The HIPAA privacy and security rules require certain steps to be taken regarding the destruction or removal of protected health information (PHI). These portions of the act mandate “reasonable safeguards to limit incidental, and avoid prohibited, uses and disclosures of PHI.”
What this means is that if HIPAA data is left in a trash can or on an old hard drive that is replaced and discarded, HIPAA is violated. Disposal and destruction of media is an integral part of handling PHI and is comparable in importance to transmitting or receiving the data in the first place. Proper disposal is the final step in the PHI life cycle that must be completed in order to adhere to HIPAA standards.
In addition to these general requirements for handling data that is no longer needed, HIPAA also requires that covered entities provide their workforce with training and education about proper data destruction procedures.
HIPAA requires specifically that, “any workforce member involved in disposing of PHI, or who supervises others who dispose of PHI, must receive training on disposal.” This provision is meant to ensure that those who handle PHI from day to day are familiar with the process for handling it throughout its life cycle (the provision specifically includes volunteers).
So how does one destroy PHI?
HHS.gov recommends shredding, burning, pulping, or pulverizing paper records. The important part is that the data on the documents is absolutely unreadable, but HIPAA does not recommend one particular disposal method.
For digital media, secure overwriting or degaussing is recommended. Overwriting should be performed with a utility such as DBAN (Darik’s Boot and Nuke), a well-tested tool that overwrites a drive in a number of distinct “passes,” so that none of the original data remains on the drive once it is finished.
DBAN is used by government agencies such as the Department of Defense. Degaussing means exposing the drive or other media to a magnet strong enough to disrupt the magnetic field that stores the data. Degaussing generally renders the drive unusable as well as unrecoverable. Traditional methods such as incinerating or smashing are also mentioned as appropriate by HIPAA.
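To make the overwriting step concrete, here is an added example (not code from the article, and not part of the DBAN project) that applies the same multi-pass idea to a single file: several passes of random bytes, a final pass of zeros, an fsync after each pass, a read-back check that every byte is now zero, and only then an unlink. The PHI-looking record it writes is a constructed sample; the function names and the three-pass default are this example's own choices, not anything the article or HHS specifies.

```python
"""Multi-pass overwrite of a single file, in the spirit of the drive-level
wiping the article attributes to DBAN. Example code added by the editor; it is
not part of the article or of the DBAN project. It operates on files, not on
whole drives, which is a much weaker guarantee (see the usage note)."""
import os
import secrets
import tempfile

CHUNK = 64 * 1024  # write in 64 KiB chunks so large files need little memory


def wipe_file(path, passes=3):
    """Overwrite every byte of `path` in place `passes` times.

    Passes 1..n-1 write cryptographically random bytes; the final pass writes
    zeros so the result can be checked by verify_zeroed(). Each pass is flushed
    and fsync'd so the data reaches the device instead of sitting in a cache.
    Returns the number of bytes overwritten per pass."""
    if passes < 1:
        raise ValueError("at least one pass is required")
    size = os.path.getsize(path)
    with open(path, "r+b", buffering=0) as f:  # unbuffered: writes go straight down
        for n in range(passes):
            last = n == passes - 1
            f.seek(0)
            remaining = size
            while remaining > 0:
                n_bytes = min(CHUNK, remaining)
                data = b"\x00" * n_bytes if last else secrets.token_bytes(n_bytes)
                written = f.write(data)  # honour short writes; position has advanced
                remaining -= written
            f.flush()
            os.fsync(f.fileno())
    return size


def verify_zeroed(path):
    """Return True if every byte of `path` reads back as zero."""
    with open(path, "rb") as f:
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                return True
            if chunk.count(0) != len(chunk):
                return False


def dispose_file(path, passes=3):
    """Wipe, verify, then unlink. The file is left in place if verification
    fails, so a failed wipe is visible rather than hidden by the unlink."""
    size = wipe_file(path, passes)
    ok = verify_zeroed(path)
    if ok:
        os.remove(path)
    return {"bytes": size, "passes": passes, "verified": ok, "removed": ok}


def make_sample_file(contents):
    """Create a temporary file holding `contents` and return its path."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "wb") as f:
        f.write(contents)
    return path


def demo():
    """Write a constructed (fake) PHI record to a temp file and dispose of it."""
    record = b"patient=Jane Doe;mrn=000000;dx=example (constructed sample)\n" * 2000
    path = make_sample_file(record)
    result = dispose_file(path, passes=3)
    result["still_exists"] = os.path.exists(path)
    result["size_matched"] = result["bytes"] == len(record)
    return result


if __name__ == "__main__":
    print(demo())
```

Run it directly to see the result dictionary for the sample file. The verification step is the part worth copying into any disposal procedure: a wipe that is not read back is only assumed to have worked. Note also what a file-level overwrite does not reach: remapped bad sectors, wear-levelled flash blocks on an SSD, filesystem journals, snapshots and backups. That is why, for retiring whole media, a drive-level tool such as the DBAN the article names, the drive's own secure-erase command, or physical destruction is the appropriate step, and why degaussing is a technique for magnetic media only.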
For a company that deals with protected information, the basics of data disposal are fairly simple. First, PHI can’t simply be left in a dumpster. This mistake is a common one and has led to many HIPAA violations.
Second, re-use of the media is allowed as long as it has been overwritten first (or the PHI on the drive has been sufficiently obfuscated through some other method). Third, if one is unsure about the proper data disposal practices, one may hire a company that specializes in data destruction to handle it on one’s behalf.