The HIPAA privacy rule requires healthcare entities to create and follow policies for safely disposing of protected health information (PHI), including ePHI on electronic devices. Proper HIPAA compliant computer disposal involves fully erasing ePHI from any device before it's discarded or reused. Computers, along with electronic media like mobile devices, tablets, portable drives, optical discs, and even multifunction printers and fax machines, all need to be handled with the same care.
In 2005, the Department of Health and Human Services (HHS) published a series of security guides to support HIPAA compliance, including guidelines for computer disposal. These guides focused mainly on policies and recommended security methods, such as applying strong magnetic fields (degaussing) or physically destroying hardware, to make ePHI inaccessible. HHS later published a FAQ in 2009 that referred to the original guides and advised healthcare organizations to consult an additional guideline, which was last updated in 2014. It outlined methods like pulverization and incineration to destroy hardware used to handle ePHI.
However, those recommendations are now outdated. With advances in hard drive technology, concerns have been raised that certain destruction techniques can leave recoverable data. For example, modern high-density drives can store significant amounts of data in very small physical fragments, so a drive that is only partially destroyed may still hold readable ePHI, raising doubts about the effectiveness of current practices.
To achieve HIPAA compliance, healthcare organizations must establish policies and procedures for the disposal of electronic media containing ePHI. These guidelines should address the following elements:
Maintain a detailed inventory of all devices with access to ePHI, documenting the type of data stored on each device and its location within the organization. Keeping a thorough asset list helps healthcare entities avoid overlooking any devices during the disposal process.
The HIPAA regulations, in alignment with the National Institute of Standards and Technology (NIST) guidelines, prescribe specific sanitization methods for the secure removal of ePHI. These methods are clearing, purging, and destruction, each with its own technique and level of assurance that the data cannot be recovered.
Healthcare organizations must implement rigorous verification and documentation processes to confirm the complete removal of ePHI from electronic media. Obtaining written confirmation from the disposal vendor or maintaining detailed records of the sanitization methods used for each device can be part of this process.
Many healthcare entities lack the in-house capabilities to properly dispose of ePHI-containing devices. In such cases, the use of third-party disposal contractors is permitted, but these vendors must be vetted and closely monitored as HIPAA business associates.
The National Institute of Standards and Technology (NIST) has established guidelines for media sanitization, which serve as the foundation for HIPAA compliant computer disposal practices. These guidelines outline three primary methods of sanitization:
Clearing uses standard read-and-write commands to overwrite user-addressable storage locations with non-sensitive data. It is suitable for devices that are not physically damaged and whose storage can be effectively overwritten, and it should be followed by a read-back verification that the overwrite actually reached every location.
Purging involves physical or logical techniques that make recovery of the target data infeasible even with advanced laboratory methods, for example cryptographic erase or a firmware-level block erase. It is often the right choice for devices built on technologies like solid-state drives (SSDs), where ordinary overwriting cannot reach wear-levelled or over-provisioned cells.
Destruction involves the complete physical destruction of the electronic media (such as shredding, pulverization, or incineration), rendering the data unrecoverable and the media unusable. It is typically reserved for devices that cannot be effectively cleared or purged, or when the risk of data exposure is too high.
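The clear-and-verify step described above, with the documentation entry the policy requires, as an added example that is not part of the original article. It runs against a constructed file-backed image standing in for a drive; the asset id, operator name and record fields are assumptions, and the SSD refusal encodes the caveat that overwriting is not a valid clear for flash media.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 4096  # read/write unit for the simulated device image


def make_sample_image():
    # Constructed stand-in for a drive: a temp file holding fake patient records.
    fd, path = tempfile.mkstemp(suffix=".img")
    os.close(fd)
    with open(path, "wb") as f:
        f.write(b"MRN 000123 | Jane Doe | dx: hypertension\n" * 300)
    return path


def clear_media(path, media_type="hdd", pattern=0x00):
    """NIST 'clear': overwrite every user-addressable byte with a fixed pattern
    using ordinary write commands. Refused for SSDs, whose wear-levelled and
    over-provisioned cells this cannot reach (purge or destroy those instead)."""
    if media_type == "ssd":
        raise ValueError("overwrite is not a valid clear for SSDs; purge or destroy")
    size = os.path.getsize(path)
    block = bytes([pattern]) * CHUNK
    with open(path, "r+b") as f:
        for offset in range(0, size, CHUNK):
            f.seek(offset)
            f.write(block[: min(CHUNK, size - offset)])
        f.flush()
        os.fsync(f.fileno())  # ensure the overwrite actually reached the media
    return size


def verify_cleared(path, pattern=0x00):
    """Full read-back verification: every byte must now equal the pattern."""
    block = bytes([pattern]) * CHUNK
    with open(path, "rb") as f:
        while data := f.read(CHUNK):
            if data != block[: len(data)]:
                return False
    return True


def sanitization_record(asset_id, path, operator, media_type="hdd"):
    """Clear, verify and return the log entry the disposal policy requires."""
    size = clear_media(path, media_type)
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return {"asset_id": asset_id, "method": "clear", "media_type": media_type,
            "size_bytes": size, "verified": verify_cleared(path),
            "post_sha256": digest, "operator": operator,
            "timestamp": datetime.now(timezone.utc).isoformat()}
```

On a real device the same logic runs against the block device node with the full capacity reported by the drive, and the record is what you keep (or obtain from the vendor) as evidence that ePHI was removed.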
Many healthcare organizations lack the in-house expertise and resources to properly dispose of ePHI-containing devices. In these cases, using third-party disposal contractors is a common practice. These vendors are considered business associates under HIPAA and must be carefully vetted and monitored to ensure compliance.
Before engaging a disposal contractor, healthcare entities must have a signed business associate agreement (BAA) in place. This contractual agreement outlines the responsibilities and obligations of the vendor in safeguarding ePHI during the disposal process. Regular audits and oversight are also beneficial to verify the contractor's adherence to HIPAA requirements.
HIPAA compliant computer disposal is the process of securely disposing of computers containing protected health information (PHI) in accordance with HIPAA regulations.
Its purpose is to prevent unauthorized access to sensitive patient data and to avoid potential legal and financial penalties.
Disposal must be documented: record the disposal method, the date, and the employee who performed it.
Improper disposal risks data breaches, hefty fines, legal action, and damage to reputation.