The Real Talk article series includes real customer questions and our answers. Since these are questions directly from actual clinics, practices, hospitals, and businesses, we thought you might have these questions too. We hope that you find this format helpful. Stay tuned for more Real Talk - your question might even be featured!
Question: What is a cost-effective and HIPAA-compliant alternative to using a shredding service for documents? We are wondering the following:
- Is it HIPAA compliant to purchase and use our own shredders?
- If so, are we able to throw the shredded materials in the normal trash/recycle bin at that time or is there a different process that needs to be followed for these items?
- What makes a shredding service "HIPAA compliant"?
Answer: Short answer: Yes, you can do your own shredding. You'll need to use a cross-cut shredder, and there are some other considerations explained in more detail below.
- Yes, as long as reasonable safeguards are implemented to limit incidental uses and disclosures and avoid prohibited uses and disclosures of the Protected Health Information (PHI) during the disposal process. This includes training workforce members involved in disposing of PHI, or who supervise those involved in disposing of PHI, on the disposal policies/procedures and ensuring those policies/procedures are followed. See 45 CFR 164.306(a)(4), 164.308(a)(5), and 164.530(b) and (i). Covered entities must review their own circumstances to determine what steps are reasonable to safeguard PHI through disposal, and develop and implement policies and procedures to carry out those steps. In determining what is reasonable, covered entities should assess potential risks to patient privacy, as well as consider such issues as the form, type, and amount of PHI to be disposed. For instance, the disposal of certain types of PHI such as name, social security number, driver’s license number, debit or credit card number, diagnosis, treatment information, or other sensitive information may warrant more care due to the risks associated with inappropriate access to this information. The goal is to ensure that the shredded records are rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed.
- If a covered entity does its own shredding, we recommend including in the disposal policy that the shredder must be a cross-cut shredder. We also recommend that the PHI awaiting shredding be stored in a sealed or locked box or bin, file cabinet, or locked room with limited access so that unauthorized personnel cannot access the PHI that is to be disposed of.
- If a covered entity outsources shredding, the policy should state that the service must use a cross-cut shredder, must supply locked/sealed boxes/bins that remain locked/sealed until they are opened for shredding, and must sign a written contract for the shredding service as well as a BAA. Ideally, in both cases, the covered entity should maintain a disposal log documenting type/volume of PHI that was disposed of, method of disposal, date of disposal, and responsible parties.
- Cross-cut shredded PHI may be disposed of in normal trash/recycling.
- A HIPAA-compliant shredding service would need to follow the same requirements as discussed above in item 1. They must use a cross-cut shredder or other shredding method that renders the PHI essentially unreadable, indecipherable, and otherwise unable to be reconstructed. They should train their personnel regarding disposal procedures and should ensure those policies and procedures are followed. They should ensure that once the PHI is picked up from the covered entity’s site, the PHI remains secured until disposal occurs. The services must be agreed to in a written contract, and the vendor is considered a business associate and must sign a BAA. The vendor should provide a certificate of destruction as proof of disposal, and I would include that as a requirement in the written agreement. I recommend the covered entity thoroughly vet potential vendors and inquire about their security measures, disposal processes, and compliance with relevant standards.