The HIPAA privacy rule requires healthcare entities to create and follow policies for safely disposing of protected health information (PHI), including ePHI on electronic devices. Proper HIPAA compliant computer disposal involves fully erasing ePHI from any device before it's discarded or reused. Computers, along with electronic media like mobile devices, tablets, portable drives, optical discs, and even multifunction printers and fax machines, all need to be handled with the same care.
Responding to outdated guidance
In 2005, the Department of Health and Human Services (HHS) published a series of security guides to support HIPAA compliance, including guidelines for computer disposal. These guides mainly focused on policies and recommended security methods such as applying strong magnetic fields (degaussing) or physically destroying hardware to make ePHI inaccessible. HHS later published a FAQ in 2009 that referred to the original guides and advised healthcare organizations to consult an additional guideline, which was last updated in 2014. It outlined methods like pulverization and incineration to destroy hardware used to handle ePHI.
However, the recommendations are now outdated. With advances in computer hard drives, concerns have been raised that certain destruction techniques can leave recoverable data. For example, modern hard drives pack significant amounts of data into very small areas, so even tiny fragments of a destroyed drive may still hold readable data, raising doubts about the effectiveness of current practices.
Developing disposal policies and procedures
To achieve HIPAA compliance, healthcare organizations must establish policies and procedures for the disposal of electronic media containing ePHI. These guidelines should address the following elements:
Inventory and asset tracking
Maintain a detailed inventory of all devices with access to ePHI, documenting the type of data stored on each device and its location within the organization. Keeping a thorough asset list helps healthcare entities avoid overlooking any devices during the disposal process.
Sanitization methods
The HIPAA regulations, in alignment with the National Institute of Standards and Technology (NIST) guidelines, prescribe specific sanitization methods for the secure removal of ePHI. These methods include clearing, purging, and destruction, each with its unique approach and level of data security.
Verification and documentation
Healthcare organizations must implement rigorous verification and documentation processes to confirm the complete removal of ePHI from electronic media. Obtaining written confirmation from the disposal vendor or maintaining detailed records of the sanitization methods used for each device can be part of this process.
Vendor selection and oversight
Many healthcare entities lack the in-house capabilities to properly dispose of ePHI-containing devices. In such cases, the use of third-party disposal contractors is permitted, but these vendors must be vetted and closely monitored as HIPAA business associates.
NIST guidelines for HIPAA compliant computer disposal
The National Institute of Standards and Technology (NIST) has established guidelines for media sanitization, which serve as the foundation for HIPAA compliant computer disposal practices. These guidelines outline three primary methods of sanitization:
Clearing
Clearing uses standard read-and-write commands to overwrite user-addressable storage locations with non-sensitive data, making it suitable for devices that are not physically damaged and can be effectively overwritten.
Purging
Purging involves physical or logical techniques that make the recovery of target data infeasible, even with advanced laboratory methods. It is often used for media such as solid-state drives (SSDs), where simple overwriting may not reach every storage location.
Destruction
Destruction involves the complete annihilation of electronic media, rendering data recovery impossible. It is typically reserved for devices that cannot be effectively cleared or purged, or when the risk of data exposure is too high.
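As an added example (not code from the article or from HHS/NIST), the following Python script ties the clearing method above to the verification and documentation requirement from the policy section: it spot-checks that a cleared device reads back as the overwrite pattern, then produces a hash-sealed disposal record carrying the method, date and operator. The device path, the 4 KiB sampling granularity, the asset tag and the operator name are assumptions; a constructed temp file stands in for a real drive.

```python
import hashlib
import json
import os
import random
import tempfile
from datetime import datetime, timezone

BLOCK = 4096  # assumed sampling granularity in bytes


def verify_cleared(path, samples=64, fill=0x00, seed=None):
    """Spot-check a cleared device: read the first and last block plus
    `samples` random blocks and confirm every byte equals the overwrite
    pattern. Returns the offsets that still hold other data."""
    rng = random.Random(seed)
    dirty = []
    with open(path, "rb") as fh:
        fh.seek(0, os.SEEK_END)  # size via seek works for block devices too
        total = max(1, fh.tell() // BLOCK)
        offsets = {0, (total - 1) * BLOCK}
        offsets.update(rng.randrange(total) * BLOCK for _ in range(samples))
        for off in sorted(offsets):
            fh.seek(off)
            if any(b != fill for b in fh.read(BLOCK)):
                dirty.append(off)
    return {"blocks_checked": len(offsets), "dirty_offsets": dirty, "passed": not dirty}


def disposal_record(asset_tag, method, operator, verification):
    """Disposal log entry with method, date and operator, plus the verification
    result, sealed with a SHA-256 digest so later tampering is detectable."""
    record = {"asset_tag": asset_tag, "method": method, "operator": operator,
              "timestamp": datetime.now(timezone.utc).isoformat(),
              "verification": verification}
    digest = hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()
    return {**record, "record_hash": digest}


def make_sample_device(nbytes, leftover_at=None):
    """Constructed stand-in for a drive: a zero-filled file, optionally with
    leftover data at `leftover_at` to model an incomplete overwrite."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as fh:
        fh.write(b"\x00" * nbytes)
        if leftover_at is not None:
            fh.seek(leftover_at)
            fh.write(b"PATIENT-RECORD-FRAGMENT")  # constructed residue
    return path


if __name__ == "__main__":
    good = make_sample_device(16 * BLOCK)
    bad = make_sample_device(16 * BLOCK, leftover_at=15 * BLOCK)
    print(json.dumps(disposal_record("ASSET-0001", "clear", "jdoe", verify_cleared(good)), indent=2))
    print(verify_cleared(bad))  # last block still holds data, so passed is False
```

A failed verification means the device goes back for another clearing pass or on to purging or destruction, and the record for that attempt is kept alongside the final one.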
The role of third-party disposal contractors
Many healthcare organizations lack the in-house expertise and resources to properly dispose of ePHI-containing devices. In these cases, using third-party disposal contractors is a common practice. These vendors are considered business associates under HIPAA and must be carefully vetted and monitored to ensure compliance.
Before engaging a disposal contractor, healthcare entities must have a signed business associate agreement (BAA) in place. This contractual agreement outlines the responsibilities and obligations of the vendor in safeguarding ePHI during the disposal process. Regular audits and oversight are also beneficial to verify the contractor's adherence to HIPAA requirements.
FAQs
What is HIPAA compliant computer disposal?
It's the process of securely disposing of computers containing protected health information (PHI) in accordance with HIPAA regulations.
Why is HIPAA compliant disposal important?
To prevent unauthorized access to sensitive patient data and avoid potential legal and financial penalties.
Do I need to keep records of disposed computers?
Yes, maintain documentation of the disposal method, date, and the employee who performed it.
What are the consequences of non-compliant disposal?
Potential data breaches, hefty fines, legal action, and damage to reputation.