Did you know that a significant number of hard drives bought on the secondhand market still contain personal information, even when there are obvious indications that someone attempted to overwrite it? The HIPAA Privacy Rule requires that “covered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information (PHI).” This means that your practice must have safeguards in place that limit any disclosure of PHI.
The HIPAA Security Rule further requires implementation of policies and procedures regarding the secure disposal and re-use of electronic devices and media containing electronic PHI (ePHI) so that it cannot be retrieved:
"Implement policies and procedures to address the final disposition of [ePHI] and/or the hardware or electronic media on which it is stored."
If hard drives, CD-ROMs, and other media storage devices are not properly erased or destroyed, ePHI can be easily recovered. You must make sure your patients’ ePHI is inaccessible before the devices that it is stored on are destroyed, given away, sold, or discarded. Beyond smashing your hard drives with a hammer (which we do not recommend, because toxic chemicals could be released), what steps should you take to erase sensitive files and information?
Note: The Privacy and Security Rules do not require a particular disposal method. It is up to you to determine what steps are reasonable and appropriate to safeguard your patients’ PHI through disposal, and implement policies and procedures to carry those out.
Before You Destroy Records
Just as important as actually destroying your patients’ digital medical records, when necessary, is the preparation that is required. HIPAA requires training on disposal for any employee involved in disposing of PHI, or who supervises employees who dispose of PHI. This includes part-time employees and volunteers.
Your facility is required to have a digital media management plan that governs the receipt and removal of hardware and electronic media that contain ePHI into and out of your facility, as well as their movement within your facility. This plan should include a destruction plan and, if a third-party vendor is used, how the equipment is staged and stored prior to transfer. All digital media leaving your facility should be properly inventoried and recorded to establish accountability and a secure chain-of-custody.
Finally, if you plan on using a third party to handle or dispose of confidential patient information, you are required to execute a Business Associate Agreement.
This comprehensive guide to media sanitization can help you develop policies and procedures for managing your digital media throughout its life cycle, including information disposition, sanitization, and control decisions.
Can’t I Simply Press the “Delete” Button and Reformat?
Pressing the “delete” button or reformatting does not remove data from a computer’s hard drive. Doing so erases only the index, and freely available software can still access the information. The hard drive must be properly sanitized—that is, all of the information must be removed. In general, proper disposal methods may include:
- Clearing - using software or hardware products to overwrite media with non-sensitive data
- Purging - degaussing or exposing the media to a strong magnetic field in order to disrupt the recorded magnetic domains
- Destroying - disintegration, pulverization, melting, incinerating, or shredding
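A verification pass for the "clearing" method above, as an added example that is not part of the original article: it scans a disk image for blocks that still hold data after a delete-and-reformat, and again after a full overwrite. The image, the record text and the `clear_image` / `residual_blocks` helpers are constructed for illustration, and the code works on a file image only, never on a real device.

```python
import os
import tempfile

BLOCK = 4096  # bytes compared per read; an assumed size, not a HIPAA value

def clear_image(path, fill_byte=b"\x00"):
    """Overwrite every byte of the image with fill_byte and flush to disk."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        written = 0
        while written < size:
            chunk = fill_byte * min(BLOCK, size - written)
            f.write(chunk)
            written += len(chunk)
        f.flush()
        os.fsync(f.fileno())
    return written

def residual_blocks(path, fill_byte=b"\x00"):
    """Return offsets of blocks that hold anything other than fill_byte."""
    leftovers, offset = [], 0
    with open(path, "rb") as f:
        while block := f.read(BLOCK):
            if block != fill_byte * len(block):
                leftovers.append(offset)
            offset += len(block)
    return leftovers

def demo():
    """Constructed 64 KiB image: one index block plus two fake records."""
    fd, path = tempfile.mkstemp(suffix=".img")
    try:
        with os.fdopen(fd, "r+b") as f:
            f.write(b"\x00" * (16 * BLOCK))
            f.seek(0)
            f.write(b"INDEX: rec1@3 rec2@9")
            for blk in (3, 9):
                f.seek(blk * BLOCK + 100)
                f.write(b"PATIENT RECORD (constructed)")
            # "Delete and reformat": only the index block is wiped.
            f.seek(0)
            f.write(b"\x00" * BLOCK)
        after_format = residual_blocks(path)  # record blocks still present
        clear_image(path)
        after_clear = residual_blocks(path)   # nothing left after overwrite
        return after_format, after_clear
    finally:
        os.remove(path)

if __name__ == "__main__":
    print(demo())
```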
Can I Recycle or Reuse Computers with ePHI?
Computers or other electronic media that store ePHI may be reused, but only if certain steps (such as the ones above) have been taken to remove the stored information. In addition to appropriate disposal, the media should be appropriately reused, whether internally or externally.
Internal reuse may include redeployment of PCs or sharing storage media. External reuse may include donation of electronic media to charity organizations or schools, once all ePHI is removed.
Who Should Destroy ePHI?
Some medical practices may relegate destroying hard drive data to their IT departments. Since that task is not their primary mission, it is often put on the back burner. The longer the information remains accessible, the more likely it is that a data breach will occur. Also, it becomes easier to mistake a hard drive that contains files for one that has been sanitized.
Some organizations routinely receive drives that were said to be free of data but contained thousands of files. Using a secure document destruction service is a good way to make sure your digital files are properly destroyed. You will receive a document of destruction that guarantees your records were securely managed and destroyed.
When hiring a third-party vendor to manage your facility’s digital media destruction, HIPAA requires due diligence on your part. Do research, ask for referrals from trusted peers, and properly vet your document destruction service. TriHaz Solutions can guarantee the secure transfer, handling, and destruction of your practice’s ePHI.