March 15, 2010
Pick of the Litter
By Annie Macios
For The Record
Vol. 22 No. 5 P. 10
Recent IT advances coupled with ramped-up government regulations bring new significance to choosing a document destruction vendor.
With the abundance of paper and electronic protected health information (PHI) residing in the nation’s healthcare facilities, what can a provider do when it comes time to destroy these confidential records? And what steps can be taken to ensure that the document destruction is done in a secure, compliant, cost-effective manner that will protect not only the PHI but also the facility in the event of a breach?
Choosing a reliable document destruction vendor can be a daunting task, but arming yourself with the right knowledge before entering into a contract can make all the difference.
Rules of Engagement
Edward Shay, a partner at Post & Schell law firm in Philadelphia, recommends performing basic due diligence when selecting a document destruction vendor. “Ask around and find a vendor who has experience in healthcare, who understands the sensitivity of healthcare information, and who has a good reputation. Then the next step would be to negotiate some sort of services agreement with the vendor, including a written agreement that lays out terms and conditions,” he says.
Rachel Nosowsky, senior counsel at Miller, Canfield, Paddock and Stone, PLC in Ann Arbor, Mich., says the first order of business for healthcare entities is to make sure staff—especially those in charge of requests for proposals (RFPs) and contracts—understand current document destruction guidelines and standards, as well as the privacy and security rules that govern the handling of PHI.
The HITECH Act has a section devoted to enhanced security and privacy protection for PHI. “It reflects a perceived public dissatisfaction with HIPAA because HIPAA doesn’t apply to all entities,” says Nosowsky. For example, the law applies to practitioners, health plans, and their vendors through the business associate provision but leaves out a significant number of players, including companies that independently sell services such as personal health records (PHRs), according to Nosowsky.
“So now the stakes are higher than they used to be,” she says. “When dealing with a rule as expansive as HIPAA, you want to get your contract right to offer your facility the right protection. But first you must inform the people within your operation about what those stakes are.”
To be at ease with the ultimate decision, experts recommend following suggested best practices.
“Conduct an RFP process, do the typical background checks and reference checks, and check the relevant sanctions lists to ensure that vendor isn’t on them,” Nosowsky says. “You should also require the vendor to comply with minimum standards for ongoing background checks of its employees. Ensure the pricing quote includes the promise that the vendor will comply with guidelines as they are updated. Within the RFP, ask the vendor to specify up front any exceptions to the covered entity’s standard contract.”
Next, it is important to discuss with the vendor what type of destruction will occur given the nature of the documents.
HITECH requires the Office for Civil Rights (OCR) to issue guidance describing the “technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals.” This includes properly destroying PHI. Because the breach notification rule does not apply to information that is properly destroyed, understanding the guidelines and the practicalities of compliance is important.
According to the National Institute of Standards and Technology (NIST) Guidelines for Media Sanitization, there are two primary types of media in common use: hard copy and electronic (soft copy). Hard copy includes paper printouts, printer and facsimile ribbons, and drums. NIST notes that these types of media are often the least controlled. Information in these formats, if tossed into recycle bins or trash containers, risks accidental disclosure to “dumpster divers” and overcurious employees.
Electronic media include the bits and bytes stored on hard drives, disks, memory devices, phones, mobile computing devices, and networking equipment, among others. In healthcare facilities, information systems capture, process, and store information using a wide variety of media, and the data reside not only on the intended storage media but also on the devices used to create, process, or transmit them. NIST suggests that to mitigate the risk of unauthorized disclosure and ensure confidentiality, managing information created, processed, and stored by an IT system throughout its life, from inception through disposal, must be a top priority for providers.
Shay says paper documents should be shredded, whereas disposition of electronic records requires more thought. The provider must be aware that it is not only the electronic record that needs to be destroyed or deleted but also perhaps the media that created and stored the record. For example, CDs, hard drives, and laptops may have to be pulverized. For this reason, it’s important to include destruction of the medium in the contract language and specify a time frame for completion of the process.
“For paper records, the hard copy must be destroyed so that the PHI cannot be read or reconstructed. Redaction is not adequate,” says Nosowsky. On the electronic side, she recommends using a vendor that will destroy records according to the NIST guidelines.
Shay recommends healthcare facilities review the NIST’s Special Publication 800-88: Guidelines for Media Sanitization, which assists organizations in making practical sanitization decisions based on the level of confidentiality of their information.
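SP 800-88 does not stop at picking a sanitization method; it also calls for verifying the result and documenting it before the media leave the facility or the vendor’s custody. The following is an added example written for this article, not code from the article, from NIST, or from any vendor named here. It assumes the overwritten medium is available as a byte string or image file (a constructed in-memory image is used), that sectors are 512 bytes, and that the wipe was a single-pass constant-byte overwrite. The function and variable names are the example’s own.

```python
"""Verify a single-pass overwrite before a drive leaves your control.

Added example; not from the article, NIST, or any vendor. Assumptions:
512-byte sectors, constant-byte fill, medium readable as bytes.
"""
import hashlib
from datetime import datetime, timezone

SECTOR = 512


def nonconforming_sectors(image, fill=0x00, sector_size=SECTOR, sectors=None):
    """Return indices of sectors that are not entirely `fill`.

    `sectors` is an iterable of sector indices to read; None means read every
    sector (full verification). A partial trailing sector is compared only
    over the bytes it actually contains.
    """
    expected = bytes([fill]) * sector_size
    total = (len(image) + sector_size - 1) // sector_size
    indices = range(total) if sectors is None else sectors
    bad = []
    for i in indices:
        chunk = image[i * sector_size:(i + 1) * sector_size]
        if chunk != expected[:len(chunk)]:
            bad.append(i)
    return bad


def sampled_sectors(total, stride):
    """Deterministic sample: every `stride`-th sector plus first and last.

    Sampling is fast, but as the demo shows it can miss isolated residue, so
    use full verification when media will leave organizational control.
    """
    picks = set(range(0, total, stride))
    picks.update({0, total - 1})
    return sorted(picks)


def build_demo_image(total_sectors=64, residue_sector=37):
    """Constructed test medium: zero-filled except one sector the wipe missed,
    still holding a fabricated record fragment (not real patient data)."""
    img = bytearray(total_sectors * SECTOR)
    leftover = b"MRN 000000 DOE, JANE DOB 01/01/1970 DX: fabricated"
    start = residue_sector * SECTOR
    img[start:start + len(leftover)] = leftover
    return bytes(img)


def verification_record(image, method, bad, sector_size=SECTOR):
    """Build the sanitization record SP 800-88 asks you to retain: what was
    checked, how, the outcome, and a fingerprint of the verified image."""
    return {
        "verified_at": datetime.now(timezone.utc).isoformat(),
        "method": method,
        "sectors_total": (len(image) + sector_size - 1) // sector_size,
        "sectors_nonconforming": list(bad),
        "passed": not bad,
        "image_sha256": hashlib.sha256(image).hexdigest(),
    }


if __name__ == "__main__":
    img = build_demo_image()
    total = len(img) // SECTOR
    # Sampled check (every 8th sector) walks right past sector 37.
    sample = sampled_sectors(total, 8)
    print("sampled nonconforming:", nonconforming_sectors(img, sectors=sample))
    # Full read-back catches the missed sector.
    full_bad = nonconforming_sectors(img)
    print("full-scan nonconforming:", full_bad)
    print(verification_record(img, "single-pass 0x00 overwrite, full verify", full_bad))
```

The sampled pass reports a clean drive while the full pass flags sector 37; that gap is exactly why a contract should state which verification the vendor performs and require the record, not just a certificate of destruction.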
Another aspect to consider is what sort of physical security the vendor will supply in transporting the record. “Really be specific to ensure it will be protected,” says Shay. “For example, at our law firm our document destruction vendor places locked trash bins on each floor, so anyone who has confidential information that needs to be destroyed can put it in the slot and every two weeks they pick it up and shred it on the spot.”
Record retention statutes that require healthcare facilities to keep certain medical records for 10 to 20 years can add a layer of complication to vendor agreements. As a result, storage stipulations are sometimes included in contracts.
Since its inception in 1996, HIPAA has been maligned for its lack of bite. Critics say the privacy and security rules have not been enforced as designed, pointing out that healthcare organizations face little fear of incurring significant penalties. The HITECH Act may change all that, according to Nosowsky.
“Previously, there was no federal requirement for covered entities to report or notify patients or health plan members of a privacy breach. So Congress, through new HIPAA rules, created breach notification requirements,” she notes, adding that HITECH also holds business associates directly accountable for compliance with certain privacy and security protections in addition to covered entities. “Now the government can go directly after business associates if there is a breach of these rules,” Nosowsky explains.
The new rules have also substantially increased the penalties that may be assessed under HIPAA, raising them from a maximum of $100 per violation and $25,000 per calendar year to as much as $50,000 per violation and $1.5 million per calendar year for violations of the same provision.
In constructing the contract itself, consider using the same language as HIPAA and referencing the OCR guidelines and the NIST standards, says Nosowsky. Also, require the vendor to use these standards, as well as any updates that may be issued, throughout the entire term of the contract.
Take advantage of HITECH, Shay says, by making the vendor a business associate, which makes it directly subject to the law’s requirements and exposed to penalties in the event of a security breach. “So with a business associate, if a covered entity finds that a breach of confidentiality turns up, the covered entity must report it to the OCR and would have right of action against the vendor who didn’t perform in compliance with their services contract,” he says.
Nosowsky notes that under HIPAA and HITECH, a violation by an agent can be attributed to the covered entity and, according to the enforcement rule, an entity can be charged for the actions of its agents. “And the covered entity cannot clearly or easily decide who is or is not an agent under common law,” she notes.
Therefore, the more a facility can distance itself from an agency relationship, the better off it will be. As a result, Nosowsky recommends including provisions specifying that the vendor is not an agent of the covered entity, and that actions of the vendor that are not in compliance with applicable HIPAA/HITECH requirements and any additional contract specifications are “outside the scope of the engagement” for the covered entity.
“So basically you’re saying, ‘You’re on your own’ if they don’t comply with the standards,” she adds. This may assist the covered entity in making the argument that the vendor is not its agent, which can be helpful in the event of a breach or enforcement action.
Nosowsky also notes that the generic compliance provisions often found in general contracts do not bind a vendor to comply with agency guidance, making it important to be specific in the language used when constructing the contract.
In the event there is a problem, consider requiring the vendor to indemnify the healthcare provider for any liability related to a breach. It is also a good idea to require the vendor to carry an adequate level of insurance and include a clause for notification should its insurance lapse. Also, require the vendor to report any breach quickly—within five days is ideal. “Strong indemnification and insurance language in the contract is important in the event the vendor violates its obligations,” says Nosowsky.
A Practical Perspective
Andrew Lenardon, director of strategic accounts for Toronto-based Shred-it, shares several practical ideas healthcare facilities can use when choosing a document destruction vendor.
Lenardon notes that the majority of all security breaches are insider issues. Healthcare providers can take simple steps to mitigate insider access to PHI by using locked, nonpliable containers that can’t be moved unless absolutely necessary but are still readily available. He also suggests clients have a “shred-all” policy rather than leaving the decision as to what will be destroyed to employee discretion.
Balancing cost management with risk avoidance is another important area of consideration. “In today’s healthcare environment, cost is king, but document destruction is not the area to trim. Up front, cost reduction can seem like the right thing to do, but cutting costs in this area can be short-sighted because the risks associated with proper compliance are high, as are the penalties for a breach,” says Lenardon. Insourcing may appear to be an attractive option, but the lack of an audit trail, the risk of employee noncompliance, and the possibility of equipment breakdown must all be weighed when assessing the balance between cost and risk avoidance.
Lenardon says there are many advantages to having a vendor perform document destruction on site, including issues related to HIPAA regulations, as well as ensuring proper compliance. “Anyone that provides on-site destruction offers a better chain of custody and lessens a facility’s risk. With the HIPAA act, if the destruction work is done on the premises, the vendor is considered part of the workforce and you don’t need a business associate agreement,” says Lenardon. “While we still recommend having your vendors sign business associate agreements, this says a lot about the reduction in risk when you have documents destroyed on premises.” In addition, many healthcare organizations want assurance that their material has been properly destroyed, which on-site destruction facilitates.
Healthcare facilities must also find a vendor that can accommodate their changing requirements for document destruction. “If you need a vendor to meet certain destruction specifications, audit them to make sure they can do what your destruction metrics require,” says Lenardon. For example, if a facility currently uses a standard shred size but its requirements later call for a smaller one, it should select a vendor able to perform that work now, even if there isn’t a current need. This eliminates the need to switch vendors should document destruction requirements change.
Facilities also often try to balance security with the environmental impact of their destruction methods. “Seeking a way to lessen environmental impact is important, but don’t do so if it means taking on additional risk through such activities as additional hand sorting, holding on to certain documents until enough is collected, or using a destruction facility that is possibly hundreds of miles away, thereby increasing the risk for a breach,” says Lenardon, who recommends selecting a vendor that doesn’t put a facility at risk in this manner but at the same time remains environmentally friendly by optimizing the service route or frequency of destruction.
Lenardon says none of these measures matter if all employees aren’t compliant with a facility’s policy on how to handle PHI. “The policy must come from the top. Hospital administrators must define the policy and employees must know that they are each responsible to abide by it,” he says.
During the vendor selection process, include more than just someone from the procurement department on the decision-making team to make certain cost isn’t the only issue considered. “You need to include individuals from risk management, physical security, information security, and the compliance department; include the people in the decision making who will be accountable in the event of a breach,” says Lenardon.
By laying out a well-constructed contract with a reputable company and with the right provisions included from the beginning, it is more likely a healthcare facility will find a vendor that will ensure the security and proper destruction of its medical records, both paper and electronic.
— Annie Macios is a freelance writer based in Doylestown, Pa.