PHI security is an integral part of protecting patient privacy and confidentiality. As such, HIPAA provides ample guidance on how covered entities may maintain PHI security via the HIPAA privacy rule. The HIPAA privacy rule seeks to provide covered entities with procedures to safeguard PHI while still making it accessible when necessary and appropriate.
However important it is that entities adhere to HIPAA privacy regulations while storing PHI, it is equally important that they consider PHI security when moving from facility to facility and when disposing of PHI. For example, when a healthcare provider changes facilities, it is important that they understand how to properly dispose of or transfer PHI. Perhaps the provider opts to scan in paper files to make the move easier. However, it is still critical that the provider understand the correct method for disposing of the paper files, as neglecting to do so could result in a health data breach.
This week, HealthITSecurity.com will discuss the protocols put in place by HIPAA for the proper disposal of PHI.
In what cases should covered entities dispose of PHI?
As mentioned earlier, there are times when paper copies of health records are essentially rendered useless after having been scanned into an electronic database. In the case of facility relocation, HIPAA mandates that these otherwise unused documents be adequately destroyed, and not simply left behind or disposed of in a public receptacle.
“[T]he HIPAA Security Rule requires that covered entities implement policies and procedures to address the final disposition of electronic PHI and/or the hardware or electronic media on which it is stored, as well as to implement procedures for removal of electronic PHI from electronic media before the media are made available for re-use,” a HIPAA frequently asked questions sheet states.
This means that in the event that a healthcare organization is changing locations, or simply looking to dispose of unused healthcare documents, the organization must implement adequate technical and physical safeguards to ensure that this data is not being disposed of incorrectly.
What are HIPAA’s guidelines for disposing of PHI?
Although HIPAA requires all covered entities to undertake adequate measures to ensure PHI security while disposing of health records, HIPAA does not specifically state how entities should do so. Instead, it states that measures must be appropriate for the specific conditions and should render documents completely unreadable.
“Covered entities must review their own circumstances to determine what steps are reasonable to safeguard PHI through disposal, and develop and implement policies and procedures to carry out those steps. In determining what is reasonable, covered entities should assess potential risks to patient privacy, as well as consider such issues as the form, type, and amount of PHI to be disposed,” HIPAA says.
Although HIPAA does not provide a specific method by which entities should dispose of health records, it does provide a series of suggestions.
In general, examples of proper disposal methods may include, but are not limited to:
• For PHI in paper records, shredding, burning, pulping, or pulverizing the records so that PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed.
• Maintaining labeled prescription bottles and other PHI in opaque bags in a secure area and using a disposal vendor as a business associate to pick up and shred or otherwise destroy the PHI.
• For PHI on electronic media, clearing (using software or hardware products to overwrite media with non-sensitive data), purging (degaussing or exposing the media to a strong magnetic field in order to disrupt the recorded magnetic domains), or destroying the media (disintegration, pulverization, melting, incinerating, or shredding).
How does HIPAA address PHI on electronic devices?
HIPAA states that PHI on electronic devices (ePHI) may also be disposed of, so long as entities take the proper measures to destroy the data. These measures include completely erasing the PHI or completely destroying the medium and device on which the data is stored.
“Depending on the circumstances, appropriate methods for removing ePHI from electronic media prior to reuse or disposal may be by clearing (using software or hardware products to overwrite media with non-sensitive data) or purging (degaussing or exposing the media to a strong magnetic field in order to disrupt the recorded magnetic domains) the information from the electronic media,” HIPAA states.
If the entity does not plan on using the device again in the future, HIPAA suggests completely destroying it. Tactics for destroying devices can include “disintegrating, pulverizing, melting, incinerating, or shredding the media.”
Following guidelines for handling PHI is a critical part of maintaining health data security. When changing facilities, disposing of old paper files, or getting rid of ePHI, it is important that providers understand proper security measures. Doing so greatly increases PHI security and decreases the chance of a health data breach.