HIPAA Compliance and Data Disposal
Before the digital age, the disposal of private patient data was a relatively simple process. However, by the late 2000s, the Health Insurance Portability and Accountability Act (HIPAA) was updated with rules governing electronic data. The health care industry has some of the highest stakes if data is not sanitized correctly. HIPAA mandates are in place to prevent protected health information from your physical therapy practice from falling into the hands of not only hackers but scientists as well.
Protected Health Information
Insurance companies and health care providers understand that when protected health information (PHI) is disclosed to a third party, such as a consultant, an attorney or even a cloud data storage organization, a legal agreement is required to comply with HIPAA. Safeguarding the disclosed information is a priority. When disposing of paper documents, there are many methods available for destruction, from feeding them through a cross-cut shredder to incineration. However, when dealing with electronic data disposal, the process is more complicated.
Even after the information is deleted, some of the data can still be recovered from drives and devices. Consider all of the patient health data that is on devices in your practice. Social security numbers are just the beginning. Credit card numbers, bank account information and prescription data are all very valuable on the black market. Each piece of information can be worth hundreds or thousands of dollars.
Requirements for Data Destruction
There are exacting standards set by HIPAA for safe data disposal. The method used depends on the type of media containing the information.
- Computerized Data – For devices such as portable storage drives or hard drives, magnetic degaussing is required. This method erases data by removing and then reinstalling the existing file system. Degaussing is conducted several times on a single device to ensure data security. Even if there is patient data still on the drive, it is less recoverable each time the drive is formatted. Also, the use of a magnet typically renders the drive unusable, so it must be replaced, not reused.
- DVDs – Optical storage media such as CDs and DVDs must be physically destroyed. Standard methods for erasing data are not secure enough, according to HIPAA standards. The discs must be shredded or cut with scissors.
- Magnetic Tapes – The method used for safe data disposal on tapes is similar to that of magnetic degaussing of a computer’s hard drive. The magnet ensures all information on a tape is erased. However, unlike the drives, magnetic tapes may be used again.
Documenting Data Destruction
In addition to destroying patient and client data, HIPAA privacy rules mandate meticulous documentation of the destruction. This information is stored permanently, with details that include:
- Destruction date
- Method used
- Description of the destroyed records
Signatures from the witnesses and from those who supervise the destruction must also be included in the documentation.
Full RCM Services
Due to the complex nature of the healthcare system, handling paperwork is no longer practical. Claims submission, payment processing and financial reporting are among the processes that run more smoothly and are less time-consuming when done electronically. At Rev-Ignition, our revenue cycle management services can help your physical therapy practice become more stable and get paid faster, enabling you to grow.