In its July Cybersecurity Newsletter, the Department of Health and Human Services’ Office for Civil Rights has alerted HIPAA covered entities to be conscious of HIPAA Rules for disposing of electronic devices and media.
Before electronic equipment being scrapped, decommissioned, sent back to a leasing company or resold, all electronic protected health information (ePHI) on the devices must be disposed of in a safe manner.
HIPAA Rules for destroying of electronic devices cover all electronic devices capable of storing PHI, including desktop computers, laptops, servers, tablets, mobile cellphones, portable hard drives, zip drives, and other electronic storage devices including CDs, DVDs, and backup tapes.
Healthcare groups also need to be careful when disposing of other electronic equipment such as fax machines, photocopiers, and printers, many of which hold data on internal hard drives. These devices in particular carry a high possibility of a data breach at the end of life as they are not generally thought of as devices capable of storing ePHI.
If electronic devices are not destroyed securely and a data breach occurs, the costs to a healthcare group can be massive. Patients must be alerted, it may be appropriate to pay for credit monitoring and identity theft protection services, and third-party breach response consultants, forensic investigators, and public relations consultants may need to be brought in. OCR and/or state attorneys generals may conduct investigations and substantial fines may be sanctioned. Breach victims may also file lawsuits over the exposure of their financial data.
The costs all accumulate. The 2018 Cost of a Data Breach Study carried out by the Ponemon Institute/IBM Security highlighted the high expense of data breaches, in particular healthcare data breaches. The average cost of a breach of up to 100,000 records was calculated to be $3.86 million. Healthcare data breaches cost an average of $408 per exposed record to address, while the cost of data breaches of one million or more records was calculated to be between $40 million and $350 million.
It is not possible to make sure that all ePHI is disposed of securely if a group does not know all systems and devices where PHI is held. A full inventory of all equipment that stores ePHI must be created and maintained. When new equipment is bought the list must be updated.
A complete risk analysis should be conducted to determine the most appropriate ways to safeguard data stored on electronic devices and media when they reach the end of their lifespan.
Groups must establish a data disposal plan that meets the requirements of 45 C.F.R. §164.310(d)(2)(i)-(ii). Paper, film, or other hard copy media should be shredded or destroyed such that the PHI cannot be deciphered or otherwise cannot be reconstructed. OCR notes that “Redaction is specifically excluded as a means of data destruction.”
Electronic devices must be “cleared, purged, or destroyed consistent with NIST Special Publication 800-88 Revision 1, Guidelines for Media Sanitization,” to ensure that ePHI cannot be retrieved. If reusable media are in use, it is important to ensure that all data on the devices are securely erased prior to the devices being reused. Before electronic devices are scrapped or disposed of, asset tags and corporate identifying marks should be removed.
External contractors can be used to destroy electronic devices, although they would be considered business associates and a business associate agreement would need to be in existence. All individuals required to manage the devices must be aware of their responsibilities with respect to ePHI and its safe handling and should be subjected to workforce clearance procedures.
Groups should also consider the chain of custody of electronic equipment prior to destruction. Physical security measures should be put in place to ensure the devices cannot be stolen or accessed by unauthorized peoples and security controls should cover the transport of those devices until all data has been destroyed and is no longer thought of as PHI.