What Healthcare Organizations Should Look for in a Shredding Company
According to the World Health Organization (WHO), “Health workers are people whose job it is to protect and improve the health of their communities.” Protecting the community’s Protected Health Information (PHI) is part of that responsibility, and it is more complicated than it may seem.
The organizations that are most effective at protecting PHI have outsourced their shredding to a local, professional shredding company. But how do you know that the shredding company is legally compliant and meets the standards of your healthcare organization and team?
Here is our helpful guide to choosing the best shredding company for your healthcare organization.
Trained and Experienced
Look for a professional shredding company that trains its staff to understand and comply with the Health Insurance Portability and Accountability Act (HIPAA) and all other federal and state data privacy laws. They should have a team of experienced and knowledgeable shredding technicians that you can trust to protect PHI throughout the shredding process.
HIPAA has three main rules for protecting sensitive patient health information:
- The Privacy Rule requires that PHI handled by covered entities or their associates be protected while still allowing for the flow of information needed for the individuals’ health care and protecting public health.
- The Security Rule protects electronic PHI (ePHI) that covered entities create, use, receive and maintain.
- The Breach Notification Rule requires covered entities and business associates to provide notification of a PHI breach.
If your shredding provider is non-compliant, your healthcare organization will be liable for any data breaches, so it’s critical to partner with the right company.
Chain of Custody
Maintaining a secure chain of custody for PHI is a foundation of HIPAA compliance. Data must be tracked from creation or collection, creating a record of where it is stored, each time it is accessed, and when it is destroyed. This process is known as “cradle to grave.”
When you use a third-party organization to handle patient data, you are still responsible for its protection. Choose a shredding company that continues the secure chain of custody through the destruction process and provides you with a Certificate of Destruction to prove your compliance.
A Certificate of Destruction should contain the following information:
- The date of destruction.
- Your organization’s name and address.
- A workorder number that references the workorder you received on the day of service with the location, date, time, and initials of the driver or technician that performed the shredding service.
This certificate is required by both state and federal privacy laws.
ShredLink understands and complies with all state and federal laws including HIPAA. We provide recurring scheduled shredding and one-time purge shredding services to healthcare organizations throughout Southeast Louisiana. Give us a call at 504-885-0186 or complete the form on this page to talk with our experts about your HIPAA-compliant shredding needs.