The Health Insurance Portability and Accountability Act (HIPAA), enacted in 1996, established industry standards for handling protected health information (PHI). PHI is any individually identifiable health information, such as patient names, addresses, dates of birth, and billing information, to name a few. HIPAA's requirements extend to the proper disposal of PHI. The Department of Health and Human Services' (HHS) Office for Civil Rights (OCR), the enforcement arm of HIPAA, released guidance on the disposal of electronic devices and media in its July 2018 Cybersecurity Newsletter.
Disposal of PHI on Electronic Devices and Media
Before electronic devices can be disposed of, healthcare organizations must ensure that all electronic protected health information (ePHI) has been removed. This applies to any device capable of storing PHI, including laptops, desktop computers, cell phones, tablets, zip drives, portable hard drives, DVDs, CDs, and backup tapes. It also applies to equipment that is easy to overlook because it has an internal hard drive capable of storing data, such as printers and photocopiers; these must be sanitized before disposal as well.
HHS requires organizations to have policies and procedures in place for the disposal of PHI and for the re-use of electronic media and hardware that has contained PHI. When creating these policies and procedures, HHS recommends the following:
- Determine and document the appropriate methods to dispose of hardware, software, and the data itself.
- Ensure ePHI is properly destroyed and cannot be recreated
- Ensure ePHI stored on hardware or electronic media is securely removed and cannot be accessed or reused
- Identify removable media and their use (tapes, CDs/DVDs, USB thumb drives)
- Ensure ePHI is removed from reusable media before the media is used to record new information
For proper disposal of PHI on electronic media, organizations must ensure that the media has been cleared, purged, or destroyed in accordance with National Institute of Standards and Technology (NIST) Special Publication 800-88 Revision 1, Guidelines for Media Sanitization, which the OCR guidance references.
NIST defines the three levels of sanitization as follows:
- Clear applies logical techniques to sanitize data in all user-addressable storage locations for protection against simple non-invasive data recovery techniques; typically applied through the standard Read and Write commands to the storage device.
- Purge applies physical or logical techniques that render Target Data recovery infeasible using state of the art laboratory techniques.
- Destroy renders Target Data recovery infeasible using state of the art laboratory techniques and results in the subsequent inability to use the media for storage of data.
Methods of Sanitization for Disposal of PHI
NIST describes four common sanitization methods that apply to the disposal of PHI: overwriting user-addressable storage space, Cryptographic Erase, degaussing, and physical destruction.
Overwriting replaces sensitive data with non-sensitive data using the device's standard read and write commands. It may not reach every area where sensitive data is stored: remapped sectors, spare blocks, and over-provisioned flash are not user-addressable, so overwriting generally achieves Clear rather than Purge, and on flash-based media NIST treats it as Clear only. Overwriting can only be used on devices that still function well enough to accept writes; damaged media must be sanitized another way. When overwriting for disposal of PHI, organizations should confirm that the device can actually be fully overwritten and then verify, by reading the media back, that the data is gone rather than assuming the writes succeeded.
Cryptographic Erase leverages encryption of the target data: the data is stored only in encrypted form, and sanitization is achieved by sanitizing the encryption key rather than the data. Only ciphertext remains on the media, which is effectively sanitized because it cannot be read without the key. This method is sound only if all target data was encrypted before it was written and every copy of the key is sanitized, including any backup or escrow copies; as with overwriting, the result should be verified by reading the media back and confirming the original data is not recoverable.
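The overwrite and Cryptographic Erase methods above, as an added example written for this page (it is not code from the OCR guidance, from NIST SP 800-88, or from the article's author): a Python script that runs both against temporary file-backed images standing in for a device's user-addressable space. The sample patient record, the temporary file names, and the SHA-256-based keystream that stands in for a self-encrypting drive's AES engine are all constructed for the illustration; the keystream is not a cipher to use in practice. What the paragraphs leave implicit and the script makes explicit is the verification step: read the media back and confirm the original record is gone, and note that an overwrite issued through ordinary write calls can only ever reach user-addressable space.

```python
import hashlib
import os
import tempfile

BLOCK = 4096
# Constructed sample ePHI record; it is planted on the image and must not survive.
SAMPLE_PHI = b"Patient: Jane Q. Public  DOB 1970-01-01  MRN 000000  Balance $1,234.56\n"

def make_image(size):
    """Temp file standing in for a device's user-addressable space, with the
    record planted at the start, the middle and the last block."""
    fd, path = tempfile.mkstemp(prefix="media-")
    with os.fdopen(fd, "wb") as f:
        f.write(b"x" * size)
        for off in (0, size // 2, size - BLOCK):
            f.seek(off)
            f.write(SAMPLE_PHI)
    return path

def overwrite_clear(path, passes=(None, b"\x00")):
    """NIST 'Clear' by overwrite with ordinary write calls (None = random pass,
    bytes = repeated pattern). Only user-addressable space is reached; remapped
    sectors, spare blocks and flash over-provisioning are not, which is why
    overwriting is Clear, not Purge. Returns the bytes written per pass."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for pattern in passes:
            f.seek(0)
            for off in range(0, size, BLOCK):
                n = min(BLOCK, size - off)
                f.write(os.urandom(n) if pattern is None
                        else (pattern * (n // len(pattern) + 1))[:n])
            f.flush()
            os.fsync(f.fileno())
    return size

def contains_marker(path, marker):
    """Verification: scan the whole addressable range for the record; the tail
    carried between reads catches a record straddling a block boundary."""
    tail = b""
    with open(path, "rb") as f:
        while chunk := f.read(BLOCK):
            if marker in tail + chunk:
                return True
            tail = chunk[-(len(marker) - 1):]
    return False

def all_bytes_equal(path, value):
    """Verification: every addressable byte carries the final pattern."""
    with open(path, "rb") as f:
        return all(c.count(value) == len(c) for c in iter(lambda: f.read(BLOCK), b""))

def xor_with_key(data, key):
    """XOR with a SHA-256 counter-mode keystream: an illustration stand-in for
    the AES engine of a self-encrypting drive, not a cipher to reuse."""
    ks = b"".join(hashlib.sha256(key + i.to_bytes(8, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

class EncryptedMedia:
    """Media that only ever holds ciphertext; the media encryption key lives in
    a separate zeroizable slot, as on a self-encrypting drive (illustrative)."""

    def __init__(self, path):
        self.path = path
        self.key_slot = bytearray(os.urandom(32))

    def write(self, plaintext):
        with open(self.path, "wb") as f:
            f.write(xor_with_key(plaintext, bytes(self.key_slot)))

    def read(self):
        with open(self.path, "rb") as f:
            return xor_with_key(f.read(), bytes(self.key_slot))

    def crypto_erase(self):
        """NIST 'Cryptographic Erase': sanitize the key, leave the ciphertext.
        Sound only if every copy of the key is zeroized and all target data
        was written encrypted in the first place."""
        self.key_slot[:] = bytes(len(self.key_slot))

def demo():
    """Run both methods on file-backed images and report what verification finds."""
    r = {}
    img = make_image(64 * BLOCK)
    r["clear_before"] = contains_marker(img, SAMPLE_PHI)
    overwrite_clear(img)
    r["clear_after"] = contains_marker(img, SAMPLE_PHI)
    r["clear_all_zero"] = all_bytes_equal(img, 0)
    os.unlink(img)
    fd, sed = tempfile.mkstemp(prefix="sed-")
    os.close(fd)
    media = EncryptedMedia(sed)
    media.write(b"y" * (2 * BLOCK) + SAMPLE_PHI)
    r["ce_raw_has_plaintext"] = contains_marker(sed, SAMPLE_PHI)
    r["ce_read_before"] = SAMPLE_PHI in media.read()
    media.crypto_erase()
    r["ce_read_after"] = SAMPLE_PHI in media.read()
    os.unlink(sed)
    return r
```

`demo()` returns the before-and-after verification results for both methods: the planted record is found before each sanitization and not after, the overwritten image reads back as all zeros, and the encrypted image never held plaintext at all, so zeroizing the key is what makes it unreadable. On real hardware the overwrite and key zeroization would be issued through the drive's own sanitize or crypto-erase command or the vendor's tool rather than file writes, but the read-back verification is the same step a disposal procedure should record for each device.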
Degaussing purges a legacy magnetic device when the strength of the degausser is matched to the coercivity of the media; the media's manufacturer can supply the coercivity value. Degaussing renders the device unusable afterwards. It has no effect on flash memory, so for devices with flash-based storage, or for magnetic devices that also contain other kinds of storage, it must be combined with other sanitization techniques.
Destruction refers to disintegrating, pulverizing, melting, incinerating, or shredding the media. These methods destroy the media completely, leaving nothing to reuse, and should be used when other methods of sanitization are ineffective or cannot be verified.
Organizations working with PHI must have policies and procedures in place for its disposal, so that the appropriate sanitization method can be determined for each type of device. Healthcare entities may choose to use a third-party contractor for the disposal of PHI. The contractor is a business associate under HIPAA, so a signed business associate agreement must be in place before the contractor is permitted to handle or dispose of electronic media.
Do You Need Assistance with HIPAA Compliance?
Compliancy Group can help! Our cloud-based compliance software, The Guard™, has everything you need to vet your vendors, document your due diligence, and put business associate agreements in place. Find out how Compliancy Group can help you Achieve, Illustrate, and Maintain™ HIPAA compliance!