Most recent breaches of unsecured protected health information (PHI) reported to the Office of Civil Rights (OCR) have been electronic in form (e.g., email, electronic medical record [EMR], or network server).1 Indeed, these types of breaches are getting the headlines as the healthcare industry is focusing more and more on safeguarding PHI in electronic form. However, PHI still exists in paper form.
What do we do about that? You should ensure that paper records are stored and/or destroyed properly.
From the point that paper forms containing PHI are either submitted by the patient or printed by the healthcare worker, they are at risk of being inappropriately released. Ultimately, the forms are either scanned or the information is typed into an EMR. What happens next is a critical step in safeguarding
The forms are either stored or destroyed. Either way the forms need to be put in a place that is well labeled and secure. If the forms are to be stored, they should be placed in a file folder and deposited into a file room or file cabinet. The file room or cabinet should be marked as such and kept under lock and key, preferably at all times, but definitely when the office is closed. If the paper is to be immediately destroyed, one of the best ways is to shred it.
When shredding paper records, you have a few choices to pick from. Two of the more popular are self-shredding in the office or contracting with a document destruction vendor to shred for you. If you choose to do your own shredding, the National Institute of Standards and Technology (NIST) recommends using a cross-cut shredder instead of a strip-cut shredder.2 If you do not immediately shred the documents, place them in a container that is labeled as SHRED ONLY and be sure to shred them daily. If you go with a document destruction vendor instead, be sure that they follow the recommendations set forth by NIST. The vendor will more than likely provide you with a secure (lockable) bin to place your shred materials in. If you do not immediately place the documents in the secure bin, place them in a container that is labeled as SHRED ONLY
Assessing your HIPAA risk: Don’t forget the paper
by Jason Throckmorton, CHC
» Paper records should be stored and/or destroyed properly.
» NIST recommends using a cross‑cut shredder.
» A business associate agreement (BAA) is needed with a document destruction vendor.
» Obtain a certificate of destruction to show proof of destruction.
» Reduction of risk is important.
Jason Throckmorton (firstname.lastname@example.org) is an Information Security Auditor at Southern Ohio Medical Center in Portsmouth, OH.