In a July 2018 newsletter, the Office for Civil Rights (“OCR”) of the U.S. Department of Health and Human Services (“HHS”), the federal agency responsible for enforcement of the HIPAA privacy, security, and breach notification regulations (collectively, the “HIPAA Rules”), provided informal guidance to HIPAA “covered entities”, such as employer-sponsored group health plans (“Covered Plans”), regarding the disposal of electronic devices and media that house “protected health information” (“PHI”). Examples of such devices and media include desktop and laptop computers, tablets, copiers, servers, smart phones, hard drives, USB drives, and other electronic storage devices. Employer-sponsors of Covered Plans should take note of the following key points raised by the newsletter’s guidance:
- A covered entity’s performance of a “risk analysis” (a required step for compliance with the HIPAA Rules) plays a critical role in determining how best to protect PHI stored on electronic devices and media that have reached the end of their useful life.
- When developing policies and procedures for the final disposition of hardware and electronic media containing electronic PHI, a covered entity should:
  - Determine and document the appropriate methods used to dispose of hardware, software, and the PHI itself
  - Ensure that PHI is properly destroyed and cannot be recreated
  - Ensure that PHI previously stored on hardware or electronic media is securely removed such that it cannot be accessed and reused
  - Identify removable media and their use (tapes, CDs/DVDs, USB thumb drives, etc.)
  - Ensure that electronic PHI is removed from reusable media before they are used to record new information
- PHI that has been disposed of in a “secure” manner would not be subject to the breach notification requirements under the HIPAA Rules. PHI is considered to have been disposed of in a secure manner when the media on which the PHI is stored or recorded has been destroyed in one of the following ways:
  - Paper, film, or other hard copy media have been shredded or destroyed such that the PHI cannot be read or otherwise cannot be reconstructed. However, redaction is specifically excluded as a means of data destruction
  - Electronic media have been cleared, purged, or destroyed consistent with NIST Special Publication 800-88 Revision 1, Guidelines for Media Sanitization, such that the PHI cannot be retrieved
Improper disposal of electronic devices and media puts the PHI stored on such devices and media at risk for a potential breach of the HIPAA Rules. Covered Plans that experience a breach of unsecured PHI could incur significant monetary and non-monetary costs, including the costs of (a) issuing required notifications (to individuals and to HHS), (b) responding to any related governmental investigations and paying penalties or settlement amounts, and (c) addressing the resultant employee relations issues.