in the health care field are part of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Although the centerpiece of the act focused on uses and disclosures of health information, parts of the legislation also establish national standards for the privacy, security and electronic transmission of health information. Insurance companies, hospitals, and physician practices are obligated to protect individually identifiable health information, which has been interpreted to mean any records that include a patient’s name, address or Social Security number. The privacy protection portion of HIPAA took effect on April 14, 2003, yet many organizations still struggle to address its requirements. Now health care organizations are facing another challenge on the horizon: compliance with the April 21, 2005 HIPAA security requirements.

While HIPAA doesn’t dictate how to dispose of the information, it reinforces the mandate that covered entities deploy safeguards to prevent improper disclosures of protected health information (PHI). “Examples of appropriate safeguards include requiring that documents containing PHI be shredded prior to disposal,” the preamble to the privacy regulation states (65 FR 82562).