March 31, 2008
Independent contractors can serve as “hitmen” for healthcare organizations that want to properly dispose of retired medical records.
When healthcare organizations need to destroy confidential papers such as medical records, shredding the documents appears to be the preferred method. The task of shredding outdated or unwanted documents can be outsourced to companies that specialize in document destruction, or some facilities may opt to implement an in-house, do-it-yourself approach. Time, cost, and security are among the major factors to consider when choosing what method makes the most sense for a particular facility.
“More than 50% of healthcare service providers outsource their information or document destruction to a contractor,” says Robert Johnson, executive director of the National Association for Information Destruction (NAID). “The reason to outsource to contractors is it’s more secure and convenient.”
For example, Johnson says shredding 50 pounds of paper in-house in a small shredder may take someone five hours, while outsourcing the job to a contractor can be done more quickly.
Another option is to hire a contractor that shreds documents on site. At Shred-It Indianapolis, clients can actually witness the paper being cross-cut shredded in side-loaded, 24-foot trucks where the shredding compartment is housed in the front of the truck’s box, according to account supervisor Julie Hoskins. A huge, high-speed shredder guarded by cage doors protects clients and workers from the shredder and still allows the operation to be seen, she says. Additionally, there is a viewing window that allows clients to see the shredded material completely destroyed before the truck leaves the premises.
The speed at which the documents are shredded can be a key component in choosing to have someone else shred records and other confidential material. “What our high-speed shredding trucks can shred in 10 minutes would literally take one person on an office shredder 10 hours,” says Hoskins.
The Selection Process
“Doing your homework” is the most important part of choosing a shredding contractor, says Nitza Cruz, sales manager at Safe Shredding, LLC, in Livingston, N.J. “Ask for references— that is very important.” Additionally, facilities should request a copy of the policy and procedures of any prospective shredding contractor. Cruz also recommends asking the following questions:
• What is the employee drug testing policy?
• Are background checks performed?
• How much on-site employee supervision is conducted?
• Do two representatives ride in the truck when documents are picked up?
• Is the truck locked and secure when the drivers are away from it?
It’s also important to find out what kind of equipment the contractor uses to shred documents to ensure the complete destruction of confidential material since different types of shredders perform differently, Cruz says. For example, spaghetti shredders cut documents into long, thin strips that can be reassembled.
Shredding has advanced substantially in the last few years, according to Hoskins, who had an eye-opening experience in 1998 when she took cross-cut shredded material from her office to a private investigator and asked if it was possible to reconstruct the strips. The private investigator told her no and then showed Hoskins a room where two senior citizens were putting strip-shredded documents back together.
Cruz also prefers pierce-and-tear shredders that provide a cross cut generally thought to render the document incapable of being reconstructed. As the importance of shredding has become more widely understood, shredding technology has also evolved. Cruz says hammer mill shredders go a step further and actually turn paper particles to dust, thereby making certain that reassembling the document is impossible.
Outsourcing shredding duties can be faster and potentially less expensive than performing the task in-house. Johnson estimates that for every 15 to 20 minutes a healthcare employee spends feeding a shredder, a contractor could shred the same amount of paper in about one minute. He also points out that the time employees spend at the shredder is time spent away from the task that they were actually hired to do. Johnson says the cost of outsourcing depends on the level of service and the volume of material to be destroyed.
Cruz agrees, adding that a shredding service provider can tailor a program to fit a healthcare provider’s budget. She says shredding services may start as low as $49 per month. “The advantage to outsourcing the shredding is that you will save on time and money from the business standpoint,” she says.
The cost of shredding can be customized so that the service is cost-effective for the client, says Hoskins. Many customers put paper material to be shredded into contractor-supplied secure containers. “Once it is dropped into the locked container, no one has access to it,” she says.
The boxes hold about 100 pounds of paper, or the equivalent of two reams of paper. The openings are large enough to accept 400 sheets of paper at once, so it only takes a minute for clients to dispose of large amounts of paper. To speed up the process, staples, paper clips, and small amounts of plastic—such as binders holding several pages together—do not need to be removed. A small-volume customer with three containers of paper to be shredded can expect to pay between $50 and $100 per month, according to Hoskins.
Besides personal identifying information found in patient medical records and diagnostic information such as the reason for seeking medical care, the diagnosis and treatment plan must also be properly destroyed.
Additionally, Texas Medical Board Rules Chapter 165 cites billing codes such as CPT and ICD-9-CM as also being part of the medical record that must be kept private. Further, the board says supplemental information, amendments, and changes or corrections, as well as records from other medical sources, must also be considered confidential information.
The Texas Medical Association outlines criteria that may help healthcare providers meet their ethical and legal obligations when determining medical records eligible for destruction. For example, patients should be able to collect their old records or have them transferred to another healthcare provider before the documents are destroyed.
Additionally, the Texas Medical Association recommends that patients with active medical files during the last two years have a 30-day notification prior to the expected date of destruction. And if parts of a patient record do not need to be kept for medical reasons, the board mandates that the record be maintained for seven years from the date of the last treatment before being destroyed. The board also notes immunization records are a permanent record and must not be destroyed.
According to the Texas Medical Association, the proper way to destroy medical records is to shred, burn, or recycle them. The AHIMA has issued the following guidelines for the proper destruction of eligible medical records:
• Destroy records so there is no possibility of reconstructing information.
• Develop methods to destroy computerized data permanently and irreversibly.
• Reassess destruction methods annually.
Further, specific documentation of the destruction should include the following:
• date of destruction;
• method of destruction;
• description of disposed series; and
• inclusive dates covered.
Additionally, healthcare facilities should obtain the following:
• a business association agreement for HIPAA compliance;
• a certificate of destruction;
• an individual’s signature; and
• a statement that records were destroyed in the normal course of business.
Finally, the destruction contract should include the following:
• method of destruction and time elapsed between acquisition and destruction;
• confidentiality safeguards;
• indemnification from loss due to unauthorized disclosure; and
• proof of destruction.
HIPAA and State Laws
It is important to recognize that only state laws contrary to federal requirements are eligible for an exemption determination. As defined by the Administrative Simplification rules, contrary means that it would be impossible for a covered entity to comply with both the state and federal requirements or that the provision of state law is an obstacle to accomplishing the full purposes and objectives of the Administrative Simplification provisions of HIPAA.
In general, a state law is “more stringent” than the HIPAA privacy rule if it relates to the privacy of individually identifiable health information and provides greater privacy protections for individuals’ identifiable health information or greater rights to individuals with respect to that information than the privacy rule does. For example, a state law that provides individuals with a right to inspect and obtain a copy of their medical records in a more timely manner than the privacy rule is “more stringent,” according to Health and Human Services.
Cruz says New Jersey responded to mandates to protect personal information beginning January 1, 2006. All businesses were required to take steps to protect personal information relating to any individual, including customers, patients, and employees. These steps include the following:
• Implement, enforce, and monitor document destruction policies and procedures.
• Research, monitor, and manage relationships with suppliers, vendors, and other third parties.
• Limit access to personal information to essential employees.
• Train employees to handle personal information confidentially.
Accepting liability in guaranteeing the privacy of medical documents can be a paradox, says Johnson. “Outsourcing contractors accept liability for damages that occur if they do not perform their professional services,” he says.
On the other hand, healthcare facilities do not give up their responsibility to guard patient privacy. “Medical practitioners cannot transfer their responsibility to protect patient information, but they can make outsourcing contractors liable for damages resulting from them not performing their duties,” says Johnson.
“Any company contracting an information destruction service should require that it provide them with a signed testimonial documenting the date that the materials were destroyed,” says Hoskins. “The certificate of destruction is an important legal record of compliance with a retention schedule. It does not, however, effectively transfer the responsibility to maintain the confidentiality of the materials to the contractor.”
Further, Hoskins says that if private information surfaces after the vendor accepts it, the court is bound to question the process by which the particular contractor was selected. Any healthcare organization not showing due diligence in their selection of a contractor that is capable of providing the necessary security could be found negligent.
“From a risk management standpoint,” says Hoskins, “if information is leaked by the fraud of negligence of a vendor, their obligations are irrelevant. The firm whose information falls into the wrong hands stands to lose the most, either from loss of business, prosecution, or unfavorable publicity. Since a business cannot transfer its responsibility to maintain confidentiality, it must be certain that it is dealing with a reputable company with superior security procedures.”
— Mary Anne Gates is a medical writer based in the Chicago area.
Once documents are shredded beyond recognition, they are sometimes recycled and turned into products for everyone to use. For example, Shred-It Indianapolis recycles the material it shreds for clients, according to account supervisor Julie Hoskins. The shredded material goes to a site where it is bailed into 2-ton blocks and sent to a recycler. The material is then turned into paper products such as paper towels, toilet paper, cereal boxes, and napkins, and the recycled items are sold to the hotel and motel industry.