Dumping medical records in an alley dumpster is a sure way to end up on the HHS Wall of Shame.

Tod Ferran, CISSP, QSA
Did you hear about the Texas hospital fined for their PHI-filled microfiche found in a park dumpster? What about Eureka Internal Medicine’s janitorial service that mixed recycled papers containing PHI with the regular trash?

Or the four pathology groups in Massachusetts forced to pay $140,000 because their business associate abandoned thousands of medical records at the dump?

Making sure PHI is correctly disposed of seems like a no-brainer, but I wouldn’t be blogging about it if it weren’t a serious issue.

In 60 seconds, learn the compliant way to destroy documents.

OK, so what did we learn?

Paper or other physical copies of PHI should NEVER be thrown away in a dumpster, recycle bin, or office trashcan. The HHS says shredding, burning, pulping, and pulverizing are the only ways these records should be destroyed.

What about labeled prescription bottles? Do you use a business associate to dispose of waste? The HHS says you should keep the bottles in opaque bags until a business associate picks them up to destroy them. If you don’t have a business associate, then individually ripping off the labels and shredding them works too.


For electronic media containing PHI (like an old hard drive or backup tape), the HHS recommends using software or hardware products to overwrite media with non-sensitive data, exposing the media to a strong magnet, or physically destroying the media (disintegration, pulverization, melting, incinerating, or shredding).

Hard drives make excellent target practice!


So how do you keep this requirement top of mind in your office?

  • Replace office trashcans with crosscut shredders
  • Tape a sign to the trashcan that states, ‘NO PHI!’
  • Make it a policy that all paper documents be shredded, just in case

Tod Ferran (CISSP, QSA) is a Mensa aficionado, Cancun expert, and Security Analyst for SecurityMetrics with over 25 years of IT security experience. In addition to his many speaking engagements and webinars, he provides security consulting, risk analysis assistance, risk management plan support, and performs security, HIPAA, and PCI compliance audits. Connect with him for recommendations on excellent places to stay, activities, and restaurants in Cancun, or check out his other blog posts here.