As a HIPAA Business Associate or Covered Entity, you may rely on shredding services to make it easy to safely destroy papers and electronic media. But how do you really know what they’re doing with your paper?
How can you be sure that you’re not exposed to bigger risks by giving them your sensitive papers? And how can you be sure that your shredding service isn’t going to cause more problems than it solves?
As part of your compliance with your HIPAA business associate agreement (or GLBA and state privacy laws), you can’t just trust that your shredding service is doing all of the right things. You need to be sure. These six tips will help you to evaluate your current shredding service, or pick a new one.
1. Check your shredding service’s HIPAA Business Associate agreement.
Any good shredding service should be willing to sign a contract that commits it to taking privacy and security seriously, that gives you (the customer) a right to inspect its facility and its document handling processes, and that binds it to the same privacy and security laws (HIPAA, GLBA, etc.) that affect your company. In the healthcare space, as you know, this is called a HIPAA Business Associate Agreement. If they’re not willing to sign such an agreement, it’s a sign that you should talk to other shredding services.
2. Is your shredding service NAID certified?
NAID (the National Association for Information Destruction) certifies that shredding services actually know what they’re doing. It’s completely voluntary; shredding services don’t have to have NAID certification, but it’s a quick way for you to get a level of comfort that shredding services take privacy and confidentiality seriously. They offer a solid 9-minute video about the certification process. My favorite part is that NAID does random, unannounced audits of shredding services as part of the certification. One important note, though — NAID certification is by site, not by company. Make sure you confirm the certification for the site that will be doing your shredding, not just the company.
3. What kind of insurance does your shredding service carry?
Most shredding services are going to carry general liability insurance, and some articles recommend that it should be in the $2 million range. Another thing to consider, though, is whether or not shredding services also have data breach insurance that will cover your expenses (like remediation, notification, etc.) in the event that they’re at fault for a breach of your data. This is definitely a question to ask during the sales/contract negotiation process. Also make sure it’s written into any contract or HIPAA Business Associate agreement that you sign with the shredding service.
4. Your procedures are important too.
Make sure that your staff know what’s expected of them. Never store sensitive papers outside of locked containers. Never store locked containers outside of your building. Have someone accompany the people from the shredding service between your office and their truck. As part of your HIPAA Business Associate agreement, your customers may ask to see these procedures during an audit.
5. Good shredding services have a strong chain of custody.
Do you know what happens when they roll away one of those locked bins? If not, you should. If they bring it out to a truck and do the shredding right there, then that’s the best-case scenario (especially if one of your employees goes with them). But do they bring papers back to the warehouse for shredding? Then you need to get down and dirty and REALLY understand what happens to make sure that someone doesn’t grab a stack of papers from your bin. Do they weigh them before and after? Transport them in locked containers? Videotape all interaction with paper? Ask them to walk you through, step by step, exactly what happens to your documents. Your HIPAA Business Associate agreement gives you the right to do this.
6. What happens AFTER the shredding is done?
Shredding is not complete destruction of paper — someone who is properly motivated can still put the pieces back together. If the paper is brought to a third-party recycler after it’s shredded, how do shredding services know what happens there? They should have a plan in place to audit any vendors they work with, or better yet they should do the recycling within their own facility.