(2) Implementation specifications:
(i) Disposal (Required). Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored.
Tell Me More:
The Disposal implementation specification requires covered entities and business associates to implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which the health information is stored. The Device and Media Controls standard must be met, but it addresses only media and devices that contain electronic PHI, and implementing every specification of the standard may not be necessary in every situation. For example, small providers are unlikely to be involved in the large-scale moves of equipment that would require systematic tracking, unlike large health care providers or health plans.
Each covered entity must ensure that electronic media are disposed of appropriately. Organizations should catalog all of the locations in which ePHI is retained. This includes all devices – workstations, laptops, PDAs, cell phones, medical devices, etc. – and all media – diskettes, CDs, DVDs, etc. All of the ePHI on all of these devices and media must be destroyed when they are no longer needed.
Industry best practices for disposal include:
- Degaussing magnetic devices to erase information;
- Overwriting data with random bits and bytes for multiple iterations (based on data sensitivity); and
- Destroying the most sensitive components through melting, chemical treatment, or grinding.
Questions to consider:
- Have you identified the locations of all ePHI maintained by the covered entity, including temporary locations, e.g., a server through which ePHI passes? You should inventory the locations of ePHI.
- Do you have methods for destroying the ePHI in each of these locations? You may need a different approach or methodology for each type of media and each type of device. Keep in mind that simple solutions may work just fine, e.g., scratching a diskette with a nail and snapping it in half. Also keep in mind that simply deleting a file does not destroy the information.
- Have you verified that your methodology works and that the ePHI is not recoverable? Double check that the ePHI is actually destroyed.
- If commercial software is being used to degauss (erase) ePHI, has the software been "certified" by a recognized authority in the destruction of electronic data?
- If workforce members are allowed to process ePHI on personally owned computers, have they been trained on how to properly dispose of ePHI? This may be a particular problem for some covered entities.
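As an added illustration of the overwrite-and-verify approach described above (example code written for this page, not part of the original guidance), the following Python sanitizes a constructed in-memory disk image and then reads every sector back to confirm nothing recoverable remains; the marker record, sector size and image layout are assumptions.

```python
import os

SECTOR = 512  # assumed sector size for the constructed image

# Constructed sample record (not real PHI) planted in the image as a marker.
SAMPLE_RECORD = b"PATIENT: Jane Doe; MRN 0000001; DX: sample"
RECORD_SECTOR = 10


def build_sample_image(sectors: int = 64) -> bytearray:
    """Build a toy disk image: random filler plus one sector holding the marker."""
    img = bytearray(os.urandom(sectors * SECTOR))
    start = RECORD_SECTOR * SECTOR
    img[start:start + len(SAMPLE_RECORD)] = SAMPLE_RECORD
    return img


def delete_only(img: bytearray) -> None:
    """Mimic an ordinary file delete: clear only the (assumed) directory sector 0
    and leave the data sectors untouched, so the record is still recoverable."""
    img[0:SECTOR] = bytes(SECTOR)


def overwrite_media(img: bytearray, passes: int = 3) -> None:
    """Overwrite every sector: passes-1 random passes, then a final all-zero pass
    so the result can be verified by a simple read-back."""
    for _ in range(max(passes - 1, 0)):
        img[:] = os.urandom(len(img))
    img[:] = bytes(len(img))


def marker_present(img: bytearray, markers=(SAMPLE_RECORD,)) -> bool:
    """Search the whole image so a marker spanning two sectors is still found."""
    data = bytes(img)
    return any(m in data for m in markers)


def verify_sanitized(img: bytearray, markers=(SAMPLE_RECORD,)):
    """Read every sector back; return (ok, list of sectors that are not all zero)."""
    dirty = [i // SECTOR for i in range(0, len(img), SECTOR) if any(img[i:i + SECTOR])]
    return (not dirty and not marker_present(img, markers), dirty)


if __name__ == "__main__":
    image = build_sample_image()
    delete_only(image)
    print("marker still recoverable after delete:", marker_present(image))  # True
    overwrite_media(image)
    ok, dirty = verify_sanitized(image)
    print("sanitized:", ok, "non-zero sectors:", len(dirty))  # True 0
```

On real media the read-back must come from the device itself after the writes are flushed, and for flash-based drives wear levelling means host-level overwrites cannot be trusted; NIST SP 800-88 points to cryptographic erase or the manufacturer's secure-erase command for those.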
- NIST SP 800-88 Guidelines for Media Sanitization
- NIST SP 800-12 chapter 14 An Introduction to Computer Security: The NIST Handbook
- NIST SP 800-14 Generally Accepted Principles and Practices for Securing Information Technology Systems
- NIST SP 800-34 Contingency Planning Guide for Information Technology Systems
- NIST SP 800-53, Revision 3 Recommended Security Controls for Federal Information Systems and Organizations