Medical documents contain a wealth of personal and sensitive information, including protected health information (PHI) and personally identifiable information (PII) such as demographics, financial information, diagnoses, treatment information, and more.

To protect this sensitive patient information, the HIPAA Privacy Rule requires that all covered medical entities—including doctors’ offices, hospitals, walk-in clinics, pharmacies, assisted care facilities, and other medical offices—use “appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information.”

According to Colorado’s state medical record laws, doctors and hospitals are required to retain medical records for 10 years after the most recent patient care usage for adults, and for 10 years after minor patients turn 28.

After that time, the U.S. Department of Health and Human Services (HHS) requires that documents containing protected health information be securely shredded before they are discarded.

Despite these clear regulations, medical facilities continue to dispose of medical documents improperly, exposing the personal information of millions of patients.

According to the HIPAA Journal, there were 514 healthcare data breaches between January 1, 2010 and December 31, 2017, involving 500 or more paper records and 3,393,240 individuals.

What It Means to Improperly Dispose of Medical Records

Failing to comply with HIPAA requirements for secure document disposal can happen in many different ways, and can have serious consequences.

A recent study that monitored document disposal at five hospitals in Canada found that thousands of documents containing personally identifiable information and personal health information were placed in regular recycling bins rather than in the designated secure recycling bins to be shredded before disposal. These documents contained information including clinical notes, medical reports, billing forms, diagnostic test results, and more.

The CVS pharmacy chain was fined $2.25 million for disposing of intact documents containing patient PHI in dumpsters accessible to the public.

FileFax, a medical records storage company based in Northbrook, Illinois, was fined $100,000 for disposing of documents containing protected health information in a dumpster.

A medical clinic in Florida was sued by patients when more than 483,000 intact patient records fell out of a waste truck on their way to being incinerated.

In 2014, an employee of Maximus, the call center vendor for Access Health CT, lost a backpack containing the protected health information of around 400 patients, including names, birth dates, and Social Security numbers.

Avoiding Fines for Improper Disposal of Medical Records

Medical companies can be fined up to $50,000 for each improperly discarded medical record, but fines are easy to avoid if you use a secure, professional method of destroying unneeded medical records and other confidential documents.

Proshred® Denver offers HIPAA-compliant document destruction to ensure your medical records are destroyed properly and professionally, to safeguard the privacy of your patients and protect your medical company from fines and lawsuits.