disposal of records (HIPAA)

HIPAA privacy and security standards require appropriate destruction of obsolete records containing protected health information (PHI). Policies and procedures must address disposal of PHI that a covered entity no longer needs to retain.

Historically, one of the most common reasons for improper health information disclosure has been inattention to safe disposal practices. Paper records containing PHI should be shredded or otherwise destroyed. Electronic storage media and devices containing PHI should have that information deleted by persons with adequate technical knowledge to assure irreversible removal.

On termination of a contract with a covered entity, a business associate must return or destroy all PHI in its possession. Where that is not possible, the business associate must extend the privacy/security protections of the contract for as long as the information is retained.

Note that HIPAA regulations also address records retention requirements.

Last modified: 11-May-2005 [RC]