Every year, hundreds of healthcare data breaches expose the protected health information (PHI) of millions of patients. While a breach can happen for many reasons, the incorrect disposal of hardware that contains PHI is one risk that healthcare providers cannot afford to overlook. HIPAA IT compliance requires that any PHI your organization stores on electronic devices must be disposed of following certain guidelines. If disposed of incorrectly, your organization and patients could be at risk.
Healthcare providers can use the guidance and tips in this blog to help maintain best HIPAA IT compliance practices when disposing of hardware that contains PHI. Let's begin by examining which devices you'll need to consider.
Devices to Include
To protect data that's stored on electronic devices and media, it's best to first conduct a full risk analysis of your organization's IT infrastructure and administrative, physical, and technical safeguards. A healthcare-focused IT firm can create an inventory of all your organization's electronic devices that may contain PHI, which will help to determine the best ways to dispose of devices. You may be surprised to see some device types on this list.
At a minimum, you'll likely need to include the following devices on your disposal list:
- Desktop computers
- Mobile phones
- Portable hard drives
- USB drives
- Zip drives
- CDs, DVDs, and backup tapes
You also won't want to miss any other devices that store patient data on internal hard drives. Commonly overlooked devices that can store PHI include:
- X-ray machines
- Fax machines
- CT and MRI machines
How to Properly Dispose of Hardware with PHI
When it's time to dispose of hardware that contains PHI, how can your organization do so while maintaining HIPAA IT compliance? While there is not one preferred method, healthcare providers must follow regulations set by the U.S. Department of Health & Human Services (HHS). It's helpful if you develop a plan and procedures specific to your organization.
According to HHS, any devices with PHI cannot be disposed of in a dumpster that's accessible by the public. One exception is if the PHI "… has been rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed prior to it being placed in a dumpster."
The HIPAA Privacy and Security Rules have several disposal requirements that organizations must follow. Below are a few guidelines for the proper disposal methods for hardware.
PHI on electronic media — Consistent with NIST Special Publication 800-88 Revision 1, Guidelines for Media Sanitization, devices must be cleared (using software or hardware products to overwrite media with non-sensitive data), purged (degaussing or exposing the media to a strong magnetic field in order to disrupt the recorded magnetic domains), or destroyed (disintegration, pulverization, melting, incinerating, or shredding). Don't forget that asset tags and corporate identifying marks should also be removed.
Depositing PHI in locked dumpsters — Depending on the size and type of your organization, devices containing PHI should be disposed of in dumpsters that are only accessible by authorized persons, such as appropriate refuse workers.
Business associate agreement for third-party contractors — If your organization chooses to work with a third party to dispose of electronic devices that contain PHI, you must ensure that a business associate agreement is entered into with the vendor before work begins. Anyone who may handle these devices should be aware of their responsibilities as they relate to properly disposing of these items.
Physical security controls — These should be put in place to ensure the devices cannot be stolen or accessed by unauthorized individuals. Security controls include the safe transportation of devices until all data is destroyed.
How to Train Staff on Proper Disposal
Using the information above as a starting point, your organization's staff must be trained on how to properly dispose of hardware. Below are a few recommendations for training your staff. Keep in mind that every healthcare provider is different, so training should be customized to suit your needs.
- Include staff members who are directly disposing of PHI, anyone who supervises others who dispose of hardware, and any volunteers.
- When you deliver HIPAA compliance training, which is typically provided annually, it makes sense to include information about the proper disposal of hardware. For any new staff, it's crucial that this training be provided not long after hire to avoid mistakes that could jeopardize compliance.
- Your practice's training should cover the devices that may contain PHI as well as the policies and procedures that are in place to properly dispose of these devices.
- Staff should be made aware if your organization has a depository or bin where hardware should be placed while it awaits disposal.
Since HIPAA training requirements are complex, many healthcare providers choose to partner with a healthcare IT specialist to help strengthen training and ensure that staff receive timely and current compliance information from experts in HIPAA IT compliance.
Common Device Disposal Mistakes That Healthcare Providers Make
Now let's review some common mistakes associated with device disposal to help ensure your organization avoids making them.
Training home healthcare workers — If your organization employs home healthcare workers, it's crucial that they are trained and aware of how to correctly dispose of devices that may have PHI on them. While there isn't a specified way for home healthcare workers to dispose of hardware, they should be trained with the rest of your staff and follow your organization's policies and procedures.
Reusing hardware with PHI — Another area that organizations may overlook is the reuse of hardware that previously stored electronic protected health information. Some organizations may either assume that these devices should not be used again or forget to properly dispose of PHI before they are reused. If your organization uses reusable devices, all PHI that's stored on the devices should be securely and completely erased before reuse.
Simple deletion of data isn't enough — Before reusing or disposing of hardware, some organizations may think that deleting all the data or even formatting the hard drive is enough. But if you approach clearing data the wrong way, it can leave some data behind or even make it possible to retrieve all of the data. When devices store PHI, any failure to fully wipe a drive will put your practice and patients at risk, so it's important to have the appropriate procedures in place to correctly clear and purge any data.
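The difference between deleting and clearing, as an added example that is not part of the original post: a constructed in-memory disk image is scanned for leftover data after a simulated delete and after a full overwrite. The image layout, the record, the SSN-shaped pattern and all function names are assumptions made for illustration.

```python
import io
import re

BLOCK = 4096
# Illustrative PHI marker: text shaped like a U.S. Social Security number.
PHI_PATTERN = re.compile(rb"\d{3}-\d{2}-\d{4}")

def scan_image(stream, block_size=BLOCK):
    """Scan a raw image; return (indexes of non-zero blocks, PHI match offsets)."""
    residual, hits, tail, index = [], [], b"", 0
    while True:
        block = stream.read(block_size)
        if not block:
            break
        if block.count(0) != len(block):
            residual.append(index)
        # Prepend 10 bytes of the previous block so an 11-byte match that
        # straddles a block boundary is still found (and never counted twice).
        window = tail + block
        base = index * block_size - len(tail)
        hits.extend(base + m.start() for m in PHI_PATTERN.finditer(window))
        tail = window[-10:]
        index += 1
    return residual, hits

def build_image(blocks=8):
    """Constructed sample: a file-table entry in block 0, one record in block 3."""
    img = bytearray(blocks * BLOCK)
    entry = b"patients.csv@block3"
    img[0:len(entry)] = entry
    record = b"DOE,JANE;SSN=123-45-6789;DX=constructed"
    img[3 * BLOCK + 100:3 * BLOCK + 100 + len(record)] = record
    return img

def quick_delete(img):
    """Delete / quick format: only the file table is reset, data blocks remain."""
    img[0:BLOCK] = bytes(BLOCK)
    return img

def clear_overwrite(img):
    """Clear: every addressable block is overwritten with non-sensitive data."""
    img[:] = bytes(len(img))
    return img

if __name__ == "__main__":
    deleted = quick_delete(build_image())
    print("after delete:", scan_image(io.BytesIO(deleted)))
    cleared = clear_overwrite(build_image())
    print("after clear: ", scan_image(io.BytesIO(cleared)))
```

`scan_image` accepts any binary stream, so the same check can be run over a raw image file opened with `open(path, "rb")`. On flash-based media an overwrite issued through the normal interface may not reach remapped blocks, which is one reason NIST SP 800-88 separates clearing from purging and destruction.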
How Long Should You Keep Devices With PHI?
According to the HIPAA Security Rule, you should keep PHI and any devices containing this data for at least six years, though different states may have rules in place that require you to keep them longer.
In addition, the HIPAA Privacy Rule states that organizations must "… apply appropriate administrative, technical, and physical safeguards to protect the privacy of medical records and other protected health information (PHI) for whatever period such information is maintained by a covered entity, including through disposal."
Penalties and Risks for Improper Disposal
Even if your organization is doing all that it can to best ensure HIPAA IT compliance, if devices are not disposed of correctly, your organization can face potential penalties. Those penalties and associated risks and expenses are likely to get much worse if a data breach occurs. They can include the following:
1. Patients will need to be notified of the breach and, depending on the information that may have been accessed, your practice may need to pay for credit monitoring, identity theft protection, legal counsel, and more.
2. Investigations may be conducted, which can bring significant financial penalties.
3. Patients whose data was exposed may file a lawsuit, which can result in paying a settlement along with legal fees.
4. HIPAA fines and penalties are another concern for healthcare providers if they haven't implemented the appropriate safeguards for devices that may contain PHI. An organization may be fined thousands to millions of dollars depending on the severity of a breach.
Protect Your Organization With a HIPAA IT Compliance Expert
While HIPAA rules and requirements, including those concerning the disposal of devices that store PHI, can be difficult to navigate, healthcare providers must work to ensure HIPAA IT compliance to protect themselves and their patients.
Undergoing a HIPAA risk assessment is a good place to start. Healthcare organizations are increasingly partnering with healthcare IT specialists to ensure a thorough review of their operations to identify vulnerabilities and areas in need of improvement. To learn more about how a healthcare IT professional like Medicus IT can support your practice in achieving and maintaining HIPAA IT compliance, request a free assessment today.