
Destroying Patient Records – Three Tips for GDPR-Compliant Disposal in Medical Practices

“Patient Records in the Trash” – improperly disposed health data makes unpleasant headlines and damages the trust between doctor and patient. In addition, high fines may be imposed under the GDPR.

With these three simple tips, you’ll be on the safe side when destroying patient data.

1. Do not outsource the destruction of patient records to a service provider

2. Destroy patient records where they are stored in the medical practice

3. Purchase GDPR-compliant document shredders for the medical practice


1. Do not outsource the destruction of patient records to a service provider

Many medical practices hand their sensitive patient data to a service provider for destruction once the legal retention periods have expired. This appears to outsource both the responsibility and the tedious work. The problem: under the GDPR, the medical practice remains liable for violations, even if the fault clearly lies with the service provider.

In addition, the more stations the sensitive data passes through, the greater the risk that someone gains unauthorized access – with all the consequences for doctor, practice, and patient. The effort and costs of external disposal are often underestimated as well.

So, it’s better to shred them yourself!


2. Destroy patient records where they are stored in the medical practice

Patient data lying around in the medical practice waiting to be shredded is not a good idea from a data protection perspective. The rule here is: the fewer stations such sensitive data passes through and the fewer people who have access to it, the safer it is.

As a rule of thumb, it is recommended to have one document shredder per desk and one for the reception area. This way, patient records that are no longer needed can be destroyed immediately in compliance with data protection regulations. This also reduces coordination effort, prevents misunderstandings with legal consequences, and creates space.

Don’t let data waste out of your hands – destroy it right on the spot!


3. Purchase GDPR-compliant document shredders for the medical practice

Not all shredding is the same. Special data protection requirements apply to the destruction of sensitive patient data. Such medical records fall under Protection Class 3 of 3 as defined in DIN 66399 and ISO/IEC 21964, meaning they require a very high level of security. When purchasing document shredders for a medical practice, make sure they comply with at least Security Level P-5.

This means that a DIN A4 sheet is shredded into approximately 2,079 particles. Reconstructing such a destroyed sheet would only be possible with considerable effort. Depending on the equipment, modern shredders can also securely destroy other media in addition to paper, such as CDs, USB sticks, films, and foils.

Choose a document shredder that meets data protection requirements!
