HIPAA Requirements for Disposing PHI: A Guide for Florida Autonomous APRNs

  • Author: Venus Caruso

As a Florida autonomous APRN, you bear responsibility for safeguarding your patients' protected health information (“PHI”) throughout its lifecycle, including when the time comes to dispose of it. The Health Insurance Portability and Accountability Act (“HIPAA”) Privacy and Security Rules require secure disposal of PHI, including electronic PHI (“ePHI”), to prevent unauthorized access or impermissible disclosures. Failure to use HIPAA-compliant disposal methods may result in impermissible disclosures, potential data breaches, and penalties.

This post provides an overview of the main HIPAA requirements for the proper disposal of PHI and ePHI, followed by acceptable disposal methods for each.

HIPAA Requirements for Disposing PHI

HIPAA does not require any one specific disposal method. Instead, the Privacy Rule, codified in 45 CFR 164.530(c)(i), requires that you implement reasonable administrative, technical, and physical safeguards to protect PHI and ePHI, including during disposal. This includes having written policies and procedures covering the retention and disposal of PHI and ePHI, as well as training applicable workforce members of your autonomous practice.

The Security Rule, codified in 45 CFR 164.310(d)(2)(i) and (ii), further requires that your policies and procedures cover the disposal of ePHI and the hardware or electronic media on which it is stored. It also requires that you securely and permanently remove all ePHI from all devices and electronic media before they are reused.

Disposal Methods for Paper-Based PHI

For paper-based PHI, such as patient charts, billing forms, and printed reports, some acceptable disposal methods include:

  • Shredding

  • Burning

  • Pulping. This involves soaking shredded or torn paper in water, which may involve chemicals, to break the paper down into an indecipherable pulp mixture.

  • Pulverizing. This involves using industrial machines to grind or crush documents into fine particles or powder.

Each of the methods mentioned above renders the information essentially unreadable, indecipherable, and incapable of reconstruction, in accordance with HIPAA’s disposal requirements.

For efficiency purposes, consider using locked bins for accumulating paper-based PHI and contracting with a disposal vendor who qualifies as a HIPAA business associate. If you use a disposal vendor, remember to obtain a signed Business Associate Agreement (BAA) as required by HIPAA and to ensure HIPAA-compliant handling.

Disposal Methods for ePHI and Devices

For ePHI stored on your computers, tablets, phones, USB drives, external hard drives, servers, or other media, HIPAA requires the ePHI to be securely and permanently removed from those devices or media before they are reused or disposed of. Some acceptable disposal methods include:

  • Clearing. This process involves overwriting the media with non-sensitive data using software or hardware tools.

  • Purging. This process involves exposing the media to a strong magnetic field to disrupt recorded data.

  • Destroying. This process involves physical destruction through disintegration, pulverization, melting, or incineration.

It’s important to note that simply deleting files or reformatting drives is generally insufficient because the data contained in the files or drives may be recoverable. Instead, use a HIPAA-compliant, certified data destruction service or a reputable software tool designed for secure wiping. In each case, ensure you obtain a signed BAA from the service provider as required by HIPAA and to ensure HIPAA-compliant handling.

Closing Remarks

Similar to other HIPAA covered entities, Florida autonomous APRN practices must adhere to the same HIPAA guidelines for disposing of PHI, including ePHI. The key takeaway is to ensure that all PHI and ePHI, along with the devices and media they are stored on, are ultimately rendered unreadable, incapable of being reconstructed, and indecipherable to unauthorized individuals during and after their disposal.


If you would like to explore how Venus Caruso can assist you, reach out to schedule a complimentary consultation using the contact form or by emailing venus@carusolawoffice.com.

This post provides general information only and is not, and should not be, construed as legal advice or opinion for any individual matter or circumstance. Laws and regulations can change, and specific situations may require different approaches. Always consult a qualified attorney for advice tailored to your specific circumstances.
