What does HIPAA REALLY say about paper shredding

What does HIPAA REALLY say about paper shredding
What does HIPAA REALLY say about
paper shredding?
It doesn’t require covered entities to shred. Really, it doesn’t. It does, however, require
covered entities to protect PHI and specifically uses shredding as one of several examples
of appropriate safeguards for PHI. Here is the pertinent text:
We do not prescribe the particular measures that covered entities must take to meet
this standard, because the nature of the required policies and procedures will vary
with the size of the covered entity and the type of activities that the covered entity
undertakes. (That is, as with other provisions of this rule, this requirement is
"scalable.") Examples of appropriate safeguards include requiring that documents
containing protected health information be shredded prior to disposal, and requiring
that doors to medical records departments (or to file cabinets housing such records)
remain locked and limiting which personnel are authorized to have the key or passcode. We intend this to be a common sense, scalable, standard.
This is the only place paper shredding is mentioned in the text of the law.
HIPAA also establishes penalties for willful or accidental release of PHI:
"SEC. 1177. (a) OFFENSE.--A person who knowingly and in violation of this part-„ (1) uses or causes to be used a unique health identifier;
„ (2) obtains individually identifiable health information relating to an individual; or
„ (3) discloses individually identifiable health information to another person,
shall be punished as provided in subsection (b).
(b) PENALTIES.--A person described in subsection (a) shall-„ (1) be fined not more than $50,000, imprisoned not more than 1 year, or both;
„ (2) if the offense is committed under false pretenses, be fined not more than $100,000,
imprisoned not more than 5 years, or both; and
„ (3) if the offense is committed with intent to sell, transfer, or use individually identifiable
health information for commercial advantage, personal gain, or malicious harm, be fined
not more than $250,000, imprisoned not more than 10 years, or both.”
ShredFirst offers summaries of HIPAA, the Graham-Leach-Bliley Act, the Privacy Act of
1974, California vs. Greenwood, FACTA, California Civil Code Section 1798.801798.84 and other legislation that affects business. For more information, visit our web
site at www.shredfirst.biz or call us at 510-433-0200.
Was this manual useful for you? yes no
Thank you for your participation!

* Your assessment is very important for improving the work of artificial intelligence, which forms the content of this project

Download PDF