All healthcare organizations are required to have policies and procedures in place for the secure disposal of electronic devices and media that contained electronically protected health information (ePHI). Electronic devices include but are not limited to, desktops, laptops, tablets, copiers, servers, storage devices, and smartphones. Neglecting the disposal of these in the proper way creates risks for potential breaches.
In this article we will be covering, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR's) guidance on disposing of electronic devices and media. In addition, we will explain how Healthcare Compliance Pros helps our clients comply with these important HIPAA Security Rule requirements.
What should you consider during your Risk Analysis Process?
The OCR mentions that the improper disposal of electronic devices and media puts the information stored on such devices and media at risk for a potential breach. It also mentions that an organization's risk analysis plays a critical role in determining how best to protect data stored on electronic devices and media that is needing to be disposed of.
To reduce the risk of breaches of data stored on devices or media scheduled for final disposition, the ORC recommends the following:
- What data is maintained by the organization and where is it stored?
- Is the organization's data disposal plan up to date?
- Are all asset tags and corporate identifying marks removed?
- Have all asset recovery-controlled equipment and devices been identified and isolated?
- Is data destruction of the organization's assets handled by a certified provider?
- Have the individuals handling the organization's assets been subjected to workforce clearance processes and undergone appropriate training?
- Is onsite hard drive destruction required?
- What is the chain of custody?
- How is equipment staged/stored prior to transfer to external sources for disposal or destruction?
- What are the logistics and security controls in moving the equipment?
Under HIPAA, healthcare organizations must ensure media that need to be replaced are decommissioned and disposed of securely to ensure that either the devices or media are destroyed, or any confidential or sensitive information stored on such devices or media has been removed.
OCR's guidance describes decommissioning as the process of taking hardware or media out of service prior to the final disposition of such hardware or media. Steps organizations can consider as part of their decommissioning process include:
- Ensuring devices and media are securely erased and then either securely destroyed or recycled;
- Ensuring that inventories are accurately updated to reflect the current status of decommissioned devices and media or devices and media slated to be decommissioned; and
- Ensuring that data privacy is protected via proper migration to another system or total destruction of the data.
Destruction and Disposal of PHI
Healthcare Organizations are also required to implement policies and procedures regarding the disposal and re-use of hardware and electronic media containing PHI in electronic form (ePHI). According to OCR's guidance, healthcare organizations should:
- Determine and document the appropriate methods to dispose of hardware, software, and the data itself.
- Ensure that ePHI is properly destroyed and cannot be recreated.
- Ensure that ePHI previously stored on hardware or electronic media is securely removed such that it cannot be accessed and reused.
- Identify removable media and their use (tapes, CDs/DVDs, USB thumb drives).
- Ensure that ePHI is removed from reusable media before it is used to record new information.
How we can help
Healthcare Compliance Pros provides Media Removal and Media Disposal policies and procedures in our HIPAA Security module. While these policies ensure an organization is compliant with HIPAA requirements, they can also be customized based on specific procedures our clients use in their facilities. Additionally, as part of our Security Risk Analysis process, we will review what current processes are in place to ensure the final disposal of ePHI on any media and/or hardware that the electronic media is stored on.
Please feel free to contact us by email: firstname.lastname@example.org or by phone: 855-427-0427 if you have questions about HIPAA Security Rule requirements such as media removal, media disposal, or conducting a Security Risk Analysis.