In the past few years, there have been a number of high-profile incidents involving the disposal of protected health information (PHI) in public dumpsters. These incidents have led to considerable negative publicity and large fines for the offending providers. They are strong reminders to physicians and other healthcare providers that the HIPAA Privacy and Security Rules’ requirement of reasonable safeguards to protect PHI extends all the way through the disposal process. Though the Privacy and Security Rules do not mandate a particular method of disposal, the method chosen must be reasonably tailored to prevent access to the PHI after disposal. What counts as reasonable varies with the type and sensitivity of the material: information that can be used by identity thieves (credit card numbers, social security numbers, and the like) is of particular concern.
The Department of Health & Human Services’ Office for Civil Rights recommends certain methods for the disposal of “physical” (as opposed to electronic) PHI. Paper records should be shredded, burned, pulped, or pulverized so that they cannot be read or reconstructed. Labeled prescription bottles and similar items should be kept in opaque bags in a secure area and collected by a disposal vendor that has signed a business associate agreement. PHI should be placed in a public dumpster only after it has been rendered unreadable, indecipherable, and incapable of reconstruction. The adopted process should be documented in the provider’s HIPAA policies, and workforce members should be trained on it.
If procedures are in place to ensure that these, or other appropriate, methods are followed for paper records, the likelihood of being the next healthcare provider in the headlines for a HIPAA violation is greatly reduced.
With the recent surge of healthcare patient portals, proper disposal of electronic health records is equally important. Despite regulatory advances mandating the creation of and access to electronic health records, the Department of Health and Human Services (DHHS) does not prescribe specific techniques for disposing of electronic PHI. Instead, its guidance points to the media sanitization standards of the National Institute of Standards and Technology (NIST), a technology-focused agency within the U.S. Department of Commerce.
In December 2014, NIST released Special Publication 800-88 Revision 1, “Guidelines for Media Sanitization,” which defines three levels of sanitization for electronic media: 1) Clear: applying logical techniques to the device, typically overwriting the storage with non-sensitive data such as zeros, which defeats recovery with ordinary software tools but not laboratory recovery; 2) Purge: techniques that also defeat laboratory recovery, such as degaussing magnetic media with a strong magnetic field, issuing the drive’s built-in secure-erase or sanitize command, or cryptographic erase (destroying the key under which the data was encrypted); or 3) Destroy: physically destroying the media by shredding, disintegrating, pulverizing, or incinerating it. The publication also pairs each media type with the methods that actually work on it; degaussing, for example, does nothing to flash memory.
The NIST Guidelines are not exclusive, especially as use of physical media devices has waned in favor of cloud services since 2014. Any method that reasonably renders the data irrecoverable, given the media it sits on and the sensitivity of the PHI, is likely acceptable to DHHS.
Identifying reasonable disposal methods depends on how electronic health records are stored. Listed below are two common scenarios of electronic health record storage with the recommended disposal methods:
- Third-Party Hosted Application or Cloud Platform: Here, control over disposal rests with the third-party provider, such as Google or Amazon, not with the Covered Entity or Business Associate. The business associate agreement with that provider should already require return or destruction of PHI when the engagement ends; when the time comes, the Covered Entity or Business Associate should contact the provider, either through its privacy officer (often identified in the Privacy Statement) or the customer relationship manager, and request in writing the removal of all electronic patient records, sometimes called a “purge.” The request should name the backups, replicas, and exported reports that hold copies of the data, not just the live application. More importantly, the Covered Entity or Business Associate should request a “Certificate of Data Destruction.” These certificates confirm that the provider destroyed the data, and the request should ask the provider to state whether any backup copies remain and when they expire. Certificates usually require the requesting party and the data holder to complete forms together that identify the data for deletion and verify the requester’s authority to ask for it. Depending on the type of service, the provider may decline the request and insist that the patient, as the account holder, make the request for deletion. In such cases, the patient should be notified in writing that only they can request deletion of those records, with instructions for contacting the provider.
- End User Devices (computers, tablets, phones) and Servers: Moving electronic health records to the “Trash” icon and then emptying the trash does not make the data irrecoverable. Deletion only removes the file system’s entry for the file; the blocks that hold the record stay on the media until they happen to be reused, and file-carving tools recover them routinely. Reimaging the device does not sanitize it either. A reimage writes a fresh operating system over the blocks the new image occupies and rebuilds the file system, but every block outside the new image, including the free space where deleted records sit, keeps its old contents. Reimaging is the right step for returning a device to service after it has been sanitized, not a substitute for sanitizing it; a skilled IT provider can reload a pre-crafted “image” with the desired settings, privileges, and applications to hasten that recovery. What sanitizes the device depends on the media. For magnetic hard drives: a full overwrite with software (Clear), the drive’s own ATA Secure Erase command, or degaussing (Purge). For solid-state drives and flash: overwriting is unreliable because the drive’s wear leveling keeps copies of blocks that software cannot reach, so use the drive’s built-in sanitize or secure-erase command or cryptographic erase (Purge), or destroy the drive. For phones and tablets that were encrypted before any PHI was stored on them: a factory reset that discards the encryption key is a cryptographic erase and is acceptable. Whatever the method, verify it by reading the media back, in full or by sampling, before the device leaves the organization’s control. If future use of the device is not desired, physical destruction in an industrial shredder or disintegrator renders the stored data irrecoverable. Degaussing, which uses a strong magnetic field rather than mechanical force, is effective on magnetic drives when the degausser is rated for the drive’s coercivity (and leaves the drive unusable afterwards), but it has no effect on solid-state media.
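As an added illustration (not part of the original article, and not code from HHS or NIST), the following Python model of a tiny block device shows the three outcomes described above: a deleted file survives on the media, a reimage overwrites only the blocks the new image occupies, and an SP 800-88 Clear overwrite with read-back verification is what actually removes it. The ToyDisk class, the sample patient record, and its SSN are all constructed for the demonstration.

```python
import re

# Constructed sample: a regex for the U.S. SSN format, used to "carve" the raw
# media the way a forensic tool would once the file system entry is gone.
SSN_PATTERN = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")


class ToyDisk:
    """Hypothetical model of a block device: a byte array plus a directory
    mapping file names to (offset, length).  It exists only to make the
    delete / reimage / clear distinction concrete."""

    def __init__(self, size=4096):
        self.media = bytearray(size)
        self.directory = {}
        self.next_free = 0

    def write_file(self, name, data):
        off = self.next_free
        self.media[off:off + len(data)] = data
        self.directory[name] = (off, len(data))
        self.next_free = off + len(data)

    def delete_file(self, name):
        # Like "empty trash": only the directory entry goes; the bytes stay.
        del self.directory[name]

    def carve(self, pattern):
        # Scan the raw media, ignoring the directory entirely.
        return [m.group() for m in pattern.finditer(bytes(self.media))]

    def reimage(self, image):
        # A fresh OS image is written from block 0 and the directory is
        # rebuilt.  Nothing beyond len(image) is touched.
        self.media[:len(image)] = image
        self.directory = {"os-image": (0, len(image))}
        self.next_free = len(image)

    def clear(self, fill=0x00):
        # NIST SP 800-88 Clear: overwrite every addressable location with a
        # fixed value, then verify by reading the whole device back.
        self.media[:] = bytes([fill]) * len(self.media)
        self.directory.clear()
        self.next_free = 0
        return self.verify(fill)

    def verify(self, fill):
        return all(b == fill for b in self.media)


def demo():
    """Run the three scenarios and report what a carving tool would still find."""
    disk = ToyDisk()
    disk.write_file("old-os", b"OLD-OS " * 32)   # 224 bytes at offset 0
    # Constructed PHI record; the SSN is a made-up example value.
    disk.write_file("chart.txt",
                    b"Patient: Jane Doe\nSSN: 123-45-6789\nDx: hypertension\n")

    disk.delete_file("chart.txt")
    found_after_delete = disk.carve(SSN_PATTERN)

    # The new image is smaller than the old one, so the record's blocks, which
    # the file system now regards as free space, are never written.
    disk.reimage(b"NEW-OS " * 16)                # 112 bytes at offset 0
    found_after_reimage = disk.carve(SSN_PATTERN)

    verified = disk.clear()
    found_after_clear = disk.carve(SSN_PATTERN)

    return {
        "after_delete": found_after_delete,
        "after_reimage": found_after_reimage,
        "clear_verified": verified,
        "after_clear": found_after_clear,
    }


if __name__ == "__main__":
    for step, result in demo().items():
        print(f"{step}: {result}")
```

Running it prints the SSN after both the delete and the reimage and an empty list only after the verified Clear. On a real solid-state drive even the overwrite step is not enough, for the wear-leveling reason given above; there the equivalent of `clear()` is the drive’s own sanitize command or a cryptographic erase, and `verify()` is a read-back of the user-addressable area.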
Any Covered Entity or Business Associate disposing of electronic health records should document its efforts to show due diligence in effecting safe and permanent disposal: for each device or data set, record the media identifier (make, model, serial number), the sanitization method used, the date, the person who performed and verified it, and any vendor certificate received.