Consultants with Doctor Reviewing Computer

Sensitive data comes in many forms in the health care industry, and organizations need a process to ensure that it is disposed of properly.

Preventing Cybercrime

Health Care Organizations Must Safely Dispose of Sensitive Data

  • 7/6/2015

The news is consistently filled with hacking stories and stories about security breaches that implicate large retailers, medical systems, and even our governments. Organizations of all kinds are immersed in daily battles to keep information away from criminals. All organizations need to protect the sensitive information that flows through their systems electronically or once it is printed. Health care organizations and their business associates retain two separate types of confidential information: patient health information (PHI) and personally identifiable information (PII). Management is obligated to secure patient and employee data according to Section 13402(h)(2) Public Law 111-5.

Carelessness case studies

When does printed medical and identifying information create a risk for a health care organization? The following stories illustrate situations that increase the risk of identity theft for patients and regulatory fines for health care organizations.

A medical clinic recently upgraded its information system and, as part of the upgrade, now has a fully integrated billing system. Even though it receives payment information electronically, staff print remittance information on a daily basis. After verifying the payment information is recorded accurately, they discard the printed remittances in unsecured paper boxes under their desks. Whenever the boxes get full, the clinic puts the papers in the secure scan box.

How many clients could have their identities stolen if the documents were inadvertently put in the trash versus the shred box? What sort of compliance penalties might the organization face?

In a similar case of carelessness, the consequences were not theoretical. In one real case, when a physician retired from practice, the entity that purchased the practice transitioned the patients’ care and medical charts to new providers. As part of the process, the entity had medical charts boxed up and left in the driveway of the retired provider’s home. The physician filed a complaint, and the Office for Civil Rights (OCR) determined that “…records being discarded or transferred in a manner (such as this) puts patient information at risk” and settled the case with the entity for $800,000.

Proper precautions

Organizations with sensitive data may follow some simple steps when disposing of medical and patient information:

Step 1

Define the type of PHI and PII that flows through your organization. Remember to account for prescription labels and bottles with prescription labels, hospital identification bracelets, thumb drives, copier hard drives, and unsecured paper “shred boxes.”

Step 2

Create and follow disposal procedures for PHI or PII, including:

  • Securing paper documents containing PHI or PII that could be seen by the public by placing them in lockable cabinets.
  • Shredding, burning, or pulping documents to render them “unreadable, and indecipherable.”
  • Encrypting all transmissions of electronic PII or PHI.
  • Destroying electronic data.

Step 3

Train your employees about the components of PHI and PII that require more care in the disposal or disclosure process (social security numbers, driver’s license numbers, payment card information, and diagnosis). Training should help address the following issues:

  • Employees and contracted employees must understand the consequences of the inappropriate disposal of PHI and PII to patients, employees, and the organization.
  • Anyone involved in the disposal of data should know the organization’s step-by-step process for paper and electronic media disposal.
  • Everyone should be able to identify an unintended or unauthorized disposal (e.g., shred boxes in an unsecure bin) and know immediately whom to contact about the situation.


SKARE your employees. We developed the following mnemonic device to help health care clients remember the elements necessary to secure PHI and PII.

  • Secure documents or electronic media out of sight.
  • Keep documents that contain PII or PHI in-house.
  • Assess and re-assess the disposal vulnerabilities within your organization.
  • Render items thrown in the trash unreadable.
  • Encrypt electronic data that contains PII or PHI.

Taking steps to ensure that everyone in the organization understands the sensitivity of disposal can reduce the risk of disclosure.  

How we can help

CLA performs risk analysis to identify the flow of electronic PHI through your organization and does walkthroughs of patient service areas to identify the vulnerabilities in your paper document disposal system. Our health care information security services include supporting your organization as you develop stronger disposal policies and training employees and contractors in the proper care of sensitive information.