Q&A: Recycling electronic devices, medical scribes, and HR disclosing PHI

May 24, 2018

Q: Does HIPAA prohibit us from recycling electronic devices such as laptops and cell phones that were used to store or access PHI?

A: HIPAA does not prohibit recycling electronics if the PHI that was stored on the device is completely destroyed. There are several techniques that can be used to destroy the data, such as degaussing (running a large magnet over the hard drive or flash drive), physically destroying the media, and reformatting the hard or flash drive several times. Some vendors can provide this service for you, or you can do it yourself. If you don’t destroy the data and a breach occurs, you may find yourself responsible for a reportable breach of PHI.

There are vendors who specialize in securely recycling electronics that were used to store PHI and other sensitive data. If you contract with a vendor to destroy data and recycle electronic equipment, make sure you require the vendor to provide you with a certificate of destruction. If the vendor will have access to the drives and the data stored on the drives, that vendor will likely be a business associate (BA) and you will need to execute a BA agreement (BAA).

Editor’s note: Apgar is president of Apgar & Associates, LLC, in Portland, Oregon. He is also a BOH editorial advisory board member. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are those of the author and do not represent HCPro or ACDIS. Email your HIPAA questions to Editor Nicole Votta at nvotta@hcpro.com.