DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.
The HIPAA Security Rule requires that covered entities and business associates implement physical safeguards to secure electronic protected health information (ePHI). To implement these safeguards, covered entities and business associates must implement device and media controls. The Device and Media Controls standard, applicable to covered entities and business associates, outlines when and how an organization may (1) reuse computers or other electronic media that store ePHI; and (2) dispose of computers or other electronic media that store ePHI.
The "Media Reuse" requirement of the Device and Media Controls standard states, "Media re-use (Required). Implement procedures for removal of electronic protected health information from electronic media before the media are made available for re-use."
The "Disposal" requirement of the Device and Media Controls standard states, "Disposal (Required). Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored."
Covered entities and business associates may reuse or dispose of computers or other electronic media that store ePHI, but only if the ePHI has been removed from the media before reuse or disposal, or if the media itself is destroyed before disposal.
Depending on the circumstances, appropriate methods for removing ePHI from electronic media prior to reuse or disposal may be:
1. Clearing (using software or hardware products to overwrite the media with non-sensitive data); or
2. Purging (degaussing, i.e., exposing the media to a strong magnetic field to disrupt the recorded magnetic domains). Degaussing a modern hard disk drive also destroys the servo information the drive needs to operate, so it is a disposal method, not a preparation for reuse.
If the circumstances warrant destruction of the electronic media prior to disposal, appropriate destruction methods include disintegrating, pulverizing, melting, incinerating, or shredding the media. Covered entities may contract with business associates to perform these services for them.
For more information on proper disposal of ePHI and reuse of electronic media, see the HHS HIPAA Security Series paper 3: Security Standards – Physical Safeguards. For practical guidance on sanitizing media that holds ePHI, including which method (clear, purge, or destroy) fits which media type, see NIST SP 800-88 Rev. 1, Guidelines for Media Sanitization.
Covered entities and business associates must determine what steps are reasonable to ensure ePHI is safeguarded through disposal. In determining what is reasonable, covered entities and business associates should assess potential risks to patient privacy, as well as consider such issues as the form, type, and amount of ePHI to be disposed. For instance, the disposal of certain types of ePHI such as name, Social Security number, driver's license number, debit or credit card number, diagnosis, treatment information, or other sensitive information may warrant more care due to the risk that inappropriate access to this information may result in identity theft, employment or other discrimination, or harm to an individual's reputation.
What Disposal Methods are NOT Permitted Under HIPAA?
According to HHS guidance, covered entities and business associates may not simply abandon PHI or ePHI, or dispose of protected health information in dumpsters or other containers that the public or unauthorized individuals can access. New England Dermatology, P.C. (NEDLC) discovered that there are adverse consequences to doing so. In 2021, a third-party security guard discovered an empty specimen container labeled with PHI in NEDLC's parking lot. NEDLC subsequently filed a breach notification report with OCR, stating that it had regularly discarded specimen containers with an attached label containing PHI as regular waste, bagged and placed in a parking lot dumpster, without any alteration to the PHI-containing label. This practice had gone on for ten years. OCR investigated the matter and determined that the PHI on the specimen labels included patient names, dates of birth, dates of sample collection, and the name of the provider who took the specimen. To settle the matter, NEDLC paid $300,000 to OCR and agreed to implement a corrective action plan.
Certain methods of disposal are ineffective by definition; these should be avoided as well. Consider degaussing. While degaussing is an effective data destruction method for hard disk drives (HDDs) and other magnetic media such as floppy disks and tape, it does nothing to a solid state drive (SSD). Degaussing works by applying a strong magnetic field, and SSDs store data in flash memory cells, which hold charge rather than a magnetic state, so the data survives intact. Software overwriting is also unreliable on SSDs: wear leveling and spare (over-provisioned) flash areas mean a write from the operating system may never reach every cell that held the old data. For SSDs, NIST SP 800-88 points instead to the drive's own sanitize or secure-erase command, or to cryptographic erase (destroying the key of a self-encrypting drive), followed by physical destruction where the risk warrants it. Whatever method is used, the organization should verify the result by reading the media back before it leaves its custody.
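The "clearing" method listed earlier (overwriting the media with non-sensitive data) and the verification step just mentioned can both be shown in a short script. The following is an added example, not code from the article, HHS, or NIST: it builds a constructed image file standing in for a magnetic disk, plants a constructed ePHI-like record in it, overwrites the whole image with a fixed pattern, and then performs the independent read-back check that confirms nothing survived. The image path, marker string, and function names are all assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the article, HHS, or NIST SP 800-88): "clearing" by
# software overwrite, followed by read-back verification.
# A constructed image file stands in for the device. On a real magnetic disk,
# IMAGE would be a device node such as /dev/sdX, run as root with the disk
# unmounted. The marker string is constructed sample data, not real PHI.
set -eu

WORKDIR="${TMPDIR:-/tmp}/media-clear-demo.$$"
IMAGE="$WORKDIR/disk.img"
MARKER="PATIENT=JANE DOE;SSN=000-00-0000"   # constructed ePHI-like record

# make_image: build a 64 KiB image of random bytes and plant the marker in it,
# the way a retired disk still holds records that were "deleted" but never
# overwritten.
make_image() {
    mkdir -p "$WORKDIR"
    dd if=/dev/urandom of="$IMAGE" bs=1024 count=64 2>/dev/null
    printf '%s' "$MARKER" | dd of="$IMAGE" bs=1 seek=20000 conv=notrunc 2>/dev/null
}

# contains_marker FILE: succeeds if the record can still be found by a plain
# string search, the easiest recovery route once the disk leaves your custody.
contains_marker() {
    grep -a -q -- "$MARKER" "$1"
}

# clear_media FILE: single-pass overwrite with a fixed pattern (zeros), the
# minimum NIST SP 800-88 describes for clearing a magnetic disk. The size is
# preserved so the check below covers exactly the bytes the medium held.
# sync flushes the writes so verification reads the medium, not the cache.
clear_media() {
    f="$1"
    size=$(wc -c < "$f")
    dd if=/dev/zero of="$f" bs=1024 count=$((size / 1024)) conv=notrunc 2>/dev/null
    dd if=/dev/zero of="$f" bs=1 seek=$((size - size % 1024)) \
        count=$((size % 1024)) conv=notrunc 2>/dev/null
    sync
}

# verify_cleared FILE: independent read-back check that every byte is zero.
# od -v keeps duplicate lines, so a surviving non-zero byte anywhere is caught.
verify_cleared() {
    ! od -An -v -tx1 "$1" | grep -q '[1-9a-f]'
}

cleanup() {
    rm -rf "$WORKDIR"
}

# demo: the record is recoverable before clearing, gone afterwards, and the
# read-back verification passes. Returns non-zero if either check fails.
demo() {
    make_image
    if contains_marker "$IMAGE"; then
        echo "before: record recoverable by string search"
    fi
    clear_media "$IMAGE"
    if contains_marker "$IMAGE"; then
        echo "after: record STILL PRESENT, clearing failed"
        return 1
    fi
    verify_cleared "$IMAGE" || { echo "after: non-zero bytes remain"; return 1; }
    echo "after: read-back verification passed, media cleared"
    cleanup
}

demo
```

The verification function is the part worth keeping: it reads the medium back independently of the tool that wrote it, which is the evidence an auditor asks for. The same overwrite-and-verify pattern does not transfer to SSDs, because the drive controller, not the operating system, decides which flash cells a write reaches; for those, issue the drive's own sanitize or secure-erase command (for example via hdparm on SATA or nvme-cli on NVMe, both outside this example) and still read the device back afterwards.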