What Makes a Shredding Company HIPAA-Compliant?

Posted on: August 19, 2024

Entities that transfer health data, such as hospitals, insurance agencies and medical billing companies, are subject to the Health Insurance Portability and Accountability Act (HIPAA). When choosing a health care shredding provider, you should ensure the business follows HIPAA requirements.

Selecting the right document destruction company will help you comply with regulations, protect your reputation and foster valuable relationships. Safeguard your business and clients today by partnering with TrueShred.

Importance of Following Compliance

HIPAA regulates how you share, store and destroy health care-related data. The mandates require you to safeguard the information even after it leaves your facility. Following the rules for destroying documents and data allows you to protect patient privacy and avoid legal ramifications with costly fees.

Key Requirements for HIPAA-Compliant Shredding

HIPAA requires most businesses to keep medical records for at least six years after their creation date or last use, whichever happens later. Each state has additional requirements for record retention, which you should check to ensure you maintain compliance. After the allotted time, an organization may destroy the physical documents or electronic storage devices using the proper methods.

Secure Handling of PHI

Secure destruction of HIPAA data is available on both a recurring and a one-time, as-needed basis. Recurring service offers the convenience of free locking containers for your office and regular weekly, biweekly or monthly shredding service visits. One-time service allows bulk files to be securely destroyed at once and can be scheduled for either onsite or offsite destruction. Organizations must maintain a secure chain of custody with any third-party providers hired throughout the destruction process. For this reason, the shredding company you choose plays a critical role in ensuring compliance.

Leaving medical records unsecured instead of safely destroying them can give unauthorized users access to sensitive information and put your practice at risk of compliance violations. To mitigate those risks, your company guidelines should cover employee protocols and the potential consequences of breaking HIPAA guidelines.

Certified Destruction Processes

When disposing of health care-related paperwork and documentation, all entities must follow adequate measures to protect personal health information (PHI) such as:

  • Names
  • Contact information
  • Geographic identifiers
  • Fingerprints or retinal scans
  • Full-face photos or comparable images
  • Vehicle identifiers and license plates
  • Diagnoses and treatments
  • Driver’s license numbers
  • Social Security numbers
  • Card payment numbers

HIPAA guidelines state that data should be rendered completely unreadable and impossible to reconstruct. For this reason, medical record shredding offers the easiest and most convenient way to ensure compliance.

According to the National Institute of Standards and Technology (NIST), shredding companies should use cross-cut shredders to shred PHI. TrueShred’s industrial cross-cut shredders reduce pages to hundreds of tiny particles, rendering the information completely irrecoverable.

Background Checks and Employee Training

Some organizations use background checks to identify potential red flags and indicate if an individual may pose a risk to protected information, patients or staff. While HIPAA doesn’t require employers to submit workers to background checks, NAID AAA Certified data destruction companies like TrueShred must conduct three-level background screenings of all employees. These background checks are conducted on an ongoing basis, and all employee personnel files and shredding equipment are audited regularly by NAID.

HIPAA does require organizations to create and implement policies protecting PHI. Specifically, new employees must complete compliance training within a reasonable time after their start date. Employees must receive refresher training when policies and procedures change significantly or as needed, such as after a risk assessment or patient complaint.

Features of a HIPAA Compliant Shredding Company

Compliant shredding providers will clearly indicate the following:

  • Documented policies and procedures: Employees receive instructional materials documenting the correct procedures for destroying PHI. The staff is appropriately informed and trained when policy updates or changes occur.
  • Regular audits and compliance checks: Compliant companies pass regular, unscheduled audits from NAID AAA Certified auditors to ensure employees follow the proper data security protocols. Each audit provides a comprehensive accounting of the handling, transportation, storing, destruction, and recycling procedures.
  • Chain-of-custody documentation: HIPAA compliant shredding companies maintain a secure chain of custody for documents and electronic data and certify the destruction procedures with a certificate of destruction. This process ensures a proper paper trail and compliance evidence for HIPAA audit procedures.
  • Secure facilities and equipment: TrueShred utilizes tamper-proof containers, lockable cabinets and bins. All destruction and retrieval vehicles are monitored 24/7/365 by GPS tracking, and TrueShred’s local destruction and processing facility is owned by the company, which prohibits any outside access to materials.
  • Shredding equipment: As a NAID AAA Certified company, TrueShred uses industry-leading, cross-cut industrial shredding equipment.

Verifying a Shredding Company’s HIPAA Compliance

To comply with HIPAA standards, the shredding company must meet certain standards to protect health-related data:

  • Business Associate Agreement: As your HIPAA compliance partner, your shredding company needs to sign your organization’s HIPAA Business Associate Agreement (BAA).
  • Trained staff: Check the “About” or “Service” pages on a website to learn about a company’s training process. The employees should receive initial training and ongoing support to stay up to date with policy guidelines.
  • Chain of custody: Learn how the company maintains a secure chain of custody. Ask clarifying questions about the provider’s processes to ensure they always secure PHI materials.
  • Proper equipment: Read about the company’s destruction methods to learn if they use cross-cut shredders to make paperwork irrecoverable. Request more information about the staff’s processes if you can’t find details about their equipment.
  • Certificates of Destruction: Check to ensure you’ll receive a Certificate of Destruction. This document provides an easy and convenient way to verify compliance.

Benefits of Choosing a Company Following HIPAA Regulations

Hiring professionals to shred your paperwork and electronic storage devices gives you:

  • Peace of mind: Focus on your tasks, increase your productivity and keep your operations running smoothly while a third-party company handles your shredding responsibilities. Hire a compliant company dedicated to safeguarding sensitive data.
  • Legal protection: Receive a Certificate of Destruction to keep for your records and provide proof that health-related information was properly destroyed and recycled.
  • Reputation management: Protect personal data from reaching the wrong hands. Preventing data breaches and incidents involving illegal activity will help your brand build a trustworthy, credible image.

Securely Dispose of Health Care Documents Today

TrueShred provides shredding services you can trust. In addition to following HIPAA regulations, we are NAID AAA Certified. This certification confirms that we’re in good standing with the International Secure Information Governance and Management Association, pass regular audits, have documented policies, and hire employees who pass background screenings.

To learn more, contact our team and receive a free estimate. If you’re a recurring customer, use our online form to request services today.
