Doctors and hospitals are among the organizations specifically regulated by the Health Insurance Portability and Accountability Act, commonly known as HIPAA. The Act protects the privacy of protected health information (PHI). Because your files and records contain the medical records of your clients, you must comply with the HIPAA provisions governing the safeguarding of those records and their disposal, which we carry out by shredding.
There are two issues you should address: performing due diligence when choosing a reliable vendor for the disposal of PHI by shredding, and giving that vendor written permission to remove PHI for the sole purpose of disposal by shredding (referred to as a "Business Associate Agreement"). A-1 would be in violation of certain provisions of HIPAA if we did not receive written permission from the generator of the PHI to possess that information for the sole purpose of disposal by shredding.