Computer Disposal Not Simple When PHI Involved
By Greg Freeman
Disposing of an old, unneeded computer usually is as easy as chucking it in the dumpster out back or giving it away to charity. But not when it might contain protected health information (PHI).
HIPAA strictly controls how covered entities can dispose of such hardware, says Deborah A. Cmielewski, JD, partner with the Schenck Price law firm in Florham Park, NJ. PHI on electronic media needs to be purged, destroyed, or cleared (overwritten) according to National Institute of Standards and Technology standards.
“Even in this day and age, it is shocking how many regulated entities routinely discard computers, drives, and disks by throwing them into a dumpster behind the building because it is quick and easy, or an untrained staff member does not realize the potential impact of the mistake,” she says. “In addition, it’s not uncommon to hear of providers who send someone out into the courtyard with a hammer and utilize the seemingly quick and easy method of ‘destroying’ the device.”
A prudent provider engages a data destruction vendor that specializes in HIPAA-compliant disposal of PHI on computers and similar devices, Cmielewski says. That entity will deliver a certificate of destruction and peace of mind along with it. Remember to sign a business associate agreement with the vendor, ensuring that it maintains the appropriate physical, administrative, and technical safeguards as required by HIPAA, she advises.
Regulated entities need to implement policies and procedures that address the final disposition of PHI contained in electronic media, and they need to document their specific disposal policies, she says. If an outside vendor will dispose of computers, a designated individual should transport the devices to the disposal facility or arrange for timely pickup of the devices. Failure to adhere to those policies should result in disciplinary action, up to and including termination, Cmielewski says.
HIPAA’s requirements on hardware disposal apply to hard drives (or other devices in computers); any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory cards; and any other device on which PHI is stored, says Elizabeth L.B. Greene, JD, partner with Mirick O’Connell in Worcester, MA. Notably, PHI also can be stored on other electronic devices that need to be disposed of in a HIPAA-compliant manner, including but not limited to fax and copy machines, tablets, and cell phones, she says.
Policies and procedures should include a process for confirming the electronic PHI (ePHI) has been removed in a HIPAA-compliant manner, and a plan for documenting the method used, the date of removal, the process for confirming the data is securely destroyed or protected, and the identity of who performed these checks, she says. Covered entities and their business associates must train their workforce in the policies and procedures for proper disposal of hardware and electronic media and ensure compliance by their workforce with those policies and procedures, she notes.
“While HIPAA does not dictate a particular disposal method, the covered entity and business associates cannot abandon hardware or electronic media on which PHI is stored or dispose of it in a way that does not safeguard the PHI,” Greene says. “In assessing disposal methods that reasonably safeguard ePHI, a covered entity and business associate must assess the potential risks associated with the specific types of personal information stored on the hardware or electronic media being disposed of, and consider the form, type, and amount of PHI involved.”
If the PHI contains sensitive information that would create the risk of identity theft, breach of privacy, discrimination, or reputational harm, including but not limited to PHI related to mental healthcare or substance use disorders/treatment, more care should be taken in disposing of the hardware or electronic media on which this PHI is stored, Greene says.
Covered entities and business associates must maintain the policies and procedures to address the final disposition of hardware or electronic media on which PHI is stored for six years from the date of its creation or when it was last in effect, whichever is longer, Greene says. They also must periodically review this documentation, and update it as needed in response to environmental or operational changes affecting the PHI’s security, she says.
Covered entities and business associates must assess whether it is reasonable and appropriate in their environment to implement and maintain a record of the disposal of hardware or electronic media that houses PHI, Greene says. If it is reasonable and appropriate to maintain such records, they must do so.
“If they find it would not be reasonable and appropriate to do so, they must document why not and implement an equivalent alternative measure, if reasonable and appropriate,” Greene says.
Sources
- Deborah A. Cmielewski, JD, Partner, Schenck Price, Florham Park, NJ. Phone: (973) 540-7327. Email: [email protected].
- Elizabeth L.B. Greene, JD, Partner, Mirick O’Connell, Worcester, MA. Phone: (508) 860-1514. Email: [email protected].
Greg Freeman has worked with Relias Media and its predecessor companies since 1989, moving from assistant staff writer to executive editor before becoming a freelance writer. He has been the editor of Healthcare Risk Management since 1992 and provides research and content for other Relias Media products. In addition to his work with Relias Media, Greg provides other freelance writing services and is the author of seven narrative nonfiction books on wartime experiences and other historical events.