Data Disposal – a Key to HIPAA Security

Healthcare providers, health plans, health care clearinghouses, and their business associates have an obligation under the Health Insurance Portability and Accountability Act (HIPAA) to protect patient health information protected under the law. Regulations issued by the Department of Health and Human Services (HHS) under HIPAA require HIPAA covered entities and their business associates to implement policies and procedures to address the disposal of electronic protected health information (PHI) and the hardware or electronic media on which it is stored. As a result, secure data disposal is a key process for HIPAA covered entities and their business associates.

The covered entity or business associate must have policies and procedures to ensure PHI cannot be inadvertently disclosed during or after disposal or reuse of its storage media. Next to the theft of lost and stolen laptops and media, the second most common subject of enforcement by the HHS Office for Civil Rights (OCR) has been improper disposal of PHI. For example, South Shore Hospital near Boston faced an attorney general enforcement action after the hospital retained a data management company to dispose of computer tapes containing PHI, but the tapes were lost in transit. The hospital failed to delete the PHI from the tapes before shipping them.[1] In another case, the OCR forced Affinity Health Plan to pay over $1.2M after it returned photocopiers to a leasing company without first removing electronic PHI from them.[2]

Some of the OCR enforcement activities concerned cases involving the improper disposal of paper PHI. The security of paper PHI falls under the Privacy Rule, rather than the Security Rule.[3] In one of the OCR cases, workers left boxes of paper medical records on a retiring physician’s driveway while he was away.[4] In one attorney general enforcement action, the Massachusetts attorney general sued former owners of a medical billing practice and four pathology groups after they improperly disposed of paper records with sensitive PHI in a public dump, which were found by a Boston Globe photographer. The former owners paid $140,000 to settle the claim.[5]

The principle of secure PHI disposal, however, applies both to electronic and paper media. Organizations usually shred PHI in paper form to dispose of it. To securely dispose of electronic PHI, the organization can:

  • Securely destroy the storage media. When erasure is impractical, as in the case of a CD-ROM, the covered entity or business associate must physically destroy the electronic
  • Securely erase the PHI from the storage media using appropriate software or demagnetizing (degaussing) equipment.
  • Some mobile devices have “wiping” functions that can securely delete data from them.
  • Encrypt all PHI on the device and then delete the encryption/decryption key (or its activation data)[6] to prevent any future decryption of the data.

Safeguards to prevent disclosure should account for reasonably anticipated techniques for recovering erased data, such as unerase utilities, block read utilities, and the like.

One particular threat is the reuse or disposal of a workstation or laptop that previously stored or processed PHI. Simple file deletion generally does not permanently erase the information, and many utilities can easily recover these files. The covered entity or business associate must use a secure data destruction methodology to cleanse any storage media before reusing or disposing of them. The organization should also train workers concerning the threat posed by discarded media and the practices and technical standards it utilizes to eliminate PHI from media before discarding it.

Stephen Wu wrote A Guide to HIPAA Security and the Law (Second Edition) published by the American Bar Association in August 2016. For more information on determining if your business falls under HIPAA, please contact Stephen Wu by completing the web form here.

[1] See The Attorney General’s Office, South Shore Hospital to Pay $750,000 to Settle Data Breach Allegations, http://www.mass.gov/ago/news-and-updates/press-releases/2012/2012-05-24-south-shore-hospital-data-breach-settlement.html (May 24, 2012).

[2] See HHS, HHS Settles with Health Plan in Photocopier Breach Case, https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/examples/health-plan-photocopier-breach-case/index.html (last reviewed Jun. 7, 2017).

[3] 45 C.F.R. § 164.530(c)(1).

[4] See HHS, $800,000 HIPAA Settlement in Medical Records Dumping Case, https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/examples/parkview-health-system/index.html (last reviewed Jun. 7, 2017).

[5] The Attorney General’s Office, Former Owners of Medical Billing Practice, Pathology Groups Agree to Pay $140,000 to Settle Claims that Patients’ Health Information was Disposed of at Georgetown Dump, http://www.mass.gov/ago/news-and-updates/press-releases/2013/140k-settlement-over-medical-info-disposed-of-at-dump.html (Jan. 7, 2013).

[6] “Activation data” refers to a password or code used to operate an encryption key.

Contact Information