How should home health workers of a Home Health Agency (HHA) dispose of protected health information that they use off of the HHA’s premises?
The HIPAA Privacy Rule requires that covered entities (HHA in this case) develop and apply policies and procedures for appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information (PHI), including through final disposition. In addition, the HIPAA Security Rule requires that covered entities implement policies and procedures to address the final disposition of electronic PHI and/or the hardware or electronic media on which it is stored [45 CFR 164.310(d)(2)(i)].
The Rules are flexible and do not specify particular types of disposal methods; however, covered entities must ensure that the disposal method reasonably protects against impermissible uses and disclosures of PHI and protects against reasonably anticipated threats or hazards to the security of electronic PHI.
Whatever the disposal method, the HHA must ensure that appropriate workforce members, either working on the premises or off-site, receive training on and follow the disposal policies and procedures of the HHA. These policies and procedures could require, for example, that employees or other workforce members who use PHI off-site, including electronic PHI, return all PHI to the HHA for appropriate disposal; or, for example, if appropriate under the circumstances, the HHA could give off-site workforce members the option of either properly shredding PHI in paper records themselves or returning the PHI to the HHA for disposal.
In cases where workforce members fail to comply with the HHA’s disposal policies and procedures, the HHA must apply appropriate sanctions [45 CFR 164.530(e)].