The HIPAA Security Rule requires HIPAA covered entities and business associates to implement policies and procedures regarding the secure disposal and re-use of electronic devices and media containing ePHI so that ePHI cannot be retrieved, advised the July 2018 OCR Cybersecurity Newsletter.
OCR stressed that improper disposal of electronic devices and media puts the ePHI stored on them at risk and could lead to data breaches. This could cost the organization in terms of regulatory fines, breach notification expenses, lawsuits, consultant and legal fees, and loss of business.
To reduce the risk of data breaches, OCR recommended that healthcare organizations consider the following questions in preparing a risk analysis:
- What data is maintained by the organization and where is it stored?
- Is the organization’s data disposal plan up to date?
- Are all asset tags and corporate identifying marks removed?
- Have all asset recovery-controlled equipment and devices been identified and isolated?
- Is data destruction of the organization’s assets handled by a certified provider?
- Have the individuals handling the organization’s assets been subjected to workforce clearance processes and undergone appropriate training?
- Is onsite hard drive destruction required?
- What is the chain of custody?
- How is equipment staged/stored prior to transfer to external sources for disposal or destruction?
- What are the logistics and security controls in moving the equipment?
“Devices or media that need to be replaced should be decommissioned and disposed of securely to ensure that either the devices or media are destroyed or any confidential or sensitive information stored on such devices or media has been removed. Decommissioning is the process of taking hardware or media out of service prior to the final disposition of such hardware or media,” said OCR.
In decommissioning devices or media, organizations should ensure that devices and media are securely erased and destroyed or recycled, that inventories are accurately updated to reflect the status of devices and media that have been decommissioned or slated for decommissioning, and that data privacy is protected using proper migration to another system or destruction of data.
OCR advised HIPAA covered entities and business associates to take the following steps when developing policies and procedures for decommissioning electronic devices and media:
- determine and document the appropriate methods to dispose of hardware, software, and the data;
- ensure that ePHI is properly destroyed and cannot be recreated;
- ensure that ePHI previously stored on hardware or electronic media is securely removed such that it cannot be accessed and reused;
- identify removable media and their use (tapes, CDs/DVDs, USB thumb drives); and
- ensure that ePHI is removed from reusable media before they are used to record new information.
OCR's Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals provides information on how to dispose of PHI securely.
PHI disposed of following this guidance is not considered “unsecured” PHI and, therefore, would not be subject to HIPAA breach notification requirements. PHI is considered to have been disposed of in a secure manner when the media on which the PHI is stored or recorded has been destroyed.
Paper, film, or other hard copy media should be shredded or destroyed such that the PHI cannot be read or reconstructed. Redaction is not a means of data destruction, according to OCR.
Electronic media should be cleared, purged, or destroyed consistent with NIST Special Publication 800-88 Revision 1, Guidelines for Media Sanitization.
The NIST publication is designed to assist organizations and system owners in making media sanitization decisions based on the categorization of confidentiality of their information.
“It is important that the organization ensure that no easily re-constructible residual representation of the data is stored on the media after it has left the control of the organization or is no longer going to be protected at the confidentiality categorization of the data stored on the media,” the NIST publication concluded.
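As an added illustration (not code from the OCR newsletter or from NIST SP 800-88), the script below shows the verification step that belongs after a clear operation and the inventory entry that the decommissioning steps above call for: it scans a wiped device image for residual bytes and produces a chain-of-custody record. It assumes the media has been captured as an image file rather than a live block device, and the asset tags, operator name, and sample images are constructed for the demonstration.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20   # read 1 MiB at a time so a large image never has to fit in memory
WIPE_BYTE = 0x00  # single-pass overwrite value the clear step is expected to leave


def residual_bytes(path):
    """Count bytes that differ from the overwrite pattern; after a clear (NIST SP 800-88
    terminology) anything but the pattern is residual data, so the media is not released."""
    mismatches = 0
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            mismatches += len(chunk) - chunk.count(WIPE_BYTE)
    return mismatches


def sanitization_record(asset_tag, image_path, method, operator):
    """Inventory / chain-of-custody entry for one decommissioned asset; 'verified' is True
    only with zero residual bytes, and the post-wipe hash lets an audit detect later writes."""
    digest = hashlib.sha256()
    with open(image_path, "rb") as f:
        while chunk := f.read(CHUNK):
            digest.update(chunk)
    leftover = residual_bytes(image_path)
    return {
        "asset_tag": asset_tag,            # hypothetical tag, as removed from the device
        "method": method,                  # "clear", "purge" or "destroy" (NIST SP 800-88)
        "operator": operator,
        "verified": leftover == 0,
        "residual_bytes": leftover,
        "post_wipe_sha256": digest.hexdigest(),
        "verified_at": datetime.now(timezone.utc).isoformat(),
    }


def demo():
    """Constructed sample: one fully cleared image, one with a leftover record fragment."""
    workdir = tempfile.mkdtemp()
    clean, dirty = (os.path.join(workdir, n) for n in ("a1.img", "a2.img"))
    with open(clean, "wb") as f:
        f.write(bytes(4096))
    with open(dirty, "wb") as f:   # 2 KiB cleared, then a 21-byte constructed fragment
        f.write(bytes(2048) + b"MRN 0000000 DOE, JANE" + bytes(2027))
    return [sanitization_record("ASSET-0001", clean, "clear", "tech-a"),
            sanitization_record("ASSET-0002", dirty, "clear", "tech-a")]


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Any record with `verified` set to False means the asset stays isolated and goes back through sanitization rather than to the disposal vendor.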