It doesn’t require covered entities to shred. Really, it doesn’t. It does, however, require covered entities to protect PHI and specifically uses shredding as one of several examples of appropriate safeguards for PHI. Here is the pertinent text:

We do not prescribe the particular measures that covered entities must take to meet this standard, because the nature of the required policies and procedures will vary with the size of the covered entity and the type of activities that the covered entity undertakes. (That is, as with other provisions of this rule, this requirement is “scalable.”) Examples of appropriate safeguards include requiring that documents containing protected health information be shredded prior to disposal, and requiring that doors to medical records departments (or to file cabinets housing such records) remain locked, and limiting which personnel are authorized to have the key or passcode. We intend this to be a common sense, scalable, standard.

This is the only place paper shredding is mentioned in the text of the law.

HIPAA also establishes penalties for willful or accidental release of PHI:

“SEC. 1177. (a) OFFENSE. — A person who knowingly and in violation of this part —

(1) uses or causes to be used a unique health identifier;

(2) obtains individually identifiable health information relating to an individual; or

(3) discloses individually identifiable health information to another person,

shall be punished as provided in subsection (b).

(b) PENALTIES. — A person described in subsection (a) shall —

(1) be fined not more than $50,000, imprisoned not more than 1 year, or both;

(2) if the offense is committed under false pretenses, be fined not more than $100,000, imprisoned not more than 5 years, or both; and

(3) if the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, be fined not more than $250,000, imprisoned not more than 10 years, or both.”