HHS's Office for Civil Rights (OCR) has issued newsletter guidance on disposing of electronic devices and media that may contain protected health information (PHI) subject to HIPAA (OCR Cybersecurity Newsletter (July 2018); see HIPAA Privacy, Security, and Breach Notification Toolkit). The newsletter addresses procedures for securely decommissioning and disposing of devices or media that need to be replaced. In general, these procedures involve either:

(See Practice Note, Disposing of HIPAA PHI for Group Health Plans.)

Numerous negative consequences may follow for a HIPAA covered entity (CE) or business associate (BA) that sustains a breach. These consequences include having to:

A breach may also result in an HHS investigation, enforcement action, and settlement agreement, which may require a CE or BA to pay significant penalties and satisfy an onerous list of compliance requirements (some of which may take several years to carry out) (see Practice Notes, HIPAA Enforcement: Penalties and Investigations and HIPAA Enforcement: Settlement Agreements).

HHS defines "decommissioning" as the process of taking hardware or media out of service before its final disposition. A CE's or BA's decommissioning procedures should ensure that:

HIPAA's Security Rule requires CEs and BAs to implement policies and procedures concerning the disposal and re-use of hardware and electronic media containing PHI in electronic form (ePHI) (45 C.F.R. § 164.310(d)(2)(i)-(ii); see Practice Note, HIPAA Security Rule: Device and Media Controls). As part of their policies and procedures for the final disposition of hardware and electronic media containing ePHI, CEs and BAs should:

PHI that is disposed of consistent with existing HHS guidance on rendering PHI unusable, unreadable, or indecipherable is not:

(See Practice Note, Disposing of PHI for Group Health Plans.)

PHI is considered to have been disposed of in a secure manner when the media on which the PHI is stored or recorded is destroyed in one of the following ways:

A CE's or BA's analysis of disposal issues should encompass the full spectrum of electronic devices and media that may contain PHI, including:

To minimize the risk of breach involving data stored on electronic devices or media that are scheduled for final disposition, a CE's or BA's analysis should consider the following issues:

Regarding the individuals and entities involved in the disposal process (which could include subcontractors), a CE or BA should consider the following questions:

As HHS notes in this guidance, improperly disposing of electronic devices and media can result in a HIPAA breach of PHI from which invasive government investigations and expensive settlement agreements may follow. In one well-known enforcement action from the disposal context, for example, a health plan was required to pay $1.2 million after it disclosed the ePHI of almost 345,000 individuals by failing to properly erase photocopier hard drives before returning the photocopiers to a leasing company (see Legal Update, Health Plan Pays $1.2 Million HIPAA Settlement for Impermissible Disclosures of E-PHI Involving Photocopiers). Given the speed at which current technology may become obsolete, CEs and BAs may want to consider HHS's procedures for decommissioning – an issue that hasn't received as much attention in reported settlement agreements – as part of their approach for disposing of electronic devices and media.