In the News

An Information Destruction Program You Can Defend - That Will Defend You!
By Robert J. Johnson
Death and taxes are often jokingly referenced as the only sure things in
life. For purposes of this discussion, however, I’d like to, in all seriousness,
offer three others. 1) Hard-copy records of patient information will be created
in abundance and in many different forms. 2) Those records will eventually
outlive their usefulness, some in days, others in years, and will require
destruction. 3) Procedures to protect discarded patient information will
eventually be put to the test.
It is an understatement to say that HIPAA has healthcare information
professionals and institutions evaluating how patient data is handled at every
point. Therefore, it is appropriate to consider elements of an information
destruction program necessary for it to deliver the desired protection.
An information destruction program should include secondary and incidental
records, as well as stored records. The best place to begin building a
thoughtful, comprehensive information destruction program is to determine what
documents it should cover. It is very common to concentrate a program on those
documents that are neatly tucked away on shelves in file rooms and warehouses.
However, secondary and incidental records also constitute a significant risk to
patient privacy. Documents such as duplicate pages of forms, misprints, copies
of billing statements, hand-written memos, dietary menus, prescription slips and
appointment schedules are examples of incidental records that contain patient
information which should be protected by the same physical safeguards afforded
to stored records when they are discarded.
Secure collection containers should be used for the collection of discarded
information. It is easy enough to lock warehouses, storerooms and file cabinets
to protect stored records. However, when records are discarded, especially
incidental or secondary medical records, they are often deposited in unlocked or
open bins, sometimes even outside with public access. Of course, once those
incidental records are recognized as documents containing patient information,
the danger of this practice is apparent. If it is information requiring
destruction, it must be protected at every point, and the use of unlocked or
open receptacles to collect it is not prudent.
There should be specified, documented criteria used as the basis of selecting
an information destruction contractor. It is safe to say that the use of
information destruction contractors is the prevailing method for institutions to
destroy discarded media. The reality is, however, there are no regulations
governing this service and security procedures can vary considerably. And, while
some contractors do fraudulently represent their security standards, it is more
likely that a problem would result from undisciplined practices. It is,
therefore, important to specify what is required of the contractor in the
selection process.
Among the items to be required of an information destruction contractor are
employee screening, appropriate insurance, written procedures, access
prevention, monitoring and alarm systems, specific particle size, and a
custodial audit trail. Since the vendor for this service has the status of
“Business Associate” as defined by HIPAA, these points should be included as
addendums to the requisite contract.
There are other aspects of contracting an information destruction service
covered in AHIMA’s Practice Brief on records destruction such as the information
to include in the Certificate of Destruction and appropriate methods of
destruction. None of the requirements included there should present a problem to
a legitimate service provider.
The main reason for establishing criteria for selecting the contractor is
that the due diligence of the selection process must be apparent and defendable
in the event that those physical safeguards are ever breached, audited or
challenged.
In response to the varied security procedures of service providers, about 10
years ago several concerned industry leaders formed the National Association for
Information Destruction (NAID). The non-profit trade organization currently has
approximately 240 member companies, all of which subscribe to a strict code of
ethics. Recently, NAID went one step further by introducing a certification
program. And, while certification is too new to be a practical requirement at
this point, its ability to assure on-going compliance and its growing popularity
will make it very useful in the not-too-distant future.
Among the “sure things” introduced at the beginning of this article was the
claim that “procedures to protect discarded patient information will eventually
be put to the test.” At this point in time, HIPAA compliance is a goal. In less
than a year, it will be a requirement. Everyone from risk managers and insurance
companies to government regulators and investigative reporters will be testing
the system. If a program has holes, that is when they will become apparent.
HIPAA is about privacy protection but is also about accountability. Those
accountable for the protection of patient information had better, at the very
least, be able to defend their decisions when the system is put to the test.
Robert J. Johnson is the executive director of the Phoenix, AZ-based National
Association for Information Destruction, Inc. With over 20 years of experience in
the document destruction industry, he was instrumental in forming the
organization in 1993. As a result of his duties, Mr. Johnson has produced dozens
of articles and scores of presentations on the need for the protection of
discarded information and the elements of quality information destruction
programs. For more information, contact NAID by mail at 3420 E. Shea Blvd.,
#200, Phoenix, AZ 85028, by email at exedir@naidonline.org, or visit NAID’s web
page at www.naidonline.org.
