How to Properly Dispose of Electronic PHI Under HIPAA

December 28, 2022 - Improper disposal of protected health information (PHI), whether a paper record or a digital file, can result in HIPAA violations and significant fees.

For example, in 2020, the New Jersey Division of Consumer Affairs and the New Jersey attorney general reached a settlement with Wakefern Food Corp and two associated ShopRite supermarkets to resolve violations of HIPAA and the NJ Consumer Fraud Act, stemming from improper records disposal.

In 2016, reports found that ShopRite had failed to properly dispose of electronic devices that were used to collect signatures and purchase information from pharmacy customers. Wakefern had allegedly disposed of the devices in unsecured dumpsters without destroying the data stored on them.

The devices contained names, contact details, driver’s license numbers, birthdates, prescription numbers and type, dates and times of pickup or delivery, and customer zip codes. Wakefern paid more than $209,000 in civil penalties to resolve the violations.

Thankfully, HHS and the National Institute of Standards and Technology (NIST) maintain thorough guidance on how to dispose of electronic PHI and sanitize media before disposal.

Below, HealthITSecurity will dive into several key considerations for properly disposing of electronic PHI, such as digital files. A previous article discussed the process of disposing of physical PHI.

HIPAA Requirements

The HIPAA Privacy Rule “requires that covered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information (PHI), in any form,” HHS states in its FAQ about PHI disposal.

“This means that covered entities must implement reasonable safeguards to limit incidental, and avoid prohibited, uses and disclosures of PHI, including in connection with the disposal of such information.”

The HIPAA Security Rule requires covered entities to implement policies and procedures for the removal of electronic PHI from electronic media before that media can be re-used, in addition to policies for how electronic PHI is stored and deleted.

As previously mentioned in HealthITSecurity’s guide to disposing of physical PHI, HIPAA is quite flexible when it comes to organizations choosing what safeguards to implement to ensure that information is disposed of properly. Covered entities should assess their individual circumstances and make appropriate determinations about how to reasonably dispose of PHI.

“In determining what is reasonable, covered entities should assess potential risks to patient privacy, as well as consider such issues as the form, type, and amount of PHI to be disposed,” HHS continues.

“For instance, the disposal of certain types of PHI such as name, social security number, driver’s license number, debit or credit card number, diagnosis, treatment information, or other sensitive information may warrant more care due to the risk that inappropriate access to this information may result in identity theft, employment or other discrimination, or harm to an individual’s reputation.”

Disposing of PHI Stored Electronically  

For PHI stored on electronic media, HHS recommends using software or hardware products to overwrite sensitive media with non-sensitive media, exposing the media to a strong magnetic field to disrupt the recorded magnetic domains, or physically destroying the media.

Organizations should follow the guidelines outlined in the NIST Special Publication 800-88, Guidelines for Media Sanitization.

“In order for organizations to have appropriate controls on the information they are responsible for safeguarding, they must properly safeguard used media,” NIST stresses in the guidance.

“An often rich source of illicit information collection is either through dumpster diving for improperly disposed hard copy media, acquisition of improperly sanitized electronic media, or through keyboard and laboratory reconstruction of media sanitized in a manner not commensurate with the confidentiality of its information.”

The NIST guidance provides organizations with information on different types of sanitization, roles and responsibilities, and decision-making trees. The guidance can help organizations dispose of hard copies or electronic media, both of which require sanitization efforts before disposal.

“The security categorization of the information, along with internal environmental factors, should drive the decisions on how to deal with the media,” the document notes. “The key is to first think in terms of information confidentiality, then apply considerations based on media type.”

Once these determinations are made, covered entities can move forward with clearing, purging, or destroying media. Organizations may also be able to use Cryptographic Erase (CE) to sanitize the target data’s encryption key, rendering it unreadable by preventing read-access.

Regardless of the method chosen, it is crucial that organizations safeguard sensitive information throughout its lifecycle, even when that information is no longer useful to the entity.

Reusing, Disposing of Computers

HHS notes that a covered entity may reuse or dispose of computers that store electronic PHI only if certain steps have been taken to ensure that the PHI is destroyed or removed from the device before it is reused.

For example, if an entity was looking to donate old computers, it would have to ensure that all electronic PHI was wiped from the device before donating.

Covered entities may hire a business associate to purge or destroy electronic media.

“An organization may choose to dispose of media by charitable donation, internal or external transfer, or by recycling it in accordance with applicable laws and regulations if the media is obsolete or no longer usable. Even internal transfers require increased scrutiny, as legal and ethical obligations make it more important than ever to protect data such as Personally Identifiable Information (PII),” NIST states.

“No matter what the final intended destination of the media is, it is important that the organization ensure that no easily re-constructible residual representation of the data is stored on the media after it has left the control of the organization or is no longer going to be protected at the confidentiality categorization of the data stored on the media.”

Other Key Disposal Considerations

In a 2018 newsletter, the HHS Office for Civil Rights (OCR) outlined key questions that covered entities may want to ask themselves when determining how to properly protect and dispose of electronic data:

• What data is maintained by the organization and where is it stored?
• Is the organization’s data disposal plan up to date?
• Are all asset tags and corporate identifying marks removed?
• Have all asset recovery-controlled equipment and devices been identified and isolated?
• Is data destruction of the organization’s assets handled by a certified provider?
• Have the individuals handling the organization’s assets been subjected to workforce clearance processes and undergone appropriate training?
• Is onsite hard drive destruction required?
• What is the chain of custody?
• How is equipment staged/stored prior to transfer to external sources for disposal or destruction?
• What are the logistics and security controls in moving the equipment?

It is crucial that covered entities maintain appropriate disposal policies and take care to provide training to employees on how to dispose of PHI.