Let me tell you what keeps me up at night.
After 16 years helping thousands of healthcare organizations and businesses across the Midwest maintain HIPAA and PII compliance, I've seen every mistake in the book. But one trend has emerged in the last several years that genuinely concerns me — and most of the organizations making this mistake don't even know they're doing it.
They've gone paperless. Or at least, mostly paperless. And they've concluded that means they're safe.
They're not. In fact, they may be at greater risk than ever before.
Here's the counterintuitive truth that most companies haven't fully reckoned with: as the volume of paper in your office decreases, the sensitivity of what remains on paper increases.
Think about what still gets printed or scribbled down today. It's not shipping invoices or meeting agendas. It's the records that matter most — patient diagnoses, prescription information, insurance details, Social Security numbers, handwritten notes from a physician. The mundane stuff moved to the cloud. The sensitive stuff still finds its way onto paper.
So when that paper gets improperly disposed of — tossed in a recycling bin, thrown in the trash, left on a desk — the probability that it contains protected health information (PHI) or personally identifiable information (PII) is dramatically higher than it was a decade ago. The risk per sheet of paper has never been greater.
This isn't a hypothetical concern. It's the pattern I see repeatedly across organizations of every size.
Many healthcare organizations believe they're compliant because they have a shredder in the break room. They're not.
HIPAA, FACTA, GLBA, and Sarbanes-Oxley don't just recommend secure destruction of medical records — they effectively mandate a documented, provable paper trail for that destruction. And here's the line I tell every client who thinks their office shredder is enough:
If you can't prove you destroyed it, in the eyes of the law, you didn't destroy it.
That's not hyperbole. That's how regulators and courts treat the question. When a covered entity comes under audit, investigators don't just want to see a written records retention and destruction policy — they want evidence that the policy is being executed consistently, reliably, and verifiably.
An in-house shredder cannot provide that evidence. A Certificate of Destruction from a certified third-party destruction provider can.
A Certificate of Destruction (COD) is more than a receipt. It is your primary legal defense in the event of a data breach or compliance audit. It documents:
This matters enormously. While your organization is always ultimately responsible for the data it generates, a COD creates a documented chain of custody showing when the physical paper left your control and entered the hands of a certified professional. It demonstrates that your organization took reasonable, documented steps to protect patient and client information — which is the standard regulators look for.
Without it, you're operating on a "trust me" basis. And "trust me" doesn't hold up in court.
Many smaller practices and businesses assume buying a shredder is the economical choice. When you run the actual numbers, it rarely is.
Consider a typical office shredding 5,000 sheets per month. A mid-range office shredder runs around $500. At 6 sheets every 10 seconds, that's roughly 2.5 hours of employee time per month — time that comes at a real cost, typically around $62.50/month for an hourly employee. Over the three-year lifespan of the equipment, you're looking at approximately $2,750.
A professional shredding service covering the same volume runs closer to $1,755 over the same period — a savings of nearly $1,000.
And that calculation doesn't include:
According to the National Association for Information Destruction (NAID), smaller offices carry a disproportionate compliance burden — a burden that often leads employees to simply bypass shredding altogether. A locked, secure collection container serviced by a certified provider eliminates this risk entirely.
Paper records are only part of the problem. When I ask clients where else sensitive information is being stored, the list is usually longer than they expect:
The smaller the device, the more information it can hold — and the more catastrophic the exposure when it's improperly discarded. This is an area where the gap between what organizations think they're managing and what they're actually managing is often enormous.
This isn't theoretical. The Office for Civil Rights (OCR) has made it abundantly clear through enforcement actions that improper disposal of medical records carries severe financial and reputational consequences.
CVS Pharmacy agreed to a $2.25 million HIPAA settlement — one of the earliest major enforcement actions — for improperly disposing of PHI.
Parkview Health was fined $800,000 for failing to securely dispose of paper records containing PHI.
New England Dermatology and Laser Center disposed of specimen containers with patient-identifying labels in regular dumpsters for nearly a decade. The result: the PHI of over 58,000 patients was exposed, and the practice settled with OCR for $300,640.
A medical billing practice was fined $140,000 in 2013 after its former owners left 67,000 medical records at a public dump.
These aren't rogue actors or large hospital systems with complex IT failures. They are ordinary practices making ordinary assumptions about disposal — and paying extraordinary prices for it.
Under HIPAA, fines for improper disposal range from $100 to $50,000 per violation, with an annual cap of $1.5 million per violation category. In cases of willful neglect that goes uncorrected, fines can reach $50,000 per incident. Beyond the financial penalties, there are corrective action plans, mandatory retraining, credit monitoring costs for affected patients, and — perhaps most damaging of all — the reputational harm of a public breach notification.
One of the most common compliance gaps I see is organizations that have a vague sense they should be destroying old records, but no formal schedule in place.
The right answer varies by document type, regulatory body, and industry-specific guidelines. As a general principle: keeping information longer than required increases your risk. Every extra day that unnecessary PHI exists in your office is another day it can be lost, stolen, or improperly disposed of.
Your record retention policy should account for regulatory requirements, industry-specific guidelines, and your own operational needs — and it should be executed on a consistent, documented schedule. The Shredder has developed a comprehensive Document Retention Guide covering recommended retention periods across business, insurance, tax, personnel, and other document categories. Download it from our Resource Center.
The key insight: scheduled, certified destruction on a regular cadence is fundamentally safer than sporadic, reactive purging. When destruction is routine, it gets done. When it's an occasional project, it gets postponed — and records pile up.
One reason organizations default to in-house shredding is that they assume working with a professional service is complicated, expensive, or disruptive. In our experience, the opposite is true. Here's how The Shredder's process works:
Step 1 — Consult. We start with a comprehensive needs assessment. We identify your material categories, evaluate what container types and sizes make sense, determine placement within your facility, and establish the right service frequency. Nothing is assumed; everything is tailored.
Step 2 — Design. We build a solution around you, not the other way around. You choose your containers and equipment. We provide transparent pricing with the flexibility to adjust as your needs evolve. Our goal is to save you money while protecting your compliance.
Step 3 — Implement. Equipment is deployed to your location. We confirm every detail — service setup, schedule, and account configuration — before we leave.
Step 4 — Service in Motion. From here, the process runs in a continuous cycle: you fill the secure containers, we arrive on your preset schedule to collect and shred on-site, and we provide your Certificate of Destruction. We monitor and adjust based on your changing needs.
That's it. No complexity. No disruption. No compliance gaps.
Here's something I'll say plainly, because I think it matters: all certified shredding services are roughly equivalent in what they do mechanically.
What separates a great partner from a vendor is whether they actually show up and answer the phone when you call.
At The Shredder, when you call us, a person picks up. We've built our business — serving thousands of organizations across the Midwest for over 16 years — on the belief that our clients' compliance and peace of mind deserve a human being on the other end of the line, not a call center or an automated email response. Our competitors are often large national companies more focused on scale than service. We're focused on you.
You shouldn't have to choose between compliance and a good experience. You can have both.
If your organization is moving toward a paperless model, that's smart. But don't make the mistake of assuming reduced paper volume means reduced risk. The records still being printed, scribbled, and filed are your most sensitive ones — and they deserve a disposal process that's certified, documented, and defensible.
In-house shredding is not that process. It never was.
You have options beyond the large national chains. A certified, locally accountable partner who knows your business, answers your calls, and provides a Certificate of Destruction every single time is not a luxury — it's the minimum standard your patients, clients, and legal obligations require.
If you're ready to close the gap between where your compliance program is and where it needs to be, we're here to help — and we'd love to make it easy.
Contact The Shredder today at www.the-shredder.com or call 515.280.3013.
The Shredder is a NAID AAA Certified secure document destruction provider serving healthcare organizations and businesses across the Midwest. This article is intended for informational purposes and does not constitute legal advice. Consult a qualified legal professional regarding your specific compliance obligations.