Aug 23 2012

Wisconsin DHS Issues Memo Outlining Requirements for Confidentiality and Disposal of Health Care Records

Yesterday, the Wisconsin Department of Health Services Department of Quality Assurance (DQA) released a memorandum outlining requirements for the confidentiality and proper disposal of records containing protected health information (PHI). The memorandum, DQA Memo 12-015, supersedes the department’s previous memorandum, DSL-BQA-00-014.

The DQA notes that once record retention requirements expire, records must be disposed of in a manner that meets both federal and state standards.  In addition, providers who cease operations are responsible for ensuring that they and their business associates continue to comply with all federal and state standards for protecting the confidentiality of PHI. 

The memorandum outlines HIPAA-based health care record disposal requirements, which include ensuring that PHI is rendered unusable, unreadable, or indecipherable prior to disposal of records. The DQA notes the following HHS-approved destruction methods:

  • Paper, film, labels, or other hard copy media should be shredded or destroyed such that PHI cannot be read or otherwise reconstructed.

  • In accordance with National Institute of Standards and Technology Special Publication 800-88, Guidelines for Media Sanitization, electronic media should be cleared, purged, or destroyed such that PHI cannot be retrieved.

In addition to these federal requirements, Wisconsin health care providers and their business associates must also follow Wisconsin confidentiality laws. Under state statute, confidentiality requirements apply to all patient health care records in paper and electronic form, including all records on which written, drawn, printed, spoken, visual, electromagnetic, or digital information is recorded or preserved, regardless of physical form or characteristic. Under state standards, records containing personally identifiable information must be disposed of in a manner such that no unauthorized person can access the personal information.

Penalties for violations of HIPAA standards for confidentiality and proper disposal of health care records include fines up to $1.5 million, jail time, and/or investigation by the U.S. Department of Health and Human Services (HHS). Penalties for violating Wisconsin confidentiality laws (including violations by entities not subject to HIPAA) include fines up to $1,000 per incident or occurrence.