HIPAA and the New York State Public Health Law require only that records be destroyed in a secure manner; one such manner is shredding, or using a reputable shredding service to perform that function. Typically, the shredding company picks up the material at your office. However, it is permissible to deposit material in a secure receptacle that is accessible only to qualified shredding company personnel and not to the general public. You should have what is called a “HIPAA business associate contract” with the disposal company that spells out its responsibilities to maintain the security of the receptacles and to protect the records from any disclosure prior to final destruction. You cannot just deposit records in a dumpster or a recycling box of some kind. You need to be confident that the particular company will keep the material secure and that its deposit boxes are not accessible to any unauthorized persons. All of that should be in the HIPAA business associate contract. If they are familiar with HIPAA as they state, they should have a HIPAA business associate agreement on file that they can readily use. Otherwise, even if their box is secure, if the records somehow get out into public view due to any negligence on their part, you will bear the entire burden for that event.
Acknowledgement: a very knowledgeable General Counsel friend