HIPAA Requirements for Disposing of Electronic Devices

Every industry is susceptible to data breaches, but healthcare providers are especially vulnerable. Healthcare data breaches have risen over the last decade. In response, the Department of Health and Human Services’ Office for Civil Rights (OCR) has stepped up HIPAA-compliance enforcement, handing out unprecedented fines to covered entities for not following HIPAA breach notification guidelines.

In its July 2018 Cybersecurity Newsletter, OCR reminded HIPAA-covered entities about HIPAA rules for disposing of electronic devices and media. In this blog, we review these rules and discuss best practices for decommission devices and destroying data.

The HIPAA Security Rule

The HIPAA Security Rule requires that covered entities implement policies and procedures to address the final disposition of electronic protected health information (ePHI) and/or the hardware or electronic media on which it’s stored. Electronic devices capable of storing ePHI may include the following:

• Portable hard drives
• Backup tapes
• Desktop computers
• Laptops and tablets
• Servers
• Mobile Phones
• Fax machines
• Photocopiers
• Printers

Covered entities that fail to follow HIPAA Security Rule final disposition requirements may be fined by the OCR or face civil lawsuits.

Risk Analysis

The OCR reminds covered entities to conduct a risk analysis to address ePHI stored on electronic devices. The following questions should be considered in a risk analysis:

• What data is maintained by the organization, and where is it stored?
• Is the organization’s data disposal plan up to date?
• Are all asset tags and corporate identifying marks removed?

A qualified data security partner can audit your data management and disposal process to ensure your organization meets HIPAA Security Rule requirements.

Device Decommissioning and Data Destruction

In the same July 2018 Cybersecurity Newsletter, OCR also stresses that “Devices or media that need to be replaced should be decommissioned and disposed of securely to ensure that either the devices or media are destroyed, or any confidential or sensitive information stored on such devices or media has been removed.” OCR highlights the following method for the disposal of electronic devices with ePHI:

• Electronic media must be cleared, purged, or destroyed consistent with NIST Special Publication 800-88 Revision 1, Guidelines for Media Sanitization such that the PHI cannot be retrieved.

Given these requirements, it’s important to partner with a certified data destruction provider who meets media degaussing and erasure and data destruction standards set by the following organizations:

• National Association of Information Destruction (NAID)
• National Institute of Standards and Technology (NIST)
• Department of Defense (DOD)
• Environmental Protection Agency (EPA)

Reclamere’s Data 360 Security Program (DS360) offers a comprehensive data destruction and security solution for ensuring your healthcare organization complies with HIPAA requirements.

For more information, please call us at 814-684-5505 or complete the form on this page.