Health Insurance Portability and Accountability Act (HIPAA)
Covered Entities: Health Organizations
Governed by the U.S. Department of Health and Human Services
The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 by the U.S. Department of Health and Human Services to require covered entities to safeguard the privacy of protected health information (PHI) in any form. This means that organizations must implement procedures that limit incidental uses and disclosures of PHI, and fully avoid prohibited ones, including during disposal. HIPAA requires covered entities to implement procedures that specifically address the disposition of electronic PHI as well as the hardware or e-media on which it is stored.
In layman's terms, this means that covered entities are never permitted to dispose of any PHI, or the media on which it is housed, in dumpsters or other publicly accessible containers, nor is PHI allowed to be simply abandoned. That said, like most other data security regulations, HIPAA does not mandate a specific disposal methodology; it references NIST 800-88 and asks organizations to determine their own disposal policies. Typically, organizations assess their own circumstances and potential risks to determine the most appropriate methodology for safeguarding PHI and the steps required to do so. PHI such as name, social security number, credit card number, diagnosis, treatment information, or other sensitive information requires more stringent care due to the risk of identity theft or harm to a person's reputation.
Those who must comply with HIPAA include, but are not limited to, the following: health insurance companies; HMOs, or health maintenance organizations; doctors; clinics; psychologists; dentists; chiropractors; nursing homes; and pharmacies.
As there are no specific disposal regulations within HIPAA, the NIST 800-88 data disposal methodology should be followed. All of SEM's high security paper shredders, disintegrators, IT shredders, IT crushers, and degaussers are appropriate for the disposal of PHI following NIST 800-88 protocols.