People get rid of electronic devices all the time. There’s always a newer, stronger, more sophisticated version of your laptop, smartphone, or tablet. If you’re dealing with PHI (protected health information), however, you must ensure that each and every electronic device that stores sensitive information is accounted for and disposed of properly.
It sounds easy enough, but it’s important to consider all the aspects of proper electronic device disposal. If you get rid of a device that still has sensitive information stored on it, that information could be the source of a breach and you could be fined, putting your reputation at risk. Health and Human Services Office for Civil Rights devoted their July 2018 newsletter to disposing of electronic devices. This week, our blog summarizes their helpful advice. We will guide you through the process of proper devices disposal for both rented and owned equipment.
Devices That Could Cause a Breach
First, let’s review the types of electronic devices you may have in your office that could cause a breach. Laptops, desktops, smartphones, printers, copiers, USB (thumb) drives, and servers are the most likely culprits. HIPAA law requires you to document your organization’s disposal policy in your Security Policies and Procedures. List each type of electronic media you use, along with the device’s serial number. This list will likely be generated when you complete your company’s Risk Assessment. Remember to include all electronic storage devices1.
Disposing of Digital Media + Electronic Devices
HHS and the US Computer Emergency Readiness Team recommend the following three techniques for removing sensitive information from workplace electronic devices. Remember, several types of office equipment have hard drives (not just laptops and desktops!) These procedures for safely disposing of ePHI must also be applied to discarded printers, copiers, and servers2.
Clearing
This method, which is also referred to as overwriting, relies on the use of software or hardware to replace PHI with random, non-sensitive data. This should be done a minimum of seven times so that ePHI is completely irretrievable.
Purging
Degaussing refers to a method of clearing an electronic device through the use of magnets. Because hard drives rely on magnetic fields to store information, a strong magnetic field has the power to disrupt the equipment’s function and render the data unreadable.
Physical Destruction
This is the most surefire way to prevent leakage of any ePHI, however, this is not always feasible. Of course, you cannot destroy rented equipment or devices that you would like to clear and reuse. Pulverizing, burning/melting, shredding, and disintegrating are all acceptable methods of physical destruction.
Clearing data from mobile phones or tablets is a slightly different process. Follow these steps to erase sensitive information from mobile devices3:
-
- Remove the memory/SIM card.
-
- Go to the devices setting and select Erase All Settings, Factory Reset, Memory Wipe, etc. The language differs from model to model but all devices should have some version of this option.
-
- Destroy the memory/SIM card so that it cannot be used again.
- Deactivate the storage account (Apple ID for iPhones and iPads) associated with the device.
Storing Media Before Destruction
Where will each type of media be located while it awaits destruction? It is important to designate a secure storage place for media and devices containing PHI. For example, a locked closet is an adequate holding place for media before pickup.
Training Employees on Electronic Device Disposal
Under HIPAA 45 CFR 164.306(a)(4), 164.308(a)(5), and 164.530(b) and (i), any workforce member involved in disposing of PHI, or who supervises others who dispose of PHI, must receive training on disposal. This includes all employees and volunteers. As part of training, ensure your employees know about secure depositories or bins where media sits while it awaits destruction.
You must keep a log of the devices in storage. You need to check the log before final action so that you can determine if any of the devices are missing1.
Requirements for Keeping PHI
Make sure you have backed up on another device any PHI that you need to retain. HIPAA requires businesses to store PHI for six years. However, some states require seven years. Make sure you check your state regulations to know the specific guidelines for your business before erasing or destroying stored information.
Ignoring HIPAA rules about proper PHI disposal puts you at risk for hefty fines, potential lawsuits, and bad publicity. Your reputation depends on how well you serve your clients. Make sure the protected health information they’ve trusted you with is never compromised by careless or improper disposal.
1 https://www.totalhipaa.com/proper-disposal-of-phi/
3 https://www.us-cert.gov/sites/default/files/publications/DisposeDevicesSafely.pdf
