How to Properly Dispose Protected Health Information (PHI)

February 27th, 2017 - InstaCode Institute
Categories:   HIPAA|PHI  
0 Votes - Sign in to vote or comment.

HIPAA requires covered entities to properly dispose of Protected Health Information (PHI) in the following manner:

The problem is that most of us are not computer gurus who can decipher all the technical requirements in the official Medial Sanitation guidelines. So the question becomes, "just what is acceptable and what is unacceptable?" To help address this problem, the U.S. Department of Health and Human Services, Office for Civil Rights has released an FAQ which answers the following questions:

  1. What do the HIPAA Privacy and Security Rules require of covered entities when they dispose of
    protected health information? 
  2. May a covered entity dispose of protected health information in dumpsters accessible by the public? 
  3. May a covered entity hire a business associate to dispose of protected health information?
  4. May a covered entity reuse or dispose of computers or other electronic media that store electronic protected health information?
  5. How should home health workers or other workforce members of a covered entity dispose of protected health information that they use off of the covered entity’s premises? 
  6. Does the HIPAA Privacy Rule require covered entities to keep patients’ medical records for any period of time?

We strongly encourage all healthcare providers and their staff to read through their non-technical answers to ensure your practice is in compliance.


On February 2015, the NIST announced the first revision of the official Guidelines for Media Sanitization. This announcement explains that the new revision describes three types of media sanitization – Clear, Purge, and Destroy. There is a VERY helpful flowchart which shows when each type should be used.

We highly recommend all covered entities to review this announcement in a training session with all their staff. Print out the flowchart and post it where it can be seen as a reminder. Don't forget to record this training session in your Compliance Manual.

Also, don't forget to review your Policies and Procedures to ensure that they are updated to include this information. If you have an Information Technology (IT) department or service, be sure they review the technical specifications of the official Guidelines to ensure that you are in compliance. This IT department  should also issue an official report which should be included in your Compliance Manual as well.



Questions, comments?

If you have questions or comments about this article please contact us.  Comments that provide additional related information may be added here by our Editors.

Latest articles:  (any category)

Don't Let Your QPro Certification(s) Expire! Your Certifications Matter!
June 20th, 2019 - Chris Woolstenhulme, QCC, CMCS, CPC, CMRS
Hello QPro Members, Just a friendly reminder!                                                                                        ...
How to Properly Report Monitoring Patients Taking Blood-thinning Medications
June 18th, 2019 - Wyn Staheli, Director of Research
Codes 93792 and 93792, which were added effective January 1, 2019, have specific guidelines that need to be followed. This article provides some guidance and tips on properly reporting these services.
A United Approach
June 14th, 2019 - Namas
A United Approach As auditors, we all have a different perspective when evaluating documentation. It would be unreasonable to think that we all view things the same way. In my opinion, differing perspectives are what makes a great team because you can coalesce on a particular chart, work it through and ...
Documentation of E/M services for Neurology (Don't Forget the Cardiology Element)
June 13th, 2019 - Chris Woolstenhulme, QCC, CMCS, CPC, CMRS
According to Neurology Clinical Practice and NBIC, the neurologic exam is commonly lacking in documentation due to the extensive requirements needed to capture the appropriate revenue. With the lack of precise documentation, it results in a lower level of E/M than that which is more appropriate, which can cost a physician a lot ...
Medicare Now Reimburses for Remote Monitoring Services (G2010)
June 13th, 2019 - Aimee Wilcox, CPMA, CCS-P, CST, MA, MT, Director of Content
Medicare's 2019 Final Rule approved HCPCS code G2010 for reimbursement, which allows providers to be paid for remote evaluation of images or recorded video submitted to the provider (also known as "store and forward") to establish whether or not a visit is required. This allows providers to get paid for ...
Now is Your Chance to Speak Up! Tell CMS What You Think!
June 13th, 2019 - Chris Woolstenhulme, QCC, CMCS, CPC, CMRS
CMS is asking for your input, we all have ideas on how we would change healthcare documentation requirements and get rid of the burdensome requirements and regulations if it were up to us, so go ahead, speak up! Patients over Paperwork Initiative is being looked at to help significantly cut ...
Spotlight: Anatomy Images
June 13th, 2019 - Brittney Murdock, QCC, CMCS, CPC
When viewing CPT codes, Find-A-Code offers detailed anatomy images and tables to help with coding. For example 28445 offers a table with information to assist classification of gustilo fractures: Click on the image preview from the code information page to expand the image.

About Codapedia & Find-A-Code Contact Us Terms of Use Privacy Policy Advertise with Us

Codapedia™/Find-A-Code™ - 62 E 300 North, Spanish Fork, UT 84660 - Phone 801-770-4203 (9-5 Mountain) - Fax (801) 770-4428

Copyright © 2009-2019 Find A Code, LLC - CPT® copyright American Medical Association