Steel City Shredding

Preserve Patients’ Privacy with HIPAA Compliant Medical Record Shredding Services

Pittsburgh has earned nationwide acclaim for its “Eds and Meds”: the cluster of universities, healthcare providers, and hospitals that serve patients, pursue critical research, and drive our regional economy.

These institutions and companies process millions of data points every day, including Protected Health Information (PHI). Protected Health Information is individually identifiable information that relates to a patient’s health condition, the services provided to that patient, and billing details, and that is held by a “Covered Entity” that must comply with the Health Insurance Portability and Accountability Act (HIPAA).

Proper disposal of sensitive documents and electronics that formerly contained electronic health records is not only sound practice but also mandated by HIPAA. That’s where Steel City Shredding comes in. We provide HIPAA compliant medical record shredding services for hospitals, healthcare providers, health insurance companies, and business associates throughout the Greater Pittsburgh region. They rely on us for mobile, on-site medical record shredding for paper documents, electronics at the end of their lifecycle, and e-waste. 

To get a better sense of how important it is for your company to have secure document shredding solutions, let’s first get a refresher on the elements of HIPAA.

A Helpful Overview of HIPAA 

If you’ve ever visited a doctor, you’ve probably heard the acronym HIPAA, which stands for the Health Insurance Portability and Accountability Act. This piece of legislation, signed into law in 1996, provides protections for patients’ Protected Health Information and electronic Protected Health Information (ePHI). 

HIPAA has several elements. 

  • The Privacy Rule safeguards most individually identifiable health information whether it’s on paper, stored and transmitted electronically, or delivered verbally by a Covered Entity (CE) or Business Associate (BA). We’ll go over what qualifies as a “Covered Entity” and “Business Associate” later in this article.
  • The Security Rule maintains national standards for the safekeeping of electronic Protected Health Information.
  • The Breach Notification Rule requires that any Covered Entity or Business Associate under HIPAA must provide a timely disclosure—no later than 60 days—if they experience a breach of Protected Health Information. 

HIPAA states that most medical records must be retained for a minimum of six years from the date of their creation, or their last use. Individual states have document retention laws, and if a state’s retention period is longer, it supersedes the six-year minimum set by HIPAA. For instance, Pennsylvania’s medical record retention period is seven years for licensed doctors and hospitals. 

Once a sensitive document with Protected Health Information or a digital device with electronic Protected Health Information no longer needs to be retained, it must be securely disposed of to remove the liability of being leaked, stolen, or misused. As Pittsburgh’s most secure document shredding solution, Steel City Shredding complies with all HIPAA, FACTA, and PCI DSS (Payment Card Industry Data Security Standard) standards. 

What Types of Companies Must Comply with HIPAA? 

The two main classifications for HIPAA are “Covered Entities” and “Business Associates”. 

Covered Entities are divided into three categories: healthcare providers, health plans, and healthcare clearinghouses.

  1. Healthcare providers include doctors, psychiatrists, dentists, chiropractors, pharmacies, and assisted living facilities.
  2. Health plans are made up of health insurance companies, government programs like Medicare and Medicaid, and health maintenance organizations (HMOs).
  3. Healthcare clearinghouses act as an intermediary between a healthcare provider and a health insurance company by converting raw medical data into a standardized format and processing claims.

A Business Associate performs certain services on a covered entity’s behalf. If this service involves the access or use of Protected Health Information, then the Business Associate must comply with HIPAA. Examples of a Business Associate are case management companies, IT solutions, and legal services, to name a few. The U.S. Department of Health and Human Services provides a helpful guide for classifying what qualifies as a Business Associate. 

Covered Entities and Business Associates oftentimes don’t have the capability to dispose of their sensitive documents and e-waste on their own. That’s why HIPAA compliant medical record shredding services from Steel City Shredding are the fast, affordable, and secure means to ensure Protected Health Information is never exposed. 

What Is Considered Protected Health Information? 

Earlier we gave a brief overview of Protected Health Information, but let’s dive deeper, because electronic and paper medical records have many unique identifiers: 

  • Names
  • Dates of birth 
  • Physical addresses
  • Social security numbers 
  • Medical record numbers
  • Account numbers 
  • Health plan beneficiary numbers 
  • Bill details and payment information 
  • Phone numbers
  • Email addresses 
  • Vehicle information like VINs and license plate numbers 
  • Web URLs and IP addresses 
  • Biometric identifiers like fingerprints or retinal scans 

That’s enough sensitive information that, if taken, could upend a patient’s life in a matter of seconds. In the hands of malicious actors, electronic Protected Health Information can be sold on the dark web, exploited to steal identities, or used in cyberattacks. On a consumer level, this data can be put up for sale to data brokers for use in marketing and advertising efforts without the individual’s consent. 

Patient privacy is paramount, and without HIPAA compliant medical shredding services, Protected Health Information is vulnerable to unauthorized access and distribution. 

Protected Health Information Breaches in Pennsylvania

The Department of Health and Human Services is obligated under the Health Information Technology for Economic and Clinical Health Act (HITECH) to post a list of data breaches of Protected Health Information that affect 500 or more patients.

In 2024 alone, Pennsylvania had 28 different breaches, with a total of 3,191,666 records exposed. From outside cyberattacks to unauthorized access by former employees, breaches can upset a finely-tuned organization in an instant and shatter the privacy of thousands of patients. 

If you’re a Pittsburgh-area healthcare provider, health insurance company, or business associate of a covered entity, you can’t afford to be slack in your disposal process. The HIPAA compliant medical record shredding services from Steel City Shredding complement all your data protection and cybersecurity efforts. Because if disposal of sensitive medical documents and e-waste is lax, a mountain of Protected Health Information is put at risk.

Imagine if your company faced a breach because hard drives containing electronic health records were not securely shredded. Then what if a disgruntled employee stole those hard drives and vindictively leaked the Protected Health Information on social media? You’d face blistering press coverage, a possible HIPAA audit, and hard questions from your company’s executive team, not to mention state and federal authorities. 

Insider threats are among the leading causes of data breaches. In 2015, Montefiore Medical Center in New York found that a clerk stole the electronic Protected Health Information of more than 12,500 patients and sold it to an identity theft ring. No company expects nightmare scenarios to happen to them—until they do.

That’s why it’s essential not to allow paper and e-waste disposal to be a weak point in your defenses. Let Steel City Shredding ensure that your and your Business Associates’ HIPAA compliance is airtight.

HIPAA Guidelines for Disposal of Protected Health Information 

The Department of Health and Human Services recommends that inactive medical records should be pulped, pulverized, burned, or shredded. Electronic and digital devices should first have their data deleted, overwritten, or altered. Then, the physical device can be shredded. 

Steel City Shredding can perform HIPAA compliant medical record shredding services for all of the following (and more).

  • Sensitive paper documents 
  • Laptops and computers 
  • USB drives and storage media 
  • Hard drives and solid state drives 
  • Cell phones and tablets 
  • Printers and copiers 
  • Servers and networking equipment
  • Data tapes and backup tapes 
  • X-Rays and medical imaging film 
  • Microfiche and microfilm 

Whatever your needs, we have the capabilities to completely destroy sensitive materials. Steel City Shredding can also dispose of paper, electronics, and other physical media like ID badges and security cards that may not fall under HIPAA but are still sensitive to your business and need shredding. 

What Defines A HIPAA Compliant Shredding Company? 

Steel City Shredding abides by all HIPAA regulations, and we take seriously our fiduciary responsibility to our healthcare clients. Here are some of the ways we stand out. 

NAID AAA Certified Shredding Company 

Our NAID AAA certification from the National Association of Information Destruction independently verifies our compliance with all known data protection laws. As part of this certification, we undergo scheduled and surprise audits conducted by security professionals. 

Certified Shredding Specialists 

The Steel City Shredding team is highly skilled and receives ongoing training to meet the evolving needs of our clients. You can have absolute confidence that our team is organized, efficient, and committed to proper procedure. 

Top of the Line Equipment 

When you see our mobile shredding truck pull up, you’ll know that the shredders inside are equal to any task. Whether it’s paper, e-waste, or specialized physical media, it will be permanently destroyed. 

Chain of Custody Documentation 

From collection to destruction, Steel City Shredding maintains a transparent, continuous line of accountability. 

  • We provide locked collection bins to keep your documents secure. 
  • We will perform on-site shredding services with our mobile shredding trucks. You can even watch the shredding process if you’d like. 
  • We supply an official certificate of destruction documenting the secure disposal of your sensitive medical records. 

The chain of custody for Protected Health Information is a long one, and we promise to be the unbreakable link at the end of it, delivering HIPAA compliant medical record shredding services for your company. 

Commitment to Sustainability 

At Steel City Shredding, we recycle 100% of your shredded paper and all eligible e-waste. This reduces your carbon footprint, saves precious resources, and prevents the harmful health effects associated with unrecycled e-waste. 

Choose Pittsburgh’s Most Secure Document Shredding Solution 

Data breaches have become the new highway robbery. Medical patients and consumers alike have grown weary of receiving letters in the mail notifying them that their personal information has been exposed. No individual wants to go through the time-consuming, peace-of-mind-robbing process of recovering their identity. 

With that in mind, the ethical principle of “Do No Harm” now extends to how your healthcare company maintains, transmits, and disposes of Protected Health Information. Patients come to you for treatment or insurance coverage, not to have their privacy violated. Steel City Shredding can help you protect against that grim possibility. 

By nature, the disposal of sensitive medical records and electronic media requires extra vigilance. When something has been labeled for the trash, human nature can fall victim to a sense of indifference. Then diffusion of responsibility sets in. It’s at the end of its usefulness. It’s unwanted. It’s not my problem. As you well know, your paper medical records and e-waste aren’t trash in the eyes of data thieves or team members with ulterior motives. To them, it’s a window of opportunity to exploit and profit for nefarious purposes. 

Steel City Shredding is your partner for reducing risk and addressing this security gap. Because in the end, we’re much more than a shredding service. 

We are an extension of your data protection protocols. 

We are a strong line of defense, serving as a credible partner at the end of your chain of custody.

We are a force multiplier, allowing you to serve your patients instead of dedicating time and budget to in-house document shredding and e-waste disposal.

Quote for HIPAA Compliant Medical Record Shredding Services 

Flexibility and affordability come standard when you do business with Steel City Shredding. 

We can do a one-time purge, a regular scheduled shredding service for ongoing needs, or even a custom service tailored to your unique requests. 

Whichever you choose, you’ll enjoy upfront pricing with no hidden fees. Our competitive rates give Pittsburgh-area healthcare providers and medical insurance companies great value. And in the end, investing in a HIPAA compliant medical shredding service costs far less than the budget that would be spent on responding to a data breach, notifying customers, and restoring your reputation. 

So, let Steel City Shredding be your added layer of security and trusted partner for medical document destruction. To discuss your shredding needs, call us at 412-496-1240 or contact us for a quote.

Note to Reader: The information found in this article is not comprehensive nor intended to serve as legal advice. For further guidance on the complexities of HIPAA, please seek legal counsel or direction from the appropriate federal and state agencies.