Healthcare providers must adhere to HIPAA regulations to protect patients’ healthcare information. Even if you plan on disposing of electronic devices yourself, you must understand HIPAA rules or risk being penalized and fined.
Gilmore Services has years of experience with HIPAA-compliant data storage and destruction. Our clients often ask us what we can do to help them with the disposal of their electronic devices. Here’s what you need to know about the HIPAA rules for disposing of electronic devices.
Obligations Regarding the Protection of Personal Health Information
HIPAA rules put strict guidelines in place for the handling and protection of patients’ protected health information (PHI), whether it’s on paper or stored electronically. The rules say that health providers must:
- Put administrative, technical, and physical safeguards in place to protect ePHI and prevent it from being accessed or used by unauthorized people.
- Implement policies and procedures to properly dispose of electronic PHI and the hardware and/or electronic media on which it’s stored.
- Remove ePHI from electronic media before the media are disposed of or made available for re-use.
- Train workforce members on their written disposal procedures to a level that’s appropriate for their job responsibilities. (This includes employees who dispose of PHI and anybody who supervises them, as well as volunteers.)
Your first duty when disposing of electronic devices is to understand what your responsibilities are and to ensure that any employees who will be involved receive proper training.
Which Electronic Devices Fall Under HIPAA Regulations?
The next thing you must do is to understand which electronic devices fall under HIPAA’s guidelines. The short answer is that any electronic device that is used to collect or store patient healthcare information is covered by HIPAA. That includes:
- Desktop computers
- Mobile phones
- Portable hard drives
- Zip drives
- Electronic storage devices, including CDs, DVDs, and backup tapes
- Fax machines
- Diagnostic equipment
It’s common for organizations to overlook fax machines, copiers, and printers because nobody is actively saving information on these devices. However, they do retain data internally (scanned pages, print jobs, received faxes) and could – at least in theory – be compromised. They must be disposed of properly.
Therefore, it’s your responsibility to take inventory of any devices that store ePHI, together with a risk analysis to determine the best way to dispose of the equipment and protect the ePHI.
Develop a Disposal Plan
Finally, any organization that stores ePHI must develop a full data disposal plan that meets the requirements of 45 C.F.R. §164.310(d)(2)(i)-(ii). It says that entities must:
Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored.
In practice this means that paper, film, or other hard-copy media must be shredded or destroyed so that PHI cannot be read or reconstructed. The rule states that redaction is not acceptable as a means of data destruction.
It also says that electronic devices must be “cleared, purged, or destroyed consistent with NIST Special Publication 800-88 Revision 1, Guidelines for Media Sanitization.” Reusable media must be securely erased, and any asset tags or corporate identifying marks must be removed.
It is acceptable for providers to contract with third-party contractors to dispose of electronic devices, provided that a business associate agreement is in place. Gilmore Services is NAID-certified and compliant with NIST SP 800-88 requirements for disposing of electronic devices.
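The requirements above translate naturally into an audit of the organization’s own disposal log. The following is an added example, not code from Gilmore Services or from the HIPAA rule text; the record fields (asset ID, media type, method used, reuse flag, BAA on file, training flag) are assumptions about what such a log would contain, and the sample records are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List

# Sanitization outcomes named by 45 C.F.R. 164.310(d)(2) guidance via NIST SP 800-88 Rev.1.
SANITIZATION_METHODS = {"clear", "purge", "destroy"}
# Hard-copy media must be shredded or destroyed; redaction is explicitly not acceptable.
HARDCOPY = {"paper", "film"}
HARDCOPY_METHODS = {"shred", "destroy"}

@dataclass
class DisposalRecord:               # assumed shape of one disposal-log entry
    asset_id: str
    media: str                      # e.g. "hdd", "dvd", "fax", "paper"
    stores_phi: bool
    method: str                     # what was actually done to the media
    reused: bool = False            # media returned to service rather than retired
    asset_tag_removed: bool = False
    third_party: bool = False       # handled by an outside disposal vendor
    baa_on_file: bool = False       # business associate agreement with that vendor
    handler_trained: bool = False   # handler trained on the written disposal procedure

def audit(rec: DisposalRecord) -> List[str]:
    """Return findings for one record; an empty list means no issue was detected."""
    findings: List[str] = []
    if not rec.stores_phi:
        return findings             # device never held PHI: out of scope
    method = rec.method.lower()
    if rec.media in HARDCOPY:
        if method == "redact":
            findings.append("redaction is not an acceptable destruction method")
        elif method not in HARDCOPY_METHODS:
            findings.append("hard-copy PHI must be shredded or destroyed")
    else:
        if method not in SANITIZATION_METHODS:
            findings.append("electronic media must be cleared, purged, or destroyed (NIST SP 800-88r1)")
        if rec.reused and method == "destroy":
            findings.append("destroyed media cannot be returned to service")
        if rec.reused and not rec.asset_tag_removed:
            findings.append("asset tags and identifying marks must be removed before reuse")
    if rec.third_party and not rec.baa_on_file:
        findings.append("third-party disposal requires a business associate agreement")
    if not rec.handler_trained:
        findings.append("workforce members disposing of PHI must be trained on the procedure")
    return findings

def audit_log(records: List[DisposalRecord]) -> Dict[str, List[str]]:
    """Map each asset ID to its findings, omitting records with none."""
    return {r.asset_id: f for r in records if (f := audit(r))}
```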
Properly disposing of electronic devices is your obligation under HIPAA regulations. The information we’ve included here covers what you need to know to ensure that you fulfill your duties and protect the sensitive health information of your patients.
Need assistance disposing of electronic devices in accordance with HIPAA? Click here to learn how Gilmore Services can help!