What Are the Proper Guidelines for Shredding Medical Records?

December 23, 2021

In 1996, Congress passed the Health Insurance Portability and Accountability Act (HIPAA), a federal statute that modernized the flow of healthcare information, stipulates how personally identifiable information maintained by both the healthcare and healthcare insurance industries should be protected from fraud and theft, and addressed some limitations on healthcare insurance coverage.

Generally speaking, HIPAA prohibits healthcare providers and healthcare businesses, referred to as, “covered entities,” from disclosing protected information to anyone other than a patient and the patient’s authorized representatives without their consent. HIPAA also states that these entities have an obligation to not only regulate how and with whom they share protected information with, but to avoid, “incidental,” disclosure of protected health information (PHI), including during disposal.

Any documents that contain individually identifiable information are considered protected health information

What Is Considered Protected Health Information?

Any documents that contain individually identifiable information are considered protected health information. Information like names, birthdates, physical addresses, or social security numbers are a few examples of protected health information, and any documents that contain such data must be destroyed.

What Is the Proper Way To Destroy Medical Records?

According to HIPAA, a properly destroyed PHI document is defined as being rendered, “unreadable, indecipherable, and otherwise unable to be reconstructed.” While HIPAA does not require any specific method of disposal, PHI cannot and should not be abandoned in dumpsters or public containers, including recycling bins. Failing to properly dispose of records can lead to civil money penalties, the amount of which is determined by the secretary of the Department of Health and Human Services (HHS)

Because of these requirements, shredding has become a popular disposal method of PHI. To avoid receiving any fines or other punishments pertaining to HIPAA violations, it is important to be mindful of the proper guidelines for shredding medical records.

When Should You Discard Medical Records?

HIPAA requires covered entities to keep medical records for six years from the date of their creation or last use, whichever comes later. If a state requires covered entities to keep a record longer than six years, then their law overrides HIPAA; in Texas, the standard is seven years for doctors’ offices, and ten years for hospitals.

Shredding is the preferred choice for document destruction

Which Is an Acceptable Method for Disposing of Medical Records?

Redaction is expressly forbidden in both the federal and Texas records destruction guidelines; entities cannot simply whiteout any personally identifiable information and toss the file into the trash. As mentioned above, shredding has become the preferred choice for document destruction, with many covered entities opting to use a  mobile shredding service.

With a mobile shredding company, a truck with an industrial-grade shredder comes directly to a given location and shreds any documents containing PHI. Off-site shredding is also a cost-effective alternative for covered entities.

As the name suggests, off-site shredding services come to your location, pick up the medical records, and take them to their facilities for destruction using an industrial shredder. Locked bins are used to secure the documents during transport, and rather than traditional strip shredding, industrial shredders use cross-cut shredding to meet HIPAA regulations of making the information indecipherable.

A reputable medical record shredding company should provide you with a Certificate of Destruction (COD) to document the disposal for your compliance records. Failure to show compliance with HIPAA regulations could result in fines ranging from as low as $100 for an unknowingly committed violation, corrected within 30 days, to $50,000 for willful neglect.

Criminal charges are also a possibility for individuals and covered entities who violate HIPAA regulations. In these cases, penalties can range from a $100,000 fine to up to five years in prison. So, to avoid any potential fines or charges, it is best to pick a trustworthy service.

For digital/electronic files, HIPAA regulations simply require a complete deletion by an authorized IT professional. But, to dispose of the computer that was used to store medical data, it must be physically shredded by a company capable of such a procedure.

The last of the guidelines for shredding medical records is that healthcare services should not send any records that are being cited in an ongoing investigation, legal suit, or are currently being used for treatment to the shredder.

Many entities trust professional services for their medical records shredding.

Secure Document Destruction With MedCycle

MedCycle can help covered entities abide by HIPAA regulations with our secure containers and thorough shredding process. We instantly provide our partners with a Certificate of Destruction via email, making it easy to keep your operations within HIPAA regulations. Contact us today to learn more about the guidelines for shredding medical records, and see how MedCycle can help you.


MedCycle is a full-service biohazard waste disposal company, providing safe and cost effective management of regulated biomedical and hazardous waste. We pride ourselves on our excellent customer service. We value our clients and will do everything possible to meet your needs.