H2E Guidance Document Confidential Paper Document Disposal and

H2E Guidance DocumentConfidential Paper Document Disposal and Resource ConservationIn Compliance with theHealth Insurance Portability and Accountability Act (HIPAA) OF 2002H2E Objectives inMeeting HIPAACompliance:The Hospitals for aHealthy Environmentprogram attempts tohelp health carefacilities meet theintent of HIPAA in amanner that promotesenvironmentalperformance and that isfinancial responsibleand sustainable. Thisdocument is to be usedby H2E Partners as atool to help developpolicies and proceduresto perform their ownfacility assessments toensure confidentiality.HIPAA Standards require health care organizations to establish written policies andprocedures, as well as security measures to protect the privacy of patientinformation as they pertain to the “end-of-life” disposal and destruction ofconfidential paper documents.* The purpose of this guidance is to help you:• Understand the basic requirements for protecting privacy of confidentialdocuments under HIPAA;• Assess your facility’s confidential paper disposal/destruction program’sreadiness for compliance with HIPAA requirements;• Evaluate options for “end-of-life” disposal and destruction of confidentialdocuments, and develop an environmentally responsible and fiscally prudentoption for your facility;• Develop and implement policies and procedures as they pertain to the “end-oflife”disposal and destruction of confidential paper documents.Document Outline:I. Understanding HIPAA and Document Destruction Options• What documents are protected by HIPAA?• What HIPAA says and doesn’t say about the management anddisposal/destruction of confidential paper• Confidential document destruction optionsAttachment B: Sample Certificate of DestructionAttachment C: Due Diligence - Annual Audit of Confidential Paper Recycling* This documentfocuses on paperdestruction.Attachment Aincludes a tablebriefly describingelectronic media datadestructionalternativesDisclaimer: Thesuggestions outlined inthis and other H2E-HIPAA documents arenot legally binding butare intended asguidance documents.II.III.Perform a facility assessment• Perform a facility assessment to help determine policy and proceduralrequirements, operations and infrastructure requirements.• Develop facility-wide policy for compliance with confidential material disposalguidelines• Policy worker codes of conduct concerning violations of policyAttachment D: Sample Facility AssessmentDeveloping and Implement Policies and Procedures• Develop chain of custody policies and procedures from point of origin toconfirmation of point of destruction, include specific responsibilities for generator,handler, staff at points of transfer, haulers and/or recyclers.• Considerations for choosing a vendorAttachment E: Considerations of Shredding On-siteAttachment F: Sample Administrative Policy and ProceduresAttachment G: Sample Confidentiality Agreement facility and vendorAttachment H: Sample “General Terms and Conditions” with facility and vendorH2E-HIPAA DRAFT Guidance Document on the Destruction of Confidential PaperPlease send comments to H2E@valley.net1

See the “ConfidentialPaper DisposalAssessment Tool”Source Reduction iskey to the any potentialminimization ofconfidential wastedisposal. Training andeducation efforts mustbe undertaken if asuccessful sourcereduction program is tohave a sustainable andmeaningful impact onreducing the amount ofpaper generated,whether confidential ornot.Training andCommunication ofyour policies are theunderlyingdeterminants of thesuccess of any processimplemented to reduceexposure to HIPAAregulations.• Container placementThe easier the access to collection containers, the higher the level of compliance to thepolicy. Every office, reception area, conference room should have easy access to theproper container – otherwise confidential materials WILL END UP IN THE TRASHbecause there ARE trash containers everywhere.• What type of containers go where?Your facility assessment should inform you of the risk associated with locations at which acontainer may be placed. For example, an high traffic area with easy public access maywarrant a locked bin or shredder, while a locked records room with limited staff accessmay not warrant such safeguards.• Bins – locked vs. unlockedAdvantages to locked bins:· paper is secure from point of generation through point of destruction· the facility can visually and systematically demonstrate to clients that an infrastructureexists to protect information security· avoids the need to shred at point of generationDisadvantages to locked bins:· additional cost to purchase locking containers· additional labor to collect paper from locked bins or swap out containers· space needed to store locked bins, space needed to stage locked bins duringcollection· finding and keeping track of keys for bins; need to decide if all bins should be keyedalike, or have multiple keys, multiple locks· Increased cost and labor considerations may limit access to confidential containers,consider whether staff compliance will decrease if participation is not easy andaccessible.• To Shred or Not to Shred…What is due diligence?The systematic andobjective process toevaluate risks associatedwith using a particularrecycling vendor for thepurposes of minimizingliability to the facility.Shredding On Site. Shredding as a method of information destruction is no doubt, veryeffective but it’s also expensive and labor intensive, and if other options are available, itmay not be necessary. Facilities can shred onsite with small, departmental shreddersand in a centralized are using a large, industrial centralized shredder. Facilities may alsoopt to minimize shredding on-site by working with a recycling hauler that provides secureservices.Shredding off site (or mobile on-site shredding systems). A variety of firms offershredding services. Typically, they pick up the paper from a central point at the facility andeither shred on-site in mobile units or transport it to a bulk shredding facility. These firmsfall under the category of destruction firms, and they should always provide a certificate ofdestruction.Using the Due Diligence Audit combined with the Facility Assessment will help weigh theoptions and come up with a combination of services that balances cost, security andrecycling as a preferred option.4H2E-HIPAA DRAFT Guidance Document on the Destruction of Confidential PaperPlease send comments to H2E@valley.net