The Health Insurance Portability and Accountability Act (HIPAA), enacted in 1996, established industry standards for handling protected health information (PHI). PHI is any individually identifiable health information, such as patient names, addresses, dates of birth, and billing information, to name a few. HIPAA's requirements extend to the proper disposal of PHI. The Department of Health and Human Services' (HHS) Office for Civil Rights (OCR), the enforcement arm of HIPAA, released guidance on the disposal of electronic devices and media in its July 2018 Cybersecurity Newsletter.
Disposal of PHI on Electronic Devices and Media
Before electronic devices can be disposed of, healthcare organizations must ensure that all electronic protected health information (ePHI) has been removed. This applies to any device capable of storing PHI, including laptops, desktop computers, cell phones, tablets, zip drives, portable hard drives, DVDs, CDs, and backup tapes. Additionally, other equipment that has an internal hard drive capable of storing data, such as printers, photocopiers, and fax machines, must be properly disposed of.
HHS requires organizations to have policies and procedures in place for the disposal of PHI and the re-use of electronic media and hardware containing PHI. When creating these policies and procedures, HHS recommends the following:
- Determine and document the appropriate methods to dispose of hardware, software, and the data itself.
- Ensure that ePHI is properly destroyed and cannot be recreated.
- Ensure that ePHI previously stored on hardware or electronic media is securely removed such that it cannot be accessed and reused.
- Identify removable media and their use (tapes, CDs/DVDs, USB thumb drives).
- Ensure that ePHI is removed from reusable media before they are used to record new information.
For the proper disposal of PHI on electronic media, organizations must ensure that media has been purged, cleared, or destroyed in accordance with the National Institute of Standards and Technology (NIST) Special Publication 800-88 Revision 1, Guidelines for Media Sanitization.
NIST defines sanitization methods as follows:
- Clear applies logical techniques to sanitize data in all user-addressable storage locations for protection against simple non-invasive data recovery techniques; typically applied through the standard Read and Write commands to the storage device, such as by rewriting with a new value or using a menu option to reset the device to the factory state (where rewriting is not supported).
- Purge applies physical or logical techniques that render Target Data recovery infeasible using state of the art laboratory techniques.
- Destroy renders Target Data recovery infeasible using state of the art laboratory techniques and results in the subsequent inability to use the media for storage of data.
Methods of Sanitization for Disposal of PHI
NIST further describes the four most common sanitization methods used for disposal of PHI: overwriting user-addressable storage space, Cryptographic Erase, degaussing, and physical destruction.
Overwriting replaces sensitive data with non-sensitive data using the standard read and write commands for the device. Overwriting may not reach every area in which sensitive data is stored, and it can only be used on devices that are not damaged. When considering overwriting for disposal of PHI, organizations must confirm that the device being cleared is capable of being overwritten and that overwriting will adequately dispose of the PHI it holds.
Cryptographic Erase leverages the encryption of target data by sanitizing the target data's encryption key. This leaves only ciphertext on the media, effectively sanitizing the data by preventing read access: without the decryption key, the data is unreadable. Cryptographic Erase should not be used if sensitive data was stored on the device before encryption was enabled, because that data was never encrypted and remains on the media in the clear.
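To make the two caveats above concrete, the following is an added example (not from the HHS newsletter or NIST SP 800-88) that models a storage device as a list of fixed-size blocks and runs both methods against it. The `SimulatedMedia`, `SelfEncryptingMedia`, `clear_by_overwrite` and `find_remnants` names, the toy HMAC-based stream cipher, the "retired sector" that an overwrite cannot reach, and the sample PHI strings are all constructed for this illustration. The overwrite scenario shows a Clear leaving PHI behind in a remapped sector; the Cryptographic Erase scenario shows that only data written after encryption was enabled is protected once the key is sanitized.

```python
import hashlib
import hmac
import secrets

BLOCK_SIZE = 16  # bytes per simulated sector

# Constructed sample PHI values used only to test for remnants (not real data).
PHI_MARKERS = [b"MRN:00012345", b"DOB:1970-01-01"]


class SimulatedMedia:
    """Toy storage device (constructed model). `blocks` is the user-addressable
    range; `retired` models sectors the controller remapped to spares after data
    was written, which the standard Write command can no longer reach."""

    def __init__(self, n_blocks):
        self.blocks = [bytes(BLOCK_SIZE)] * n_blocks
        self.retired = []

    def write(self, index, data):
        self.blocks[index] = data.ljust(BLOCK_SIZE, b"\x00")[:BLOCK_SIZE]

    def read(self, index):
        return self.blocks[index]

    def retire_block(self, index):
        # Old contents stay physically present but are no longer addressable.
        self.retired.append(self.blocks[index])
        self.blocks[index] = bytes(BLOCK_SIZE)


def keystream_xor(key, index, data):
    """Toy per-block stream cipher (HMAC-SHA256 keystream XORed onto the data).
    Constructed for illustration only; XOR is its own inverse, so the same call
    encrypts and decrypts."""
    ks = hmac.new(key, index.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, ks))


class SelfEncryptingMedia(SimulatedMedia):
    """Media that encrypts writes once a key exists and decrypts reads with it."""

    def __init__(self, n_blocks):
        super().__init__(n_blocks)
        self.key = None

    def enable_encryption(self, key=None):
        self.key = key if key is not None else secrets.token_bytes(32)

    def write(self, index, data):
        padded = data.ljust(BLOCK_SIZE, b"\x00")[:BLOCK_SIZE]
        self.blocks[index] = keystream_xor(self.key, index, padded) if self.key else padded

    def read(self, index):
        raw = self.blocks[index]
        return keystream_xor(self.key, index, raw) if self.key else raw

    def cryptographic_erase(self):
        """Sanitize the key: ciphertext stays on the media but cannot be decrypted."""
        self.key = None


def clear_by_overwrite(media, pattern=b"\x00"):
    """NIST 'Clear': rewrite every user-addressable block with a fixed value."""
    for i in range(len(media.blocks)):
        media.blocks[i] = pattern * BLOCK_SIZE


def find_remnants(media, markers=PHI_MARKERS):
    """Verification scan over every physical location, addressable or not.
    Returns (location, marker) pairs where PHI is still present in the clear."""
    hits = []
    for i, blk in enumerate(media.blocks):
        hits += [(f"block{i}", m) for m in markers if m in blk]
    for i, blk in enumerate(media.retired):
        hits += [(f"retired{i}", m) for m in markers if m in blk]
    return hits


def overwrite_scenario():
    """Overwrite clears the addressable range but misses a remapped sector."""
    media = SimulatedMedia(4)
    media.write(1, PHI_MARKERS[0])
    media.retire_block(1)  # controller remaps the sector; the data is left behind
    media.write(2, PHI_MARKERS[1])
    clear_by_overwrite(media)
    return find_remnants(media)


def crypto_erase_scenario():
    """Cryptographic Erase protects only data written after encryption was enabled."""
    media = SelfEncryptingMedia(4)
    media.write(0, PHI_MARKERS[0])                 # before encryption: stored as plaintext
    media.enable_encryption(key=bytes(range(32)))  # fixed constructed key, for reproducibility
    media.write(1, PHI_MARKERS[1])                 # after encryption: ciphertext on the media
    readable_before = media.read(1).rstrip(b"\x00") == PHI_MARKERS[1]
    media.cryptographic_erase()
    readable_after = media.read(1).rstrip(b"\x00") == PHI_MARKERS[1]
    return readable_before, readable_after, find_remnants(media)


if __name__ == "__main__":
    print("overwrite: remnants after Clear ->", overwrite_scenario())
    print("crypto erase: (readable before, readable after, remnants) ->", crypto_erase_scenario())
```

The scan in `find_remnants` is the defender's check the guidance implies: after sanitizing, verify that no PHI is recoverable from any location, including those the normal interface no longer exposes. In the first scenario the overwrite succeeds on every addressable block yet the retired sector still holds a record number; in the second, the block written before encryption was enabled survives Cryptographic Erase untouched while the encrypted block becomes unreadable ciphertext.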
Degaussing renders a Legacy Magnetic Device purged when the strength of the degausser is carefully matched to the media coercivity. The coercivity of a device can be determined by referring to the device manufacturer. Degaussing renders devices unusable; however, it should be used in combination with other techniques for devices with flash memory-based storage or for magnetic devices that have other means of storage.
Destruction refers to disintegrating, pulverizing, melting, incinerating, or shredding. These methods completely destroy media and should only be used if other methods of sanitization are ineffective.
Organizations working with PHI must have policies and procedures in place for the disposal of PHI. It is important to maintain an asset list that records what type of data is stored on each device, enabling organizations to determine which sanitization method should be used for it. Healthcare entities may choose to use a third-party contractor for the disposal of PHI. The contractor would be considered a business associate under HIPAA; as such, there must be a signed business associate agreement in place before they are permitted to dispose of electronic media.
Do You Need Assistance with HIPAA Compliance?
Compliancy Group can help! Our cloud-based compliance software the Guard™ has everything you need to vet your vendors, document your due diligence, and provide you with business associate agreements. Find out how Compliancy Group can help you Achieve, Illustrate, and Maintain™ HIPAA compliance!