By Gil Vidals, , HIPAA Blog, Resources

The HIPAA privacy and security rules require certain steps to be taken regarding the destruction or removal of protected health information (PHI). These portions of the act mandate “reasonable safeguards to limit incidental, and avoid prohibited, uses and disclosures of PHI.”

What this means is that if HIPAA data is left in a trash can or on an old hard drive that is replaced and discarded, HIPAA is violated. Disposal and destruction of media is an integral part of handling PHI and is comparable in importance to transmitting or receiving the data in the first place. Proper disposal is the final step in the PHI life cycle that must be completed in order to adhere to HIPAA standards.

In addition to specific generalities about the handling of data that is no longer relevant, HIPAA also requires that covered entities provide their workforce with training and education about proper data destruction procedures.

HIPAA requires specifically that, “any workforce member involved in disposing of PHI, or who supervises others who dispose of PHI, must receive training on disposal.” This provision is meant to ensure that those who handle the PHI from day-to-day are familiar with the process for handling it throughout its lifecycle (the provision specifically includes volunteers).

So how does one destroy PHI?

HHS.gov recommends shredding, burning, pulping, or pulverizing paper records. The important part is that the data on the documents is absolutely unreadable, but HIPAA does not recommend one particular disposal method.

For digital media, secure overwriting or degaussing is recommended. Overwriting is recommended to be performed with a utility such as DBAN (Darik’s Boot and Nuke), a well-tested tool that can overwrite drives with a number of distinct “passes,” ensuring that the data is in no way present on the drive once it is finished.

DBAN is used by such government agencies as the Department of Defense. Degaussing essentially means to expose the drive or other media to a sufficiently strong magnet to disrupt the magnetic storage field on the media. This act generally renders the drive unusable along with unrecoverable. Traditional methods such as incinerating or smashing are also mentioned as appropriate by HIPAA.

For a company that deals with protected information, the basics of data disposal are fairly simple. First, PHI can’t be simply left in a dumpster. This mistake is a common one and has lead to many HIPAA violations.

Second, re-use of the media is allowed as long as it has been overwritten first (or the PHI on the drive has been sufficiently obfuscated through some other method). Third, if one is unsure about the proper data disposal practices, it is allowed to hire a company that specializes in data destruction to handle it on one’s behalf.

Avatar photo

Gil Vidals is the president and CTO of HIPAA Vault. He is a passionate, subject matter expert on HIPAA compliance and the healthcare cloud, and co-host of the HIPAA Vault podcast. Since 1997, Gil’s mission has been to provide uncompromising and affordable HIPAA compliant hosting solutions to commercial and government clients, helping protect their sensitive health information from data breaches and security vulnerabilities. HIPAA Vault has been recognized as an Inc. 5000 company and a Clutch Top B2B company. He can be reached here on Linkedin.

HIPAA Hosting Price Comparisons
April 27, 2015
New CMIA Law Strengthens CA Medical Privacy
July 20, 2015