Securing Health Record Disposal

The nature of the information about identifiable individuals contained in health records means that the majority of documents handled by healthcare organisations are confidential and highly sensitive. As a result it is of the upmost importance that any processing – including holding, obtaining, recording, using, disclosing, disposal and destruction – is carried out in accordance with the Data Protection Act (DPA). At this point it is worth mentioning that the DPA applies to personal information in general. Therefore, the principals discussed also apply to employee records, such as finance and personnel.

Retention Policies

Under the freedom of information legislation it is particularly important that the disposal of medical records – defined as the point in their lifecycle when they are either transferred to an archive or destroyed – is undertaken in accordance with established retention policies. Local retention schedules are usually based on internal requirements and are the responsibility of each individual healthcare organisation. Record retention periods should not be shorter than the minimum period set out in the Department of Health’s Records Management Code of Practice.

While the destruction of records is a serious and irreversible act, the continuing cost of storage and archiving of records for long periods must not be under estimated. Once records (including all copies) have reached the end of their administrative life and been selected for destruction, the process should be undertaken in a secure manner and in accordance with the DPA. It is the sole responsibility of each individual healthcare organisation to ensure the method utilised for destruction provides adequate safeguards against accidental loss or disclosure of records.

As well as being publically named and shamed, non compliance with the DPA heralds serious consequences and can result in criminal prosecution, non-criminal enforcement, audit or a monetary penalty notice of up to £500,000. The simplest and most cost effective way to ensure the highest levels of security and DPA compliance is for healthcare establishments to procure the services of a professional shredding company. This will allow healthcare organisations to reduce administration time and make financial savings as well as have complete confidence in the security levels of the disposal.

Procurement process
The sensitive and confidential nature of health records means that security is of the upmost importance throughout the procurement process. A shredding supplier at the very least should operate to ISO9001:2008 incorporating BS EN15713:2009, the European standard for the destruction of confidential information. A superior supplier will also put in place all the necessary confidentiality contracts. Before appointing a supplier it is crucial to validate all accreditations and confirm how they will keep information secure prior to shredding.

As standard an accredited supplier will provide locked secure consoles that can be strategically located and vary in size according to individual site requirements. In addition, confidential shredding bags should be supplied, to ensure any overflow of information from one-off purges or archive clearances is kept secure. These bags need to feature a peel and seal lip as well as the ability to be shredded and recycled along with confidential information. The customer service operators who handle the confidential information collections should only arrive at pre-agreed intervals, be uniformed, carry identification and been vetted to BS7858 with a ten year background check. 

Ask the right questions
It will pay dividends to seek out a shredding partner that can offer single source agreements for multi-site organisations. Before any formal agreement is entered into, the shredding supplier should offer a free review that includes a full proposal of the current and proposed situation. This should also take into account any regular record appraisal policies, including archive clearances that are already in place. To ensure that the shredding service remains competitive and as efficient as possible, it is recommended that regular reviews are undertaken throughout the duration of the service agreement.

Bear in mind that the single largest cost when using a secure shredding service is the placement of the secure consoles and frequency with which they are emptied. To ensure the most cost effective service, it is important to find a provider that can offer rapid response times and a degree of flexibility with the methods of document destruction.

Destruction methods
On-site and off-site shredding are the two main methods of document disposal and both offer healthcare establishments different benefits. On-site shredding is carried out by mobile shredding trucks which travel to the premises to shred documents. An accredited provider will be comfortable with allowing the records manager to witness the shredding process and upon completion present a certificate of destruction, which is confirmation that the information has been shredded.            

The certificate forms part of the necessary information that is maintained and preserved by the records manager about the destruction of records. For these reasons on-site shredding is often the preferred method for health organisations.

Once the information has been shredded it is compacted into the back of the truck and the paper is baled and sent for recycling. The main benefit of on-site shredding is that it offers the records manager peace of mind that all confidential documents are destroyed before the operator leaves the premises.

Off-site shredding involves a slightly different process and is better suited to larger or one-off consignments, such as periodical archive clearances. Customer service operators remove the confidential information from the consoles, bags or locked bins into a secure vehicle.

A secure process should ensure that the vehicle is never left unattended or unlocked at any time. Prior to leaving the site, the operator will provide a certificate describing exactly what has been removed. Within 24 hours of collection, the information is shredded via large industrial shredders, baled and dispatched for recycling. A certificate of destruction is subsequently issued.

A superior shredding provider will also ensure that all baled paper is sent to UK or European paper mills for recycling. A reputable supplier should be able to comply with any specific recycling requirement that contributes to an environmental policy.

For more information