HIPAA Data Destruction Requirements

NAID AAA Certified hard disk drive destruction

HIPAA, the Health Insurance Portability and Accountability Act, has made major changes in the way that health care providers and facilities that maintain patient records conduct their day-to-day affairs such as destroying ePHI. Ever since the law was passed by Congress in 1996, organizations have been struggling to keep up with the ever-changing regulations and requirements, and one of the most challenging areas that needs to be addressed is the HIPAA compliant hard drive destruction requirements for the disposal of protected health information.

Among the protections that HIPAA provides is the safeguarding of Electronic Protected Health Information, or EPHI, which is a catch-all term for individually identifiable health information either created or received by a health care facility or health care provider. It can pertain to a patient’s past, present and future physical and mental health and any care or payments provided in relation to their health. That covers just about all records that a health care facility or provider maintains, and in order to be in compliance they must take action regarding the information that resides on their computer hard drives, their back up tapes, and more.

HIPAA DATA DESTRUCTION

Organizations wishing to comply with these rules may be tempted to come up with their own safeguards and methods, but are often confounded and concerned by one outstanding statement found within the HIPAA rules.

“covered entities are encouraged to consider the steps that other prudent health care and health information professionals are taking to protect patient privacy in connection with record disposal.”

Health & Human Services

Shredded Hard Drives

What is “prudent”?

Vague terms such as “encouraged,” “consider,” and “prudent” are giving entities that fall under these requirements pause: Is “encouraged” the government’s way of warning that failure to do so would be viewed as noncompliance, or negligence? The ambiguous nature of the statement has led many to decide that erring on the side of caution is their wisest course of action, and are turning to on-site data destruction rather than simply erasing hard drives or allowing a vendor to remove the patient health information to an off-site location for remote destruction.

How Best to Destroy Computer Hard Drives that Contain EPHI?

Though the federal government’s privacy and security rules don’t specify a preferred method of disposal of PHI, they do require that organizations that are covered under the law take “reasonable” action to safeguard the information from the beginning of the disposal process through to the end. Acceptable hard drive and digital media disposal methods include destruction through shredding, incineration, melting and pulverizing, but additional precautions should also be taken with reference to making sure that a contract for the work has been put in place.

Government Regulations Require

  • 1. Implement reasonable safeguards to limit incidental, and to avoid prohibited, uses and disclosures of PHI, including the disposal of such information
  • 2. Implement policies and procedures to address the final disposition of electronic PHI and the media on which it is stored
  • 3. Implement procedures for removal of electronic PHI from digital media
  • 4. Ensure that the workforce members receive training and follow the disposal policies; members who supervise other, who dispose of PHI must also receive training on the disposal process

HIPAA Disposal Requirements

  • Electronic media that contains EPHI should be rendered “unusable and/or inaccessible”.
  • One method is to “physically damage it [hard drive] beyond repair, making the data inaccessible”.
  • Document the “receipt and removal of hardware and electronic media that contains EPHI”.
  • EPHI and electronic media such as computer hard drives should be rendered unusable and/or the data should be inaccessible.
  • All digital media coming into or leaving the custody of the covered entity should be properly inventoried and reported.
  • If hiring a business associate to perform data destruction services, the covered entity must enter into a written contract or agreement.
  • EPHI should remain in the custody of or supervised by an authorized employee.