Secure Shredding Guidelines for Paper Medical Records

Woman standing between tall files containing medical paper records

Secure Shredding Guidelines for Paper Medical Records

Do you work in a medical office or healthcare setting? For administrators in these environments, the secure shredding of medical documents (paper records) is a major concern. Greenway Shredding and Recycling offers HIPAA-compliant secure shredding services. The following article outlines secure shredding guidelines for paper medical records.


What is HIPAA?

According to the Centers for Disease Control, The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law requiring the creation of national standards to protect sensitive patient health information. Patient health information cannot be disclosed without the patient’s consent or knowledge.

The US Department of Health & Human Services (HHS) provides additional information on their website regarding HIPAA for Individuals and HIPAA for Healthcare Professionals.


HIPAA Privacy Rule and Protected Health Information (PHI)

The HIPAA Privacy Rule aims to strike a balance between allowing use of individual healthcare information to provide quality care and protecting the privacy of people who seek medical services.

The HIPAA Privacy Rule standards address the use and disclosure of an individual’s health information (known as “protected health information” or PHI) by entities subject to the Privacy Rule. These individuals and organizations are called “covered entities.”

Covered entities include healthcare providers, health plans, healthcare clearinghouses, and associated business partners.

HIPAA requires covered entities to adhere to strict and secure shredding guidelines for medical documents.

For a more in-depth description of organizations and businesses that fall within a covered entity category, as well as permitted uses and disclosures of personal healthcare information, we recommend this CDC article.


HIPAA Security Rule and e-PHI

While the HIPAA Privacy Rule safeguards protected health information (PHI), the HIPAA Security Rule protects a subset of information covered by the Privacy Rule.

This Security Rule subset includes all individually identifiable health information that a covered entity creates, receives, maintains, or transmits in electronic form. This information is called “electronic protected health information” (e-PHI).

The Security Rule does not apply to PHI transmitted orally or in writing.

To comply with the HIPAA Security Rule, all covered entities must do the following:

  • Ensure the confidentiality, integrity, and availability of all electronic protected health information
  • Detect and safeguard against anticipated threats to the security of the information
  • Protect against anticipated impermissible uses or disclosures
  • Certify compliance by their workforce


HIPAA and Records Retention Requirements

According to The HIPAA Journal, the Health Insurance Portability and Accountability Act (HIPAA) requires Covered Entities and Business Associates to maintain required documentation for a minimum of six (6) years from the date of its creation, or the date when it last was in effect, whichever is later.

HIPAA preempts state requirements if the state has a shorter retention period. If you have any questions specific to your state’s record retention policies, if is best to contact your legal counsel for their recommendations.

The list of documents subject to the HIPAA retention requirements depends on the nature of business conducted by the Covered Entity or Business Associate.

The following list is an example of the most common types of documents:

  • Notices of Privacy Practices
  • Authorizations for the Disclosure of PHI
  • Risk Assessments and Risk Analyses
  • Disaster Recovery and Contingency Plans
  • Business Associate Agreements
  • Information Security and Privacy Policies
  • Employee Sanction Policies
  • Incident and Breach Notification Documentation
  • Complaint and Resolution Documentation
  • Physical Security Maintenance Records
  • Logs Recording Access to and Updating of PHI
  • IT Security System Reviews (including new procedures or technologies implemented)


HIPAA Compliance and Document Shredding

The US Department of Health and Human Services (HHS) stipulates that PHI documentation maintained on paper must be destroyed via “shredding, burning, pulping, or pulverizing the records so that PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed”.

For ePHI and documentation maintained on electronic media, HHS recommends clearing or purging the data, or destroying the media by pulverization, melting, or incinerating.

On their website, the American Health Information Management Association (AHIMA) offers guidelines for establishing a compliant approach to shredding paper documents:


Various AHIMA guidelines for compliant shredding

  • Facility Guidelines
    • Every long-term care facility should have a policy and procedure established to destroy records or confidential documents, whether in paper or electronic format, that are beyond their retention period.
    • Destruction should be done at least annually based on a proper written retention schedule that encompasses federal and state regulations.
    • The policies and procedures and the destruction schedule should demonstrate that records are destroyed in the normal course of business, as consistency and documentation are key components of record management.
    • A destruction program that documents both appropriate retention and destruction of documents protects the facility/organization from legal liability.
    • At least annually, every facility should review the documents on the retention guideline and destroy records as appropriate.
    • It is recommended that the Executive Director/Administrator be notified and approve of records/documents to be destroyed.


  • Guidelines for Destruction of Paper Records
    • Paper-based records containing personally identifiable data must be destroyed in a manner that makes it impossible to reconstruct and read the information.
    • Records and protected health information cannot be disposed of in the garbage containers without some type of shredding or obliteration.
    • Documents awaiting destruction should be housed in secure collection containers, with specific attention to location of the container and the locking capabilities.
    • Acceptable methods used today include shredding, incineration pulping and pulverization.
    • In addition to the original records, secondary or incidental documents (duplicates, carbon copies, misprints, worksheets, and documents containing billing statements) must also be destroyed.


  • On-Site Destruction of Paper Records
    • The health information management staff should oversee any shredding of documents at the facility.
    • Cross cut shredders have a higher degree of security than strip-shred.
    • A business associate agreement with the destruction company should detail the location of the destruction, method of destruction and require proof of destruction.


  • Off-Site Destruction of Paper Records
    • If the records are destroyed off-site through a destruction company, a business associate agreement should detail the safeguarding practices while the PHI is in transit, time that will elapse between acquisition and destruction, method of destruction and require proof of destruction.


NOTE: Check specific state laws prior to setting up any document destruction program.


Contact Greenway Shredding & Recycling Today

All of Greenway’s document shredding services are HIPAA-compliant.

Greenway Shredding & Recycling is a family-run business that is locally owned and operated. We offer services with NO CONTRACTS because we want to earn your business.

Greenway is committed to providing shredding and recycling services with superior value. We want to be your preferred shredding service provider. All our document destruction services are HIPAA-compliant. Our staff is friendly, dependable, and trustworthy.

Request a quote today! Email or call (502) 749-0390.