A Comprehensive Guide for Physicians and Hospitals for Safe and Compliant Medical Record Shredding Services


Medical record shredding is a critical process in healthcare organizations to ensure the privacy and security of patient information. It is not only a best practice but also a legal requirement under laws such as the Health Insurance Portability and Accountability Act (HIPAA). This guide provides an overview of best practices, service providers, and laws and regulations related to medical record shredding.

Best Practices

1. Retention and Destruction Schedule

The difference between HIPAA and state regulations for medical record retention lies in the scope and specifics of the retention period requirements. HIPAA, the federal Health Insurance Portability and Accountability Act, sets a general retention requirement for HIPAA-related documents, which must be retained for six years from the date they were last in effect or from the date of their creation, whichever is later. However, HIPAA does not specify retention periods for medical records themselves.

State regulations, on the other hand, provide specific retention periods for medical records and can vary significantly from state to state. For example, some states may require medical records to be retained for five years, while others may require them for ten years or more. In cases where state laws require a longer retention period than HIPAA, the state laws take precedence.

Additionally, state laws may have particular requirements for different types of records or for records pertaining to minors. For instance, some states require that records for minor patients be kept for a certain number of years after the patient reaches the age of majority.

Healthcare providers must comply with both HIPAA and their respective state laws, adhering to the longer retention period if there is a discrepancy between the two. It is important for healthcare providers to be aware of and understand both sets of regulations to ensure compliance and avoid potential penalties.

2. Secure Storage Before Shredding

Before shredding, documents should be stored in secure containers to prevent unauthorized access. Protection measures include fire suppression and climate-control systems, on-premises video surveillance, and locked facilities.

3. On-Site Shredding

On-site shredding is a common method for medical record destruction. A shredding truck equipped with an industrial shredder comes directly to your location to shred the documents. This allows you to witness the document destruction yourself, ensuring the process is secure and compliant.

4. Certificate of Destruction

After the shredding process, the service provider should issue a Certificate of Destruction. This document provides proof of compliance and contains detailed information about the shredding process.

5. Regular Assessment of Destruction Plan

Regularly reassess your destruction plan to ensure your office is using the best document destruction methods.

Service Providers

Here is a non-exhaustive list of companies that provide medical record shredding services:

  • Shred-it: Shred-it offers medical shredding services for healthcare facilities, hospitals, independent doctors’ networks, and solo healthcare practitioners. They provide secure data destruction services and have a large service footprint in North America.
  • Shred Nations: Shred Nations provides compliant document management and record shredding services. They offer a suite of services to help practices safeguard their patients’ information.
  • PROSHRED Security: PROSHRED provides medical record shredding services for healthcare facilities, hospitals, clinics, nursing homes, and healthcare professionals. They are the only on-site shredding company in the US that is ISO 9001 certified.
  • Record Nations: Record Nations offers full-service scanning and storage for medical records nationwide. They partner with trusted providers that are HIPAA and HITECH compliant.
  • MedPro Disposal: MedPro Disposal offers HIPAA-compliant data and document destruction services. They provide services for hard drives and paper patient records.
  • Vital Records Control (VRC): VRC provides document management solutions tailored for various industries, including healthcare.
  • Access: Access is a leading provider of commercial document destruction services. They offer on-site and off-site shredding, as well as recycling and disposal programs.

Please note that while all these companies provide medical record shredding services, the specifics of their offerings may vary. It’s important to research each provider to determine which one best fits your needs.

Laws and Regulations

HIPAA Compliance

HIPAA specifies the level to which patient information must be destroyed before it is disposed of. It also outlines timelines under which shredding must occur. HIPAA doesn’t specifically say shredding is the only option for data destruction, but it does require proof of compliance, which shredding services offer by providing certificates of destruction.

Accountability and Training

Any person involved in the destruction of Protected Health Information (PHI) must be trained on disposal policies and procedures. Accountability is essential to reduce potential breaches or non-compliance.


Even if you work with a third-party shredding service, the responsibility and liability for ensuring total compliance in document destruction fall to you, the healthcare facility.

By following these best practices and regulations, healthcare providers can ensure that patient information remains confidential and protected. It’s not just a matter of legal compliance; it’s about building and maintaining trust with patients who expect their sensitive information to be handled with care.