OCR Reminds Healthcare Companies the Proper Disposal of Electronic Devices and Media

The Department of Health and Human Services’ Office for Civil Rights, in the July edition of its Cybersecurity Newsletter, reminded HIPAA covered entities about HIPAA Rules for disposing of electronic devices and media and has issued new guidance to help healthcare organizations avoid exposing the electronic protected health information (ePHI) of patients.

Before any electronic device is scrapped, decommissioned, resold or returned to a leasing firm, ePHI stored on the device must be securely and permanently erased.

The HIPAA Rules for disposing of electronic devices cover all devices and media where ePHI is stored, including desktop and laptop computers, servers, mobile phones, tablets, zip drives, portable hard drives, and DVDs, CDs, and backup tapes.

Healthcare companies likewise should be careful disposing of other electronic devices such as photocopiers, fax machines, and printers, as they can have internal hard drives that may contain ePHI.

If policies and procedures are not developed and implemented to cover the secure disposal of ePHI, data breaches are likely to occur. The cost of resolving those breaches can be considerable. Healthcare organizations will need to conduct an investigation, computer forensics experts may need to be hired, as well as breach response and public relations consultants. The cost of issuing breach notifications can be considerable, identity theft protection services may need to be arranged, and lawsuits may be filed by breach victims. There is also considerable potential for regulatory fines.

As the Ponemon Institute/IBM Security 2018 Cost of a Data Breach Study showed, breaches can easily cost millions of dollars. The study showed the average cost of a breach of 100,000 healthcare records was $3.86 million, with the cost per exposed healthcare record now $408.

Before a healthcare organization can ensure all ePHI is disposed of correctly, it is first necessary to determine all locations where ePHI is stored. An inventory must be created that includes all equipment and media where ePHI is stored and the list must be updated whenever new copies are created and new equipment is purchased.

The company should also perform a full risk analysis to determine the best way to protect ePHI when electronic devices reach the end of their lifespan.

45 C.F.R. §164.310(d)(2)(i)-(ii) requires organizations to create a data disposal plan. OCR suggests shredding, burning, or pulping paper records to make sure PHI is not readable and cannot be reconstructed. To ensure ePHI is similarly rendered unreadable and indecipherable, healthcare organziations should follow NIST’s Guidelines for Media Sanitization, (Special Publication 800-88 Revision 1). The guidelines suggest electronic devices should be destroyed, purged, degaussed, or cleared to make sure that ePHI is not retrievable. If reusing media, it is necessary to securely erase all data on the media rather than simply overwriting data. Additionally, asset tags and company identifying marks should be removed from devices and media before disposal.

If contracting a third party to dispose of electronic devices, all persons that handle the devices should be made aware of their responsibilities relating to ePHI.  Safe handling and workforce clearance procedures must be observed.

It is also important to consider the chain of custody of devices prior to their destruction and appropriate physical security measures should be implemented to prevent theft of equipment or the accessing of data by unauthorized persons.

The OCR cybersecurity newsletter provides further information on securely disposing of ePHI and PHI.