Q&A: Disposal of printed PHI

Q: If employees are working remotely and accessing protected health information (PHI) not only on their computers and mobile devices, but printing it as well, how should they safely dispose of the printed PHI?

A: Printed PHI needs to be fully and completely destroyed. If it gets in the wrong hands, it is a breach that needs to be reported to OCR. The best way to destroy the paper is to provide remote workers with a crosscut shredder, at minimum. It is a good idea to periodically remind employees of the rules around printing PHI. This may include a statement that printing PHI is by exception only and a definition of an exception.

Editor’s note: Chris Apgar, CISSP is president of Apgar & Associates, LLC, in Portland, Oregon. He is also a BOH editorial advisory board member. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are those of the author and do not represent HCPro or ACDIS.