Healthcare organizations upgrade their electronic devices and hardware all the time. Newer, more sophisticated equipment, laptops, printers, and smartphones are being introduced every day.
If you are storing PHI (protected health information) on your hardware, you must make sure that each and every piece of equipment that stores sensitive information is disposed of properly in order to remain compliant with HIPAA regulations.
Disposing of PHI hardware sounds easy enough; however, there are many aspects to consider when it comes to properly disposing of sensitive information stored on your hardware devices.
In this article, we’ll guide you through the process of proper device disposal to keep you and your business compliant with HIPAA guidelines.
HIPAA, or The Health Insurance Portability and Accountability Act, sets the standard for PHI protection.
Any company or organization that handles PHI must have security measures in place and adhere to them. There are two main categories of organizations covered by HIPAA:
Covered Entities (CEs): health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with HIPAA-covered transactions. These are the organizations that use PHI for treatment, payment, or health care operations (commonly known as TPO).
Business Associates (BAs): anyone outside the covered entity's own workforce who creates, receives, maintains, or transmits PHI on its behalf, including vendors that support treatment, payment, or operations. A hardware disposal vendor that takes custody of drives containing PHI is a business associate.
It’s important to understand what types of hardware you may have in your office that could contain PHI; these include but are not limited to:
Essentially, almost any connected device within a healthcare organization can hold PHI, whether in local storage, caches, print spools, or removable media, and must be protected and disposed of properly when the time comes.
Under the HIPAA Security Rule (45 CFR 164.310(d)), your organization is required to document in its Security Policies and Procedures how ePHI and the hardware or electronic media it is stored on are finally disposed of, how media is sanitized before re-use, and how movements of hardware and media are recorded. Your organization should maintain an inventory of all its equipment that records, for each device, whether it can store or access PHI, its serial number, its location and custodian, and other relevant information.
The US Department of Health and Human Services (HHS) guidance on disposal points to NIST Special Publication 800-88, Guidelines for Media Sanitization, which defines the three techniques below for removing sensitive information from workplace hardware. Before you can get rid of the physical device, you must remove any and all PHI from it using one of these techniques and verify that the removal worked.
The procedures for securely disposing of PHI, in increasing order of strength, are:
1. Clearing
Clearing, also referred to as overwriting, replaces the PHI on a device with non-sensitive data (typically all zeros or a fixed pattern) and then reads the media back to verify the overwrite. The old advice to overwrite seven or more times dates from much older drive technology; NIST SP 800-88 Rev. 1 treats a single verified pass as sufficient for modern magnetic drives. Overwriting is not a reliable clear for SSDs and other flash media, because wear levelling can leave old copies of data in blocks the operating system cannot address.
2. Purging
Purging makes the data infeasible to recover even with laboratory techniques. For magnetic hard drives and tapes, the classic purge method is degaussing: hard drives rely on magnetic fields to store information, so exposing the media to a sufficiently strong magnetic field destroys the recorded data and renders it unreadable. Degaussing also wipes the drive's own servo and firmware tracks, so a degaussed hard drive cannot be re-used, and it does nothing at all to flash memory, which does not store data magnetically. For SSDs, purging means the drive's built-in sanitize or secure-erase command, or cryptographic erase (destroying the encryption key of a self-encrypting drive); confirm that the specific drive actually supports and correctly implements the command rather than assuming it does.
3. Physical Destruction
Physical destruction is the most reliable way to prevent a leak of PHI and the only option for media that cannot be cleared or purged with confidence. Destruction of PHI hardware requires pulverizing, burning/melting, disintegrating or shredding; for flash media the particle size must be small enough to break up the individual memory chips, not just the circuit board.
This method, however, is not always viable. If you have equipment that you would like to clear and re-use, or if your equipment is leased and must be returned, destroying it may not be feasible, and you must fall back on a verified clear or purge.
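The clearing step described above, together with the read-back verification that SP 800-88 expects, as an added example in Python. This is not code from the original article; it works on a constructed raw image file that stands in for a decommissioned drive, and the sample record, the PHI search patterns and all function names are this example's own assumptions. The same functions accept a real block device path, but that needs root and irreversibly erases the device, and for SSD/flash media the overwrite is not a valid clear.

```python
import os
import re
import tempfile

CHUNK = 1 << 20  # 1 MiB per read/write

# Constructed sample record and search patterns for the demo. They stand in for
# the identifiers your inventory says a device may hold; none of this is real data.
SAMPLE_RECORD = b"PATIENT: Jane Q. Public DOB 1970-01-01 SSN 123-45-6789 DX: J45.909\n"
PHI_PATTERNS = [re.compile(rb"\b\d{3}-\d{2}-\d{4}\b"), re.compile(rb"PATIENT:")]


def target_size(path):
    """Size of a regular file or a block device (os.path.getsize is 0 for device nodes)."""
    with open(path, "rb") as f:
        f.seek(0, os.SEEK_END)
        return f.tell()


def make_demo_image(path, size_mib=2):
    """Write a constructed raw 'disk image' with one record buried mid-way,
    standing in for a drive pulled from a decommissioned workstation."""
    with open(path, "wb") as f:
        f.truncate(size_mib * CHUNK)
        f.seek(size_mib * CHUNK // 2)
        f.write(SAMPLE_RECORD)
    return path


def scan_for_residual_phi(path):
    """Read the raw media end to end and count PHI-pattern hits.
    Each window carries the tail of the previous chunk so a record that straddles
    a chunk boundary is still found; only matches ending in new bytes are counted."""
    hits, tail = 0, b""
    with open(path, "rb") as f:
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                break
            window = tail + chunk
            for pat in PHI_PATTERNS:
                hits += sum(1 for m in pat.finditer(window) if m.end() > len(tail))
            tail = chunk[-64:]
    return hits


def overwrite_image(path, passes=1, fill=0x00):
    """Clear: overwrite every byte in place and fsync. NIST SP 800-88 Rev. 1 accepts
    one verified pass for magnetic media; `passes` exists only for policies that
    still demand more. Not a valid clear for SSD/flash (wear levelling can keep old
    copies in unaddressable blocks); use the drive's sanitize command there."""
    size = target_size(path)
    block = bytes([fill]) * CHUNK
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining:
                n = min(remaining, CHUNK)
                f.write(block[:n])
                remaining -= n
            f.flush()
            os.fsync(f.fileno())
    return size


def verify_cleared(path, fill=0x00):
    """Read everything back and confirm it equals the fill byte; an overwrite
    that is not verified is not a completed clear under SP 800-88."""
    size = target_size(path)
    expected = bytes([fill]) * CHUNK
    seen = 0
    with open(path, "rb") as f:
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                break
            if chunk != expected[: len(chunk)]:
                return False
            seen += len(chunk)
    return seen == size


def run_demo(path=None):
    """Build the constructed image, show the record is findable, clear it, verify.
    Returns (hits_before, hits_after, verified)."""
    if path is None:
        path = os.path.join(tempfile.mkdtemp(), "decommissioned-disk.img")
    make_demo_image(path)
    before = scan_for_residual_phi(path)
    overwrite_image(path)
    verified = verify_cleared(path)
    after = scan_for_residual_phi(path)
    return before, after, verified


if __name__ == "__main__":
    print(run_demo())  # (2, 0, True)
```

The scan before clearing is what a forensic recovery would see: the record is found in the raw bytes even though no filesystem "file" points at it. Keep the scan and verification output with the device's inventory record as evidence that sanitization was completed.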
If your organization is selling or discarding any hardware, you may be tempted to simply delete the files or reformat the drive. Neither permanently removes PHI. Deleting a file only removes its directory entry and marks its blocks as free, and a quick format does much the same for a whole volume; although the information is no longer visible to you, the data remains on the platters or flash cells until it is overwritten and can be retrieved with ordinary forensic tools.
You need secure data destruction that permanently eliminates PHI data from every piece of hardware so that your patients’ information is not put in jeopardy.
There are companies who specialize in the proper disposal of PHI hardware. Because they handle PHI on your behalf, they are business associates and must sign a business associate agreement before taking custody of your equipment. They should provide a Certificate of Destruction that lists each device by serial number and the sanitization method used, as validation that the equipment was disposed of properly and within HIPAA guidelines; note that this certificate is the vendor's attestation, not a document issued by HHS.
HIPAA law regarding disposal of protected health information dictates that you train your employees on how to properly dispose of PHI. According to HIPAA law, any workforce member who is involved in disposing of PHI or who supervises others who dispose of PHI, must receive proper PHI training.
Hardware awaiting sanitization or destruction still contains PHI and should be kept in a secure area, such as a locked depository bin or cage, with its chain of custody recorded, until it is disposed of through a qualified vendor.
HIPAA itself requires the documentation it mandates (policies, procedures, and records of actions such as disposal logs) to be retained for six years; retention periods for the medical records themselves are set by state law and are frequently longer. It is important to keep this in mind when you are preparing to dispose of hardware that may hold PHI that still needs to be retained. Make sure any PHI that must be kept has been migrated to and verified on another system before the hardware is sanitized or destroyed.
Your business reputation depends on your ability to serve your clients or patients. This includes making sure that the personal information they trusted you with is never compromised by improper or careless disposal of hardware.