In 2018, the HHS Office for Civil Rights (OCR) settled with Filefax Inc. for $100,000 after the company left medical records — paper records containing protected health information — sitting in an unlocked vehicle. That case was a sharp reminder that HIPAA paper record requirements are just as enforceable as electronic safeguard mandates. Yet in my work with covered entities, I consistently find that organizations invest heavily in cybersecurity while leaving filing cabinets unlocked and fax cover sheets unattended.
The digitization of healthcare has not eliminated paper. Far from it. Intake forms, consent documents, printed lab results, prescription pads, and referral letters still circulate in nearly every practice. If your organization handles any form of HIPAA paper records, you are subject to the same Privacy Rule and physical safeguard requirements that govern electronic PHI.
Why HIPAA Paper Records Still Trigger OCR Enforcement
OCR does not differentiate between a stolen laptop and an improperly discarded box of patient files. Under the Breach Notification Rule (45 CFR §§ 164.400–414), any unauthorized access to unsecured protected health information — regardless of format — requires breach analysis, notification, and potential reporting to the Department of Health and Human Services.
Healthcare organizations consistently underestimate the volume of paper PHI they generate. Think beyond the chart room: sign-in sheets at the front desk, printed encounter notes carried between exam rooms, and sticky notes with patient callback numbers all qualify as HIPAA paper records containing PHI.
Between 2019 and 2024, OCR investigated hundreds of complaints involving improper disposal and unauthorized disclosure of paper-based protected health information. The penalties ranged from corrective action plans to six-figure settlements. The pattern is clear: paper compliance gaps are enforcement targets.
Physical Safeguard Requirements for Paper PHI
The HIPAA Security Rule's physical safeguard standards (45 CFR § 164.310) are usually associated with server rooms and workstation security, but the Privacy Rule separately requires safeguards for PHI in every medium, paper included. Your organization must implement reasonable administrative, technical, and physical safeguards to prevent unauthorized use or disclosure of all PHI, whatever form it takes.
Here is what that looks like in practice:
- Locked storage: Filing cabinets, chart rooms, and any area containing paper PHI must be secured when unattended. Key or badge access controls should be documented.
- Clean desk policies: Printed PHI should never be left visible on desks, counters, or printer trays. Implement a policy requiring staff to clear workspaces at the end of each shift.
- Fax safeguards: Fax machines that receive PHI should be located in restricted areas. Verify recipient fax numbers before sending and use cover sheets with confidentiality notices.
- Minimum necessary standard: Under 45 CFR § 164.502(b), only the minimum amount of PHI required for a given purpose should appear on any printed document. Avoid printing full records when a summary will suffice.
HIPAA Paper Disposal: Shredding Is the Baseline, Not the Best Practice
Improper disposal of paper records is one of the most common HIPAA violations OCR investigates. Simply tossing patient documents in a recycling bin or standard trash can constitutes a breach if those records are identifiable.
The HHS Guidance on Disposal of PHI specifies that covered entities and business associates must render PHI "unreadable, indecipherable, and otherwise unable to be reconstructed." For HIPAA paper records, that means cross-cut shredding, pulping, or incineration.
If you contract with a document destruction vendor, that vendor is a business associate under HIPAA. You must have a signed Business Associate Agreement in place before they handle a single page of PHI. I have seen organizations assume their shredding company "just handles it" — without a BAA, you own the liability for every page they mishandle.
Document Retention and Destruction Schedules
HIPAA does not prescribe a universal retention period for medical records — that falls to state law. However, HIPAA does require that policies and procedures, training records, and certain administrative documents be retained for six years from the date of creation or last effective date (45 CFR § 164.530(j)). Build your destruction schedule around the more restrictive of federal and state requirements.
The Workforce Training Requirement Most Organizations Underestimate
Under 45 CFR § 164.530(b), every member of your workforce must receive training on your organization's privacy policies and procedures. That training must address paper PHI handling — not just electronic systems. A nurse who leaves a printed patient summary on a break room table creates the same exposure as a misconfigured patient portal.
Effective HIPAA paper training should cover:
- How to identify paper documents that contain PHI
- Proper storage, transport, and handoff procedures
- Disposal protocols including shredding bin locations
- Incident reporting when paper PHI is found unsecured
If your current training program glosses over physical records, it is incomplete. A comprehensive HIPAA training and certification program should address both electronic and paper-based PHI scenarios with practical, role-specific examples your staff will actually remember.
Conduct a Risk Analysis That Includes Paper
Your HIPAA risk analysis — required under 45 CFR § 164.308(a)(1)(ii)(A) — should account for every location where PHI exists. That includes paper stored on-site, in transit, at off-site storage facilities, and in the hands of business associates. Map the full lifecycle of your paper records: creation, use, storage, transport, and destruction.
Ask your team these questions during your next risk assessment:
- Where are paper records stored overnight?
- Who has physical access to those storage areas?
- Are sign-in sheets visible to other patients in the waiting area?
- How are printed records transported between facilities?
- Is there a documented chain of custody for paper PHI leaving the premises?
If you cannot answer these questions with documented policies, you have a compliance gap that OCR would flag during an investigation.
Update Your Notice of Privacy Practices
Your Notice of Privacy Practices must accurately describe how your organization safeguards PHI — and that includes paper. If your NPP only references electronic health records and digital communications, it fails to reflect the full scope of your PHI handling practices. Review your NPP annually and ensure it accounts for paper intake forms, printed records, and physical mail containing patient information.
Build Paper Compliance Into Your Broader HIPAA Program
Paper is not a legacy problem — it is a current one. Every covered entity and business associate that touches physical documents containing protected health information must treat those documents with the same rigor applied to electronic data.
Start by auditing your physical environment. Walk through your office and look for exposed PHI on desks, in open bins, and near shared printers. Then formalize your policies, train your workforce, and document everything. If you need a structured starting point, HIPAA Certify's workforce compliance platform can help you build and track a training program that covers paper, electronic, and verbal PHI protections — all in one place.
OCR does not accept "we forgot about paper" as a defense. Neither should your compliance program.