HIPAA Media Disposal: Hard Drive Destruction

HIPAA Security Standards and Physical Safeguards

Hard Drive Destruction: Guidance from the Centers for Medicare & Medicaid Services (CMS) on the rule titled “Security Standards for the Protection of Electronic Protected Health Information,” found at 45 CFR Part 160 and Part 164, Subparts A and C. This rule, commonly known as the Security Rule, was adopted to implement provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). We provide businesses in Orange County, Los Angeles and San Jose, California secure and certified HIPAA Compliant document shredding and hard drive shredding.  How to destroy HIPAA media.

This page is meant to be a technical summary of HIPAA Legislation:  Physical Safeguards.

Please see HIPAA Compliant Hard Drive Destruction for a real world understanding of how to destroy and recycle computer hard drives

HIPAA Requirements for Electronic Media Disposal

  1. Electronic media that contains EPHI should be rendered “unusable and/or inaccessible”
  2. One method is to “physically damage it [hard drive] beyond repair, making the data inaccessible”
  3. Document the “receipt and removal of hardware and electronic media that contains EPHI”

The Security Rule defines physical safeguards as “physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.” The standards are another line of defense (adding to the Security Rule’s administrative and technical safeguards) for protecting EPHI.

To view the HIPAA Security Series goto: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/physsafeguards.pdf

DEVICE AND MEDIA CONTROLS – STANDARD 164.310(d)(1)

The Device and Media Controls standard requires covered entities to:

“Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information, into and out of a facility, and the movement of these items within the facility.”

As referenced here, the term “electronic media” means, “electronic storage media including memory devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card…” This standard covers the proper handling of electronic media including receipt, removal, backup, storage, reuse, disposal and accountability. Sample questions for covered entities to consider:

  1. Are policies and procedures developed and implemented that govern the receipt and removal of hardware and electronic media that contain EPHI, into and out of a facility, and the movement of these items within the facility?
  2. Do the policies and procedures identify the types of hardware and electronic media that must be tracked?
  3. Have all types of hardware and electronic media that must be tracked been identified,

The Device and Media Controls standard has four implementations specifications, two required and two addressable.

  1. Disposal (Required)
  2. Media Re-Use (Required)
  3. Accountability (Addressable)
  4. Data Backup and Storage (Addressable)

DISPOSAL (R) – § 164.310(d)(2)(i)

The Disposal implementation specifications states that covered entities must:

“Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored.”

When covered entities dispose of any electronic media that contains EPHI they should make sure it is unusable and/or inaccessible. One way to dispose of electronic media is by degaussing. Degaussing is a method whereby a strong magnetic field is applied to magnetic media to fully erase the data. If a covered entity does not have access to degaussing equipment, another way to dispose of the electronic is to physically damage beyond repair, making the data inaccessible. Sample questions for covered entities to consider:

  1. Are policies and procedures developed and implemented that address disposal of EPHI, and/or the hardware or electronic media on which it is stored?
  2. Do the policies and procedures specify the process for making the hardware or electronic media, unusable and inaccessible?
  3. Do the policies and procedures specify the use of a technology, such assoftware or a specialized piece of hardware, to make EPHI, and/or the hardware or electronic media, unusable and inaccessible?
  4. Are the procedures used by personnel authorized to dispose of EPHI, and/or the hardware or electronic media?

MEDIA RE-USE (R) – § 164.310(d)(2)(ii)

Instead of disposing of electronic media, covered entities may want to reuse it. Media Re-Use, a required implementation specification for this standard, states that covered entities must:

“Implement procedures for removal of electronic protected health information from electronic media before the media are made available for re-use.”

In addition to appropriate disposal, covered entities must appropriately reuse electronic media, whether for internal or external use. Internal re-use may include re-deployment of PCs or sharing floppy disks. External re-use may include donation of electronic media to charity organizations or local schools. In either of these instances, it is important to remove all EPHI previously stored on the media to prevent unauthorized access to the information.

Covered entities should consider the following when developing a re-use procedures. Sample questions for covered entities to consider:

  1. Are procedures developed and implemented for removal of EPHI from electronic media before re-use?
  2. Do the procedures specify situations when all EPHI must be permanently deleted or situations when the electronic media should only be reformatted so that no files are accessible?

To view the HIPAA Security Series goto: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/physsafeguards.pdf