How to Properly Dispose Protected Health Information (PHI)

by InstaCode Institute
February 27th, 2017

HIPAA requires covered entities to properly dispose of Protected Health Information (PHI) in the following manner:

The problem is that most of us are not computer gurus who can decipher all the technical requirements in the official Media Sanitization guidelines. So the question becomes, "just what is acceptable and what is unacceptable?" To help address this problem, the U.S. Department of Health and Human Services, Office for Civil Rights has released an FAQ which answers the following questions:

  1. What do the HIPAA Privacy and Security Rules require of covered entities when they dispose of protected health information?
  2. May a covered entity dispose of protected health information in dumpsters accessible by the public? 
  3. May a covered entity hire a business associate to dispose of protected health information?
  4. May a covered entity reuse or dispose of computers or other electronic media that store electronic protected health information?
  5. How should home health workers or other workforce members of a covered entity dispose of protected health information that they use off of the covered entity’s premises? 
  6. Does the HIPAA Privacy Rule require covered entities to keep patients’ medical records for any period of time?

We strongly encourage all healthcare providers and their staff to read through the FAQ's non-technical answers to ensure that their practice is in compliance.


In February 2015, NIST announced the first revision of the official Guidelines for Media Sanitization. This announcement explains that the new revision describes three types of media sanitization – Clear, Purge, and Destroy. There is a VERY helpful flowchart which shows when each type should be used.

We highly recommend that all covered entities review this announcement in a training session with all their staff. Print out the flowchart and post it where it can be seen as a reminder. Don't forget to record this training session in your Compliance Manual.

Also, don't forget to review your Policies and Procedures to ensure that they are updated to include this information. If you have an Information Technology (IT) department or service, be sure they review the technical specifications of the official Guidelines to ensure that you are in compliance. This IT department should also issue an official report which should be included in your Compliance Manual as well.



How to Properly Dispose Protected Health Information (PHI). (2017, February 27). Find-A-Code Articles. Retrieved from

© InnoviHealth Systems Inc
