How to properly dispose of PHI: How using a local shredding company can keep you HIPAA compliant.
What are the risks of improper disposal of PHI?
Imagine paying a $50,000 dollar fine for improper destruction of Patient Health Information (PHI). We are going to create a real-world scenario where a company improperly disposes of its PHI. Jane Doe owns a small practice in Los Angeles that specializes in urology. Jane and her colleagues are great at what they do, but margins are thin. Jane’s team always does its best to help the business save money in practical ways. Instead of using a NAID-AAA Certified Shredding Service, Jane figured she could save a few hundred dollars by throwing her documents into a dumpster. Jane brushes off the incident, but a month later, she is facing a HIPAA audit for improper disposal of PHI and facing up to $50,000 in fines!
Why Does Proper Disposal of PHI Matter?
Patient Health Information (PHI) is any information in the medical record or designated record set that can be used to identify an individual, and that was created, used, or disclosed in the course of providing a health care service such as diagnosis or treatment. Here are some examples of PHI:
Names
All geographic subdivisions smaller than a state (e.g., street address, city, county, precinct, ZIP code — with exceptions for the initial three digits in certain cases)
All elements of dates (except year) directly related to an individual (e.g., birth date, admission date, discharge date, date of death)
Telephone numbers
Fax numbers
Email addresses
Social Security numbers
Medical record numbers
Health plan beneficiary numbers
Account numbers
Certificate/license numbers
Vehicle identifiers and serial numbers (including license plate numbers)
Device identifiers and serial numbers
Web Universal Resource Locators (URLs)
Internet Protocol (IP) address numbers
Biometric identifiers (e.g., finger and voice prints)
Full-face photographic images and any comparable images
Any other unique identifying number, characteristic, or code (except as permitted for re-identification)
Proper disposal of PHI is critically important to maintain HIPAA compliance. Why is it important? Improper disposal can lead to unauthorized access by others. This potentially exposes your patients to identity theft, discrimination, employment issues, reputational harm, or other serious privacy violations. A leak of PHI puts your patients at risk, your reputation at risk, and your business at risk.
What is proper disposal as defined by the HIPAA Privacy Act?
There are a few methods you can use for the proper disposal of paper documents according to the Department of Health and Human Services. Click here for an HHS article on proper disposal.
For PHI on paper records, the HHS recommends shredding, burning, pulping, or pulverizing. Any method that renders the paper unreadable, indecipherable, and unable to be reconstructed.
For labeled prescription bottles or bags with PHI, you should store them in opaque bags in a secure area until they are able to shred. For shredding of non-paper products, visit our Product Destruction Service Page.
For PHI stored on electronic media, the HHS recommends clearing, purging, or destroying the media. We do not provide clearing or purging services, but we do offer destruction! Click Here to learn more about our hard drive shredding program.
For the most up-to-date information on HIPAA compliance methods and requirements, please visit HHS.gov
Common mistakes when handling PHI in-house.
You can absolutely stay compliant with proper destruction in-house, but it often comes with its own risk. Most often, companies will rely on in-house shredders to destroy their documents. There are a few downsides to this method. First, many of the shredders used in offices lack the security of industrial shredders. Depending on the type of shredder you use, the documents can almost always be reassembled. We recommend watching this video from the inside addition, where they try to reassemble documents from an office shredder. Click Here to watch.
Another thing to consider is the lack of documentation when shredding in-house. When you shred with a NAID-AAA company, you will always be provided with a Certificate of Destruction (COD). This established a record of responsible disposal, protecting you in the case of an audit.
Why Professional Shredding is the Best Practice.
When it comes to protecting PHI, the best practice is to always use professionals. When choosing a company, make sure they are NAID-AAA certified. This is the benchmark in data security and puts strict requirements on shredding companies. When using a NAID-AAA company, they will be using a cross cut shredder, this renders the paper unreadable. After the paper is shredded, it is mixed with thousands of other documents and stored in a locked container until it arrives at a facility for recycling. There is a strict chain of custody that shredded and non-shredded paper follows. To learn more about the chain of custody, Click Here. You can rest easy knowing that all of your paper will be recycled into new paper products, helping to create a green and cleaner world for all of us!
Should you use a Local Company or a National Provider?
Unless you run a nationwide company yourself, a local shredding provider is always going to be the better option! Let’s list a few reasons why you should use a local service.
Faster Response Times: Local companies only have a few service areas they cover makeing it much quicker to get to you! When you use a local shredding company, you can get your service within 24-48 hours in most cases! For instance, our company services the Greater Los Angeles Area, San Bernardino, Orange County, Riverside, and San Diego 5 days a week!
Personalized Service: One of the perks of using a smaller company is that they can provide more tailored services to meet your needs. For example, if you have a specific time you need your service, or if you have your shredding on the second floor of your building. Most national providers don’t have the flexibility to fit your needs as a customer, and if they do, just know you will be ridiculously upcharged!
Lower Risk of Cancelation: Like any service buisness things happen and mistakes are made. However, the odds of getting rescheduled or having your pick up canceled by a national company are sky high! In my years in the shredding business, I have seen hundreds of customers come to us because they consistently get their service canceled by their national company. Local shredding companies are much more reliable when it comes to on-time pickups and quality service!
Cost-Effective: Using a local shredding company is almost always going to save you money! Almost every time I see a bill from a national company like Iron Mountain or Shred-It, the bill is 2-3 times more than what other local companies or we charge! Needless to say, with less overhead, local providers are able to give you a much better price!
HIPAA Compliance: You get the same HIPAA compliance with a local company as a national provider, as long as they are NAID-AAA Certified! This makes it a no-brainer for healthcare companies and hospitals to use local companies!
Step-By-Step Guide: How to Dispose of PHI
Let’s make it easy for you to dispose of your PHI with a step-by-step guide!
Assess your PHI Inventory and retention requirements:
Most documents need to be stored for 6 years. For more info on HIPAA retention requirements, here is a link to an article from The HIPAA Journal. Click Here
Develop/ Update your disposal and destruction policies and train staff:
Update your internal policies to have a 100% shredding policy and make sure staff are properly trained on where to discard old papers.
Choose a NAID-AAA Shredding Provider:
No matter where you are, there are many great local NAID-AAA certified providers. Our mobile shredding service covers all of Southern California!
Schedule your On-site Shredding:
An On-site Shredding service is the most secure way to shred! Our mobile shred trucks come to your location and shred all of your documents before leaving. All of our trucks are equipped with HD cameras so you can view the shredding live! To get a quote today, Click Here!
File your COD and feel confident that your PHI has been destroyed:
With any NAID-AAA certified company, you will receive a Certificate of Destruction (COD). This is for your records to show that you have a responsible track record of document shredding.
Follow these 5 easy step and you will have a HIPAA-compliant shredding program that will protect you and your customers’ PHI!
The Bottom Line With PHI
Proper Disposal of PHI and medical records is more than just a regulatory requirement. It is a fundamental responsibility that safeguards patient privacy, maintains trust in your practice, and shields your organization from severe financial, legal, and reputational consequences. HIPAA requires that PHI be rendered unreadable, indecipherable, and incapable of reconstruction before disposal, and improper methods. Partnering with a local, NAID AAA-certified shredding company provides verifiable compliance through:
On-site mobile shredding that minimizes handling risks
Witnessed destruction
A documented Certificate of Destruction for your records
Eco-friendly recycling that aligns with sustainability goals
For healthcare providers in Southern California, choosing a trusted local provider means faster response times, personalized service, and stronger accountability compared to distant national chains. Don't leave compliance to chance. Implementing a clear PHI disposal policy, training your team, and regularly scheduling secure shredding services ensures you stay audit-ready while prioritizing what matters most: protecting your patients.
Ready to simplify HIPAA-compliant document destruction? Contact our NAID-certified team at Mobile Shredding Services today for a free, no-obligation quote on convenient, on-site shredding tailored to your practice's needs. With over 40 years of shredding experience, there is no better choice. Click Here to get Started!
