by the AHIMA Privacy and Security Practice Council
Healthcare organizations have had a long-standing commitment to protect the privacy of patient health information during all phases of record creation, maintenance, storage, and final disposal. This responsibility is further required by federal and state laws and regulations, as well as by accreditation standards that specifically address the protection of patient information through the entire life cycle of the record-including disposal.
However, with tremendous resources and energies focused on compliance with HIPAA privacy and security standards, HIM professionals can sometimes lose sight of the big picture and be unaware of other critical external regulatory and accrediting influences. One example is the Life Safety Code, which guides the disposal of paper health records.
Exploring Different Disposal Methods
The HIPAA privacy and security rules have encouraged more aggressive assurances of appropriate reuse, disposal, and destruction of both paper and electronic protected health information (PHI). HIPAA’s requirement that paper records be disposed of in a manner that leaves no possibility for reconstruction of PHI has led to various disposal options, including burning, shredding, pulping, and pulverizing (recycling).
One popular method for the appropriate disposal of paper PHI is locked containers or shred bins, which organizations use to collect confidential paper waste for disposal at a later time. These bins are usually large containers or boxes placed strategically throughout the organization with openings or slots large enough to accommodate multiple sheets of paper.
The boxes are locked, and access is controlled by whomever is responsible for proper destruction of the contents. Responsibility may be internally assigned to the environmental services or housekeeping department or externally outsourced to a vendor (or business associate). The bins may be supplied by the organization or made available through a vendor.
From a HIPAA perspective, as with many other regulations and standards, these shred bins satisfactorily address an important step in safeguarding the privacy and security of PHI until final disposal and destruction.
The rationale for privacy protocol, however, isn’t always about HIPAA or what we know to be true as HIM professionals. There are other regulations and standards outside of the traditional HIM environment that must be considered, such as fire safety codes.
The Life Safety Code
Published by the National Fire Protection Association, the Life Safety Code (LSC) is a set of fire protection requirements that cover “construction, protection, and occupancy features necessary to minimize danger to life from fire, including smoke, fumes, or panic.”1
Healthcare organizations participating in Medicare and Medicaid programs must be in compliance with the LSC if they are not participating in accreditation by the Joint Commission or the American Osteopathic Association’s Healthcare Facilities Accreditation Program.
According to the Centers for Medicare and Medicaid Services, “In most cases, the State Survey Agency schedules the LSC survey to coincide with the health survey” (licensure and Medicare or Medicaid certification); “however, the timing of the LSC survey is left to the discretion of the agency.”2 The state survey agency determines whether the LSC survey occurs before, after, or simultaneously with the health survey.3 The Joint Commission surveys compliance to the LSC through its Management of Environment of Care standards.
What the Standard Says
LSC 184.108.40.206 addresses trash containers, setting limits based on size and density. Specifically, “containers cannot exceed a capacity of 32 gallons” unless they are placed in areas designated as hazardous. In healthcare settings, hazardous areas must be protected by sprinklers or fire barriers rated at one hour. Doors to hazardous areas must be self-closing or latching.4
Privacy officers and HIM professionals must be aware of this particular LSC standard, as shred bins are typically placed in areas that are convenient to staff, such as on nursing units, near copy machines, and in well-traveled hallways. Since these areas generally do not meet the definition of hazardous areas as defined by the LSC, the size of such bins placed in these areas may not exceed 32 gallons-a compliance factor that may be overlooked.
Privacy officers and HIM professionals are responsible for ensuring that shred bins are used, placed properly in the organization, and meet LSC size and setting requirements.
As noted, HIPAA and HIM operations are not the only motivating factors for the proper disposal of health records. Privacy officers and HIM professionals can raise internal awareness of other external regulations, standards, and codes that overlap with traditional privacy and security regulations and standards. Lack of awareness of these external influences may result in citations by state survey agencies, the Joint Commission, or other accrediting and licensing agencies. The following recommendations will assist privacy officers and HIM leaders in ensuring compliance beyond HIPAA and federal and state privacy and security regulations:
- Review all contracts with external vendors to determine the size of the shred bins the vendor intends to place in the facility
- Establish a HIPAA-compliant business associate agreement with vendors
- Determine ideal physical locations for shred bins and ensure that size is consistent with the setting (hazardous versus nonhazardous areas)
- Consult with internal facility or plant operations and environmental services or housekeeping leaders, as well as the organization’s safety officer, for additional guidance with regard to the LSC and any other external considerations that may influence use of shred bins (e.g., access, egress, pick-up)
- Continue to monitor the use of shred bins and containers during walk-through privacy audits to ensure ongoing compliance to the Life Safety Code
- National Fire Protection Association. “NFPA 101: Life Safety Code.” Available online at www.nfpa.org/aboutthecodes/AboutTheCodes.asp?DocNum=101.
- Centers for Medicare and Medicaid Services. “Life Safety Code Requirements.” Available online at www.cms.hhs.gov/CertificationandComplianc/11_LSC.asp
- National Fire Protection Association. Life Safety Code 8.4.
Lead authors: Nancy Davis, MS, RHIA, is director of privacy at Ministry Health Care and cochair of AHIMA’s 2007 Privacy and Security Practice Council (firstname.lastname@example.org). Anita Buescher, RHIA, CHP, is the privacy officer at Sutter Health. Nadia Fahim-Koster, CHPS, is the information privacy and security director at Promina Gwinnett Health System. Aviva Halpert, MA, RHIA, CHP, is chief HIPAA officer at Mount Sinai Medical Center. Beth Hjort, RHIA, CHPS, is a professional practice manager at AHIMA. James Lantis, Jr., MHA, RHIA, is the director of HIM at Henry Medical Center.
AHIMA Privacy and Security Practice Council.
"Beyond HIPAA: Don't Forget Regulations Such as the Life Safety Code"
Journal of AHIMA