Guidance on disposing electronic devices from OCR
The Office for Civil Rights’ (OCR) July Cybersecurity Newsletter, released last week, gave advice on disposing electronic devices and media to protect sensitive information like financial records and electronic personal health information (ePHI).
The newsletter serves as a reminder that securing patients’ ePHI does not only apply to electronic devices currently in use. As devices like computers, tablets, copiers, servers, and smartphones get replaced with newer technology at healthcare facilities, data and ePHI on the old devices are still vulnerable to theft.
The HIPAA Security Rule requires covered entities and business associates implement policies and procedures for the disposal of hardware and electronic media containing ePHI. See 45 CFR §§164.310(d)(2)(i)–(ii).
To mitigate risk, OCR recommends that organizations ask the following questions as they plan and update disposal policies and procedures:
- What data is maintained by the organization and where is it stored?
- Is the organization’s data disposal plan up to date?
- Are all asset tags and corporate identifying marks removed?
- Have all asset recovery-controlled equipment and devices been identified and isolated?
- Is data destruction of the organization’s assets handled by a certified provider?
- Have the individuals handling the organization’s assets been subjected to workforce clearance processes and undergone appropriate training?
- Is onsite hard drive destruction required?
- What is the chain of custody?
- How is equipment staged/stored prior to transfer to external sources for disposal or destruction?
- What are the logistics and security controls in moving the equipment?
When a device is replaced, it must first be taken out of service, or decommissioned, before being disposed. In the decommissioning process, the data on the device is migrated to the new or replacement device and then destroyed on the old one. Only after data is totally destroyed, meaning it cannot be accessed, re-created, or reused, should the hardware be disposed or recycled.
OCR provides guidance for destroying all media that contains personal health information. Just as paper and other hard copy media must be properly shredded and destroyed, electronic media must be cleared, purged, or destroyed consistent with National Institute of Standards and Technology’s Special Publication 800-88 Revision 1, Guidelines for Media Sanitization.