| | |

How to Dispose of Electronic Protected Health Information Under HIPAA

Improper disposal of either paper or electronic protected health information is a HIPAA violation. HIPAA requires organizations to implement and follow administrative, technical, and physical safeguards. These types of violation lead to investigation by the Office of Civil Rights (OCR) and substantial civil money penalties.

July 6, 2021 HealthReach Community Health Centers experienced a breach of 122,340 individual’s electronic protected health information (ePHI) when stored drives were improperly disposed of by an employee at a third-party data storage facility. Data included patient names as well as addresses, dates of birth, Social Security numbers, medical record numbers, health insurance information, lab test results, treatment records, and financial account information. The investigation by the OCR is still pending, but the fines are sure to be in the hundreds of thousands, and include an extensive corrective action plan (CAP). A CAP is an aggressive enforcement action the Office for Civil Rights (OCR) takes in response to a HIPAA-covered entity or business associate that has egregiously violated HIPAA laws. It often requires your organization to perform a closely monitored security risk analysis and develop a risk management plan. OCR may also require your organization to hire a third party to monitor your compliance, adding an addition burden. CAPs can over several years, during which time, your organization must regularly report to OCR and undergo audits. Every step of the CAP has to be done according to the OCR’s strict timeline. If you fail to carry out the terms of a CAP, it’s a breach of the resolution agreement.

The Department of Health and Human Services provides guidance on the proper disposal of PHI, both physical records and electronic protected health information (ePHI).

HHS stated, “In determining what is reasonable, covered entities should assess potential risks to patient privacy, as well as consider such issues as the form, type, and amount of PHI to be disposed. For instance, the disposal of certain types of PHI such as name, social security number, driver’s license number, debit or credit card number, diagnosis, treatment information, or other sensitive information may warrant more care due to the risk that inappropriate access to this information may result in identity theft, employment or other discrimination, or harm to an individual’s reputation.”

HIPAA Requirements

The HIPAA Privacy Rule “requires that covered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information (PHI), in any form,” HHS states in its FAQ about PHI disposal.

“This means that covered entities must implement reasonable safeguards to limit incidental, and avoid prohibited, uses and disclosures of PHI, including in connection with the disposal of such information.”

The HIPAA Security Rule requires covered entities to implement policies and procedures for the removal of electronic PHI from electronic media before that media can be re-used, in addition to policies for how electronic PHI is stored and deleted.

It is imperative that your organization maintains appropriate disposal policies and procedures, and provides training to the entire workforce regarding the disposal of PHI.

HIPAA is fairly flexible when it comes to organizations choosing what safeguards to implement to ensure that information is disposed of properly. Organizations must assess their individual circumstances and make decisions about how to reasonably dispose of PHI.

DISPOSAL OF ePHI  

HHS recommends using software or hardware product to overwrite sensitive data with non-sensitive data. Two additional methods for disposing of ePHI is to physically destroy the media, or expose the media to a strong magnetic field to which disrupts the recorded magnetic domains.

The National Institutes for Standards and Technology (NIST) provides guidelines your organization should follow: the NIST Special Publication 800-88, Guidelines for Media Sanitization.

NIST emphasizes the importance of safeguarding used media, “In order for organizations to have appropriate controls on the information they are responsible for safeguarding, they must properly safeguard used media. An often rich source of illicit information collection is either through dumpster diving for improperly disposed hard copy media, acquisition of improperly sanitized electronic media, or through keyboard and laboratory reconstruction of media sanitized in a manner not commensurate with the confidentiality of its information.”

The NIST guidance provides organizations with information on different types of sanitization, roles and responsibilities, and decision-making trees. The guidance can help organizations dispose of hard copies or electronic media, both of which require sanitization efforts before disposal.

“The security categorization of the information, along with internal environmental factors, should drive the decisions on how to deal with the media,” the document notes. “The key is to first think in terms of information confidentiality, then apply considerations based on media type.”

Once these determinations are made, covered entities can move forward with clearing, purging, or destroying media. Organizations may also be able to use Cryptographic Erase (CE) to sanitize the target data’s encryption key, rendering it unreadable by preventing read-access.

Regardless of the method chosen, it is critical that your organization safeguards sensitive information throughout its lifecycle, even when your organization is simply storying information.

REUSING, DISPOSING OF COMPUTERS

Your organization can reuse computers. HHS encourages organizations to take steps to ensure that ePHI is destroyed or removed from the device before it is reused.

For instance, donating old computers can be a blessing, before doing so, our organization should ensure that all electronic PHI is wiped from the device before donating.

Your organization can partner with a business associates to assist in the disposal of ePHI. Keep in mind, using a third-party vendor requires you to have a signed business associate agreement (BAA) with the vendor to maintain HIPAA compliance.

“An organization may choose to dispose of media by charitable donation, internal or external transfer, or by recycling it in accordance with applicable laws and regulations if the media is obsolete or no longer usable. Even internal transfers require increased scrutiny, as legal and ethical obligations make it more important than ever to protect data such as Personally Identifiable Information (PII),” NIST states.

“No matter what the final intended destination of the media is, it is important that the organization ensure that no easily re-constructible residual representation of the data is stored on the media after it has left the control of the organization or is no longer going to be protected at the confidentiality categorization of the data stored on the media.”

OTHER KEY DISPOSAL CONSIDERATIONS

The following are questions highlighted in a 2018 newsletter by the HHS Office for Civil Rights (OCR) that your organization should consider when determining how to properly protect and dispose of electronic data:

  • What data is maintained by the organization and where is it stored?
  • Is the organization’s data disposal plan up to date?
  • Are all asset tags and corporate identifying marks removed?
  • Have all asset recovery-controlled equipment and devices been identified and isolated?
  • Is data destruction of the organization’s assets handled by a certified provider?
  • Have the individuals handling the organization’s assets been subjected to workforce clearance processes and undergone appropriate training?
  • Is onsite hard drive destruction required?
  • What is the chain of custody?
  • How is equipment staged/stored prior to transfer to external sources for disposal or destruction?
  • What are the logistics and security controls in moving the equipment?

Leave a Reply