Protect ePHI when Dumping Data Devices

Before the wide-scale introduction of technology to the healthcare industry, the most important thing to remember about disposing of old PHI used to be to lift with your legs to get those dusty storage boxes into the bin for shredding and recycling. Now that most patient data is stored electronically, there’s a lot less heavy lifting involved, but there are more things to remember.

When it comes time to upgrade your computers and technology, it’s important to consider what to do with the data that may be left on the old computers.

Improper data disposal leaves an opening for a data breach. Breaches can be prohibitively expensive because of what is required to manage them: notifications to patients and possibly the media, potential government investigations, and lawsuits. There is also the cost of lost customer confidence.

The HIPAA Security Rule requires HIPAA covered entities and business associates to implement policies and procedures regarding the disposal and re-use of hardware and electronic media containing ePHI [45 C.F.R. §§164.310(d)(2)(i)-(ii)]. When developing policies and procedures for the final disposition of hardware and electronic media containing ePHI, covered entities and business associates should determine and document the appropriate methods to dispose of hardware, software, and the data itself. Keep your risk analysis plans updated. Here is a short list of questions to review regularly.

  • Is the data disposal plan up to date?
  • What data do we keep and where do we keep it?
  • Do we have an up-to-date list of all electronic storage devices? The list should include desktops, laptops, tablets, copiers, servers, smart phones, hard drives, and USB drives.
  • Who is contracted for data destruction? Are they certified, trained and cleared?
  • What is our chain of custody?
  • Did we remove all asset tags and identifying marks?

Any device or media that will be replaced should be decommissioned and disposed of securely to ensure that any confidential or sensitive information stored on such devices or media has been removed. Decommissioning is the process of taking hardware or media out of service prior to the final disposition of such hardware or media. Steps in this process include:

  1. Erase devices and media correctly and securely.
  2. Destroy or recycle devices and media.
  3. Update technology inventories.
  4. Protect patient privacy with proper data migration or destruction of the data.

OCR has comprehensive guidance available on their website for disposing of electronic devices and media.* As always, TMC recommends that entities enlist the help of a qualified IT professional.

* OCR’s Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals, https://www.hhs.gov/hipaa/for-professionals/breach-notification/guidance/index.html