According to the Department of Health and Human Services’ FAQ about the Disposal of Protected Health Information, “a covered entity may, but is not required to, hire a business associate to appropriately dispose of protected health information (PHI) on its behalf.”
Related: How to securely dispose of PHI according to HIPAA standards
Legal basis for business associates handling PHI disposal
The legal provisions that govern covered entities when hiring business associates to perform functions involving PHI include:
- 45 CFR § 164.502(e) – This section states that a covered entity may disclose PHI to a business associate only if the business associate provides satisfactory assurances that it will safeguard the information appropriately
- 45 CFR § 164.504(e) – Requires covered entities to enter into a Business Associate Agreement (BAA) with any business associate handling PHI, ensuring compliance with HIPAA
- 45 CFR § 164.310(d)(2)(i)-(ii) – Establishes the requirement for proper disposal of PHI to prevent unauthorized access
Requirements for business associate agreements (BAAs)
The HHS states that, “The business associate contract also serves to clarify and limit, as appropriate, the permissible uses and disclosures of protected health information by the business associate, based on the relationship between the parties and the activities or services being performed by the business associate.”
Therefore, the BAA for the disposal of PHI would:
- Define the scope of the PHI disposal services
- Require the business associate to implement administrative, technical, and physical safeguards to protect PHI
- Outline the business associate’s obligation to report security incidents
- Ensure that any subcontractors also comply with HIPAA requirements
- Require the business associate to return or securely destroy PHI at the termination of the agreement
Methods of proper PHI disposal
According to HHS Guidance, covered entities and business associates must dispose of PHI in a manner that prevents unauthorized access, including:
- For PHI in paper records, shredding, burning, pulping, or pulverizing the records so that PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed.
- Maintaining labeled prescription bottles and other PHI in opaque bags in secure areas and using a disposal vendor as a business associate to pick up and shred or otherwise destroy the PHI.
- For PHI on electronic media, clearing (using software or hardware products to overwrite media with non-sensitive data), purging (degaussing or exposing the media to a strong magnetic field in order to disrupt the recorded magnetic domains), or destroying the media (disintegration, pulverization, melting, incinerating, or shredding).
Related: How to properly dispose of electronic PHI under HIPAA
Risks of non-compliance
Failure to properly dispose of PHI can result in severe penalties:
- Civil Penalties: Fines range from $100 to $50,000 per violation, up to $1.5 million per year for repeated offenses (45 CFR § 160.404).
- Criminal Penalties: Willful neglect can lead to fines up to $250,000 and imprisonment for up to 10 years (42 U.S.C. § 1320d-6).
FAQs
Do business associates need training on PHI disposal?
Yes, business associates must be trained on HIPAA compliant PHI disposal methods to avoid violations.
Can a business associate subcontract PHI disposal to another company?
Yes, but the subcontractor must also comply with HIPAA and have a proper agreement in place.
Who is responsible if a business associate improperly disposes of PHI?
Both the covered entity and the business associate can be held responsible for violations.
