HIPAA Compliant Hard Drive Destruction

When disposing of digital media containing EPHI, such as recycling unused computer equipment or destroying old computer hard drives, organizations must follow certain rules.  The HIPAA Privacy Rule requires that covered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information (PHI), including information residing on computer hard drives and backup tapes.  E-Waste Security’s onsite hard drive destruction service helps health providers comply with HIPAA requirements during the computer recycling process.

Disposal of Protected Health Information

Covered entities must implement “reasonable” safeguards under HIPAA regulations to limit the disclosure of EPHI.  What is “Reasonable” ePHI data destruction?

Covered entities are encouraged to consider the steps that other prudent health care information professionals are taking to protect patient privacy in connection with record disposal.

Harold Goldberg

hipaa-logo
  • Implement reasonable safeguards to limit incidental, and to avoid prohibited, uses and disclosures of PHI, including the disposal of such information.
  • Implement policies and procedures to address the final disposition of electronic PHI and the media on which it is stored.
  • Implement procedures for removal of electronic PHI from digital media.
  • Ensure that the workforce members receive training and follow the disposal policies; members who supervise other, who dispose of PHI must also receive training on the disposal process.
Shredded Hard Drives

HOW TO DESTROY COMPUTER HARD DRIVES CONTAINING EPHI

Covered entities must implement “reasonable” safeguards under HIPAA regulations to limit the disclosure of EPHI. The term “reasonable” is ambiguous, and covered entities should error on safe side for data destruction. For example, if physical hard drive shredding is available, erasing hard drives may no longer seem “reasonable” under HIPAA regulations. Also, if on-site data destruction is available, allowing a vendor remove PHI for off-site destruction may no longer be prudent.

Please see HIPAA Security Standards: Digital Data Destruction to read the technical legislation.

ONSITE HARD DRIVE DESTRUCTION PROCESS

HIPAA: RULES FOR DESTROYING HARD DRIVES

Privacy and Security Rules do not require a particular disposal method; however, covered entities must review their circumstances to determine what is “reasonable” to safeguard PHI all the way through the disposal process. Proper digital media and computer hard drive disposal methods include, but are not limited to destroying electronic media by shredding, incineration, melting or pulverizing.

Organizations should assess potential risks to patient privacy and the type and amount of PHI to be disposed of such as, name, social security, drivers license, debit or credit card, diagnosis and treatment.

Hiring an outside vendor to dispose of protected health information is acceptable. When hiring an outside vendor to dispose of protected health information, a covered entity MUST enter into a contract or other agreement with the business contracted to dispose of PHI.

HIPAA ePHI Destruction Summary

Hard Drive Disposal

HIPAA Requirements for ePHI Destruction

  • Demand onsite data destruction for verification
  • Demand physical destruction – shredding is more “reasonable” than erasing
  • Require a Certificate of Destruction with serial number report
  • Hire a NAID Certified vendor
  • Media containing EPHI should be rendered “unusable and/or inaccessible”.
  • One method is to “physically damage it [hard drive] beyond repair, making the data inaccessible”.
  • Document the “receipt and removal of hardware and electronic media that contains EPHI”.
  • EPHI and electronic media such as computer hard drives should be rendered unusable and/or the data should be inaccessible.
  • All digital media coming into or leaving the custody of the covered entity should be properly inventoried and reported.
  • If hiring a business associate to perform data destruction services, the covered entity must enter into a written contract or agreement.
  • EPHI should remain in the custody of or supervised by an authorized employee.