What is the Health Insurance Portability and Accountability Act (HIPAA)?

Enacted in 1996, HIPAA is a federal law that was created to prevent abuse of personal health information (PHI), including unauthorized access. HIPAA applies to any and all organizations or individuals ("Covered Entities") who retain or collect health-related information. Examples include hospitals, doctors, dentists, insurance companies, counselors, billing centers and collection agencies.

The HIPAA Privacy Rule requires that organizations "maintain reasonable and appropriate, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of protected health information" (PHI). PHI includes names, contact information, account numbers, license numbers, dates of birth and other information.


On February 17, 2009, President Obama signed the American Recovery and Revitalization Act of 2009 (ARRA) into law. Title XIII of the Recovery Act, known as the Health Information Technology for Economical and Clinical Health (HITECH) Act, encourages the advancement of health information technology and broadens HIPAA privacy and security requirements.

Most notably, the legislation makes business associates, and not just the covered entities to which they provide services, directly subject to HIPAA's privacy and security requirements as well as the penalties for violating those requirements. Additionally, business associates that experience a data breach are required to notify the covered entity with which they have contracts.

Each state's Attorney General has clear and explicit authority to enforce HIPAA, with a new tiered penalty structure - amounts ranging from $25,000 to as much as $1.5 million - depending on the "intent" behind the violation.

How do I comply?

Organizations covered under HIPAA, regardless of size, must implement policies and procedures to ensure PHI is properly safeguarded and not improperly disclosed. While HIPAA does not mandate a method for destruction, "shredding prior to disposal" is identified as an appropriate safeguard. In addition, covered entities are required to enter into a contract that incorporates the provisions of ARRA/HITECH, known as a Business Associate's Agreement, with vendors who have access to PHI.

How can Ohio Mobile Shredding help?

  • As an authorized NAID® Information Destruction Compliance Toolkit representative, we can help you develop the information destruction policies and procedures required for compliance.
  • We provide you with a Confidential Destruction Agreement warranting that Protected Health Information (PHI) is destroyed in accordance with NAID Certified® standards and practices and Reasonable Care requirements.
  • We provide you with a Business Associate's Agreement, drafted by a leading privacy attorney in Washington, D.C., that incorporates the necessary provisions required by ARRA/HITECH.
  • Because compliance with HIPAA requires safe disposal of more than just documents, we provide certified destruction of your hard drives, microfilm, fiche and other types of data.
  • Our EasyShred service provides you with consistent, reliable, and cost-effective shredding and ensures PHI is safeguarded and destroyed in accordance with the HIPAA Privacy Rule. Compliance is achieved in 5 easy steps:
    1. We help you write information destruction policies and procedures (This step is optional)
    2. We provide your offices with free lockable document disposal containers that prevent unauthorized access to sensitive information
    3. On a schedule that suits your needs, our bonded and insured shredding specialists shred the PHI quickly and securely
    4. With every service visit, we provide you with a numbered Accountability Receipt documenting a chain of custody and a chronological history of your shredding practices – a shredding "log" for your records
    5. We provide you with a Certificate of Destruction: a third-party verification that your information was completely and confidentially destroyed in accordance with NAID Certified® specification and the HIPAA Privacy Rule