HIPAA Data Destruction Requirements

HIPAA, the Health Insurance Portability and Accountability Act, has made major changes in the way that health care providers and facilities that maintain patient records conduct their day-to-day affairs such as destroying ePHI. Ever since the law was passed by Congress in 1996, organizations have been struggling to keep up with the ever-changing regulations and requirements, and one of the most challenging areas that needs to be addressed is the HIPAA compliant hard drive destruction requirements for the disposal of protected health information.

A monetary penalty or fine is the least of your financial worries as a consequence of HIPAA non-compliance, because corrective action plans (CAPs) can be extremely costly. –

 

HSS HIPAA

How Best to Destroy Computer Hard Drives that Contain EPHI?

Though the federal government’s privacy and security rules don’t specify a preferred method of disposal of PHI, they do require that organizations that are covered under the law take “reasonable” action to safeguard the information from the beginning of the disposal process through to the end. Acceptable hard drive and digital media disposal methods include destruction through shredding, incineration, melting and pulverizing, but additional precautions should also be taken with reference to making sure that a contract for the work has been put in place.

“For practical information on how to handle the disposal of computers and digital media containing ePHI – consult NIST 800-88, Guidelines for Media Sanitization” – Department of Health and Human Services

What is “reasonable” and “prudent”?

Vague terms such as “encouraged,” “consider,” and “prudent” are giving entities that fall under these requirements pause: Is “encouraged” the government’s way of warning that failure to do so would be viewed as noncompliance, or negligence? The ambiguous nature of the statement has led many to decide that erring on the side of caution is their wisest course of action, and are turning to on-site data destruction rather than simply erasing hard drives or allowing a vendor to remove the patient health information to an off-site location for remote destruction.

Among the protections that HIPAA provides is the safeguarding of Electronic Protected Health Information, or EPHI, which is a catch-all term for individually identifiable health information either created or received by a health care facility or health care provider. It can pertain to a patient’s past, present and future physical and mental health and any care or payments provided in relation to their health. That covers just about all records that a health care facility or provider maintains, and in order to be in compliance they must take action regarding the information that resides on their computer hard drives, their back up tapes, and more.

Organizations wishing to comply with these rules may be tempted to come up with their own safeguards and methods, but are often confounded and concerned by one outstanding statement found within the HIPAA rules.

“covered entities are encouraged to consider the steps that other prudent health care and health information professionals are taking to protect patient privacy in connection with record disposal.”

HIPAA Data Disposal Requirements

Electronic media that contains EPHI should be rendered “unusable and/or inaccessible”.

  1. One method is to “physically damage it [hard drive] beyond repair, making the data inaccessible”
  2. Document the “receipt and removal of hardware and electronic media that contains EPHI”.
  3. EPHI and electronic media such as computer hard drives should be rendered unusable and/or the data should be inaccessible.
  4. All digital media coming into or leaving the custody of the covered entity should be properly inventoried and reported.
  5. If hiring a business associate to perform data destruction services, the covered entity must enter into a written contract or agreement.
  6. EPHI should remain in the custody of or supervised by an authorized employee.