In newsletter guidance, the Department of Health and Human Services (HHS) offered additional guidance on disposing of electronic devices and media containing protected health information (PHI) in a manner that avoids causing a breach under the Health Insurance Portability and Accountability Act (HIPAA).
HHS's Office for Civil Rights (OCR) has issued newsletter guidance on disposing of electronic devices and media that may contain protected health information (PHI) subject to HIPAA (OCR Cybersecurity Newsletter (July 2018); see HIPAA Privacy, Security, and Breach Notification Toolkit). The newsletter addresses procedures for securely decommissioning and disposing of devices or media that need to be replaced. In general, these procedures involve either:
Destroying the devices or media.
Removing any confidential or sensitive information stored on the devices or media.
Numerous negative consequences may follow for a HIPAA covered entity (CE) or business associate (BA) that sustains a breach. These consequences include having to:
HHS defines "decommissioning" as the process of taking hardware or media out of service before its final disposition. A CE's or BA's decommissioning procedures should ensure that:
Devices and media are securely erased, and securely destroyed or recycled.
Inventories are accurately updated to reflect the current status of:
decommissioned devices and media; and
devices and media scheduled for decommissioning.
Data privacy is protected by appropriately migrating the data to another system or totally destroying it.
Destroying and Disposing of PHI
HIPAA's Security Rule requires CEs and BAs to implement policies and procedures concerning the disposal and re-use of hardware and electronic media containing PHI in electronic form (ePHI) (45 C.F.R. § 164.310(d)(2)(i)-(ii); see Practice Note, HIPAA Security Rule: Device and Media Controls). As part of their policies and procedures for the final disposition of hardware and electronic media containing ePHI, CEs and BAs should:
Determine and document the appropriate methods for disposing of hardware, software, and the data itself.
Ensure that ePHI is properly destroyed and cannot be recreated.
Confirm that ePHI previously stored on hardware or electronic media is securely removed so that it cannot be accessed and reused.
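One way to make the decommissioning and disposal requirements above enforceable in practice is a small inventory tracker that refuses to mark a device recycled until its erase has been verified and that records chain of custody at every step. This is an added example, not code from the HHS guidance; it assumes a zero-fill erase (so a post-erase read-back must contain only 0x00 bytes), and the asset tags and holder names are constructed.

```python
"""Decommissioning tracker: refuses disposal of a device or medium until its erase
has been verified, and keeps a chain-of-custody log for the inventory.
Added example, not from the HHS newsletter; asset tags and holder names are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Permitted status transitions for a decommissioned device or medium.
# Physical destruction is acceptable without a prior logical erase; recycling is not.
TRANSITIONS = {
    "in_service": {"scheduled"},
    "scheduled": {"erased", "destroyed"},
    "erased": {"destroyed", "recycled"},
    "destroyed": set(),
    "recycled": set(),
}

def media_is_wiped(readback: bytes) -> bool:
    """Check a post-erase read-back of the medium for residual data.
    Assumes a zero-fill erase: every byte must read as 0x00, and an empty read-back
    is treated as unverified rather than clean."""
    return len(readback) > 0 and not any(readback)

@dataclass
class Asset:
    tag: str                      # inventory asset tag, e.g. "HD-0001" (constructed)
    status: str = "in_service"
    wipe_verified: bool = False
    custody: list = field(default_factory=list)   # (utc timestamp, holder, event)

    def transition(self, new_status: str, holder: str, readback: bytes = b"") -> None:
        """Move the asset to new_status, recording who held it; raises on any step
        that would dispose of the asset with ePHI possibly still recoverable."""
        if new_status not in TRANSITIONS[self.status]:
            raise ValueError(f"{self.tag}: {self.status} -> {new_status} not permitted")
        if new_status == "erased":
            if not media_is_wiped(readback):
                raise ValueError(f"{self.tag}: erase not verified, residual data present")
            self.wipe_verified = True
        self.status = new_status
        self.custody.append((datetime.now(timezone.utc).isoformat(), holder, new_status))

def inventory(assets) -> dict:
    """Current inventory grouped by status, so scheduled and decommissioned items stay visible."""
    report: dict = {}
    for a in assets:
        report.setdefault(a.status, []).append(a.tag)
    return report
```

A read-back that still contains data, or an attempt to recycle a drive that was never verified as erased, is rejected and the asset stays in its previous status.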
PHI is considered to have been disposed of in a secure manner when the media on which the PHI is stored or recorded is destroyed in one of the following ways:
Paper, film, or other hard copy media are shredded or destroyed, so that the PHI cannot be read or otherwise cannot be reconstructed. (Redaction is expressly excluded as a means of data destruction.)
Risk Analysis Considerations in Disposing of Electronic Devices and Media
A CE's or BA's analysis of disposal issues should encompass the full spectrum of electronic devices and media that may contain PHI, including:
Desktop and laptop computers, tablets, and smartphones.
Copiers and servers.
Hard drives, USB drives, and electronic storage devices.
To minimize the risk of a breach involving data stored on electronic devices or media that are scheduled for final disposition, a CE's or BA's analysis should consider the following issues:
What data is maintained by the CE or BA, and where is it stored?
Is there a current data disposal plan in place?
Have asset tags and corporate identifying marks been removed?
Has the CE or BA identified and isolated all asset recovery-controlled equipment and devices?
Is on-site destruction of hard drives required?
What is the chain of custody?
How is equipment staged and stored before being transferred to external sources for disposal or destruction?
What are the logistics and security controls in moving the equipment?
Regarding the individuals and entities involved in the disposal process (which could include subcontractors), a CE or BA should consider the following questions:
Is data destruction of the CE's or BA's assets handled by certified providers?
As HHS notes in this guidance, improperly disposing of electronic devices and media can result in a HIPAA breach of PHI, from which invasive government investigations and expensive settlement agreements may follow. In one well-known enforcement action involving disposal, for example, a health plan was required to pay $1.2 million after it disclosed the ePHI of almost 345,000 individuals by failing to properly erase photocopier hard drives before returning the photocopiers to a leasing company (see Legal Update, Health Plan Pays $1.2 Million HIPAA Settlement for Impermissible Disclosures of E-PHI Involving Photocopiers). Given the speed at which current technology may become obsolete, CEs and BAs may want to consider HHS's procedures for decommissioning – an issue that hasn't received as much attention in reported settlement agreements – as part of their approach to disposing of electronic devices and media.