A covered entity or business associate must remain in accordance with HIPAA 164.310d(1), Physical Safeguards – security procedures need to include: “Device and media controls. Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility.”
As you could interpret from these high level HIPAA data disposal requirement standards, HIPAA laws do not require specific steps, being vague as often the case and instructing rather to use “reasonable” safeguards when removing data from electronic devices. In order for healthcare organizations to have appropriate controls on patient data during disposal, they must properly safeguard used media.
Though the standard for disposing electronic patient data is defined vaguely, recent reported incidents and fines for insecure data disposal have increased. Out of 1113 incidents reported on HHS breach report, 46 of them are attributed to improper disposal of paper-based or electronic devices which contained PHI. Read more about the recent breach reports published by HHS here: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html
Arguably the most important step in adhering to this HIPAA law requirement is determining electronic data storage devices that need to be disposed securely. Any device requiring electrical power to be capable of storing and/or processing data, such as those containing volatile memory and/or magnetic or optical storage, should be identified as such. This includes but is not limited to personal computers / hard drives, servers, mainframes, Personal Digital Assistants (PDAs), routers, firewalls, switches, tapes, diskettes, CDs, DVDs, cell phones, smart phones, tablets, printers with on board memory, multifunction devices, digital cameras, flash memory cards or SD cards, and Universal Serial Bus (USB) data storage devices.
Though inventorying all the above mentioned devices in a huge hospital setup is very complex, practically speaking, any electronic devices where Protected Health Information (PHI) data is stored need to be tracked. You could consider either using a simple inventory log or more sophisticated online database to keep track of the inventory of devices.
The security categorization of the patient data, along with internal environmental factors, should drive the decisions on how to deal with the media devices. Again, the key is to first think in terms of patient data confidentiality, then by media type.
There are several options available for disposal methods with different types of data, Health care organizations need to determine which method is preferable or needed, based on the confidentiality requirement of the data being disposed. Some of the most widely used methods are:
- a) Overwriting: Overwriting of data means replacing previously stored data with a predetermined pattern of meaningless information. Overwriting is the more cost effective option to securely dispose data, as it allows the reuse of resources when possible.
- b) Physical Destruction: Physical destruction includes but is not limited to disintegration, incineration, pulverization, and melting of the devices. Physical destruction needs to ensure that any possible restoration of the data from the device is not restorable. However, incineration must take place only in a licensed facility. Some of the approaches listed here involve outside professionals.
- c) Cryptographic Sanitizing: Sanitization by cryptography works by first encrypting all data as it is written to the devices. The only way to read or recover data protected in this manner is to use a valid decryption key. Instant and thorough sanitizing occurs when the decryption key is destroyed.
- d) Degaussing: Degaussing is a process whereby the magnetic media is thoroughly disrupted. Stored data in the electronic devices seldom can be used after degaussing, and the devices themselves are often left unusable.
Our advice and recommendations of checklist items to cover to securely dispose patient data:
- Consideration of legal record retention requirements, along with company needs, prior to disposal. In most cases, at least 6-year worth of data is to be maintained before destroying. This requirement might also vary state-to-state.
- Keep the data in a secure area prior to disposal.
- Maintain records of devices where data was securely sanitized. This would include certificate, pictures, or other form of acknowledgement.
- Training of all your staff on how direct disposal and deleting the data directly from the system is not sufficient. This could be combined with your annual HIPAA training of staff.
- Identify the best possible method for securely disposing data discussed in the above categories.
- Ensure backup copies of data are kept in a secure place, in case you ever need to refer to said data.
Examples of specific products / options available
For the list of software available to safely destruct data please click here >>
In addition, attend our complimentary webinar scheduled on 9/24. Register here >>