HIPAA Covered Entities Required to Securely Dispose of ePHI-Laden Devices

Published On February 14, 2019

It goes without saying that the secure destruction of IT assets and PHI is important for many reasons. But when a government entity such as the Office for Civil Rights (OCR) weighs in on the matter, you know it’s serious and that healthcare organizations should put the proper policies, processes, and technologies in place if they haven’t already.

OCR recently released guidance on the disposal of electronic devices and ePHI and reminded covered entities that they are required by the HIPAA Security Rule to have policies and procedures to properly dispose of and re-use any hardware or electronic media containing ePHI.

According to OCR, this includes desktops, laptops, tablets, copiers, servers, smart phones, hard drives, USB drives, and any other kind of electronic storage device.

Avoid the risks of improper disposal of devices with ePHI

Improperly disposing of electronic devices housing ePHI opens healthcare organizations up to potential data breaches which, in turn, can be very costly. This is where a risk analysis becomes critical, OCR said, in determining not only how best to protect data stored on devices but also identify which devices have reached the end of their lifecycle and should be properly disposed of.

OCR stresses that it’s important to monitor the lifecycles of the devices a healthcare organization has and to decommission and securely dispose of devices and the data they hold.

In their guidance OCR suggests that healthcare organizations consider including the following steps in the decommissioning process:

• ensure devices are securely erased and then securely destroyed or recycled

• ensure inventories of devices and the data they hold are accurately updated
• ensure data privacy is privacy is protected via proper migration to another system or total destruction of data

Properly disposing of PHI

OCR also has guidance on how to make sure healthcare organizations are rendering PHI completely unusable, unreadable and indecipherable to any unauthorized individuals.

According to OCR, PHI is considered securely disposed of if paper, film, or other hard copy media have been shredded or destroyed so that PHI can’t be read or reconstructed. For PHI stored on electronic media, PHI has been rendered unusable and unreadable if the media have been cleared, purged or destroyed consistent with NIST guidelines so that PHI can’t be retrieved.

OCR advises healthcare organizations to, when developing policies, make sure covered entities and business associates:

• Determine and document appropriate methods to dispose of hardware, software, and data itself.

• Have processes in place to ensure ePHI is destroyed and can’t be recreated, accessed or reused.
• Identify removable media and their use including tapes, CDs, DVDs, USB thumb drives, etc.
• Ensure ePHI is removed from reusable media before that media is used to record new information.