How to Dispose of a Hard Drive While Being HIPAA Compliant
Do you know how your organization destroys protected health information (PHI)? The HIPAA Privacy and Security Rules explicitly state that you need a process for erasing the health information in your possession.
That means you can't merely shred or delete your records. Rule 45 CFR 164.530(c) requires you to maintain the appropriate privacy safeguards even when you destroy your data. Failure to do so can result in impermissible disclosure of the PHI involved, which leads to HIPAA violations and hefty fines.
We'll show you how to dispose of a hard drive without violating HIPAA rules.
Read This Before You Dispose of Your Hard Drive
Whether you're a covered entity or a business associate, you must follow the HIPAA Privacy Rule in securing and destroying patient protected health information (PHI).
Before disposing of any hard drive, make sure you are free and clear to do so. Although HIPAA doesn't mandate a minimum amount of time to keep PHI, individual states do.
Check what your state's retention requirements are. Keep in mind that 45 CFR 164.530(c) says HIPAA protections apply for as long as you hold onto the information.
Note that the Privacy Rule does not prescribe a particular disposal method. However, covered entities should assess all privacy risks before choosing one. That means you need a risk assessment of your chosen method, and of any business associate before you hire them to do the work for you.
How to Dispose of a Hard Drive Following HIPAA Laws
Are you throwing away or recycling your old hard drive in favor of an upgrade? You can't just hand the hardware over.
You'll need to wipe it before it leaves your hands. The data removed should be unrecoverable, which means manually deleting files from the hard drive isn't enough.
Some of your hard drive clearing options include:
- Software to overwrite the data
- Magnetic purging
- Destroying the hard drive through shredding, melting, or incinerating
As previously mentioned, the rules don't strictly state what course of action a covered entity must take. It's up to you to choose your preferred policy that ensures any ePHI is not recoverable after disposal.
There are three things to keep in mind when you want to create a destruction policy. According to HIPAA, these are:
- Reasonable process
- Certified vendors
- Proper documentation
Here's how to apply them to your business.
What Is a Reasonable Process?
HIPAA requires Covered Entities to follow reasonable processes for destroying ePHI or PHI in any form.
Reasonable process means two things: choosing compliant disposal procedures and providing training.
Because HIPAA doesn't require a particular method, you need to come up with your own. HHS lists the following procedures as potential ways of removing PHI from electronic media:
- Clearing (software or hardware overwriting)
- Purging (degaussing, exposure to magnetic fields, etc.)
- Destroying (disintegration, melting, shredding, pulverization, incinerating, etc.)
If you intend to destroy the entire hard drive, hardware included, then you need a destruction policy that matches, such as shredding the hard drive.
You do not need to use more than one procedure as long as the method you select renders the data on the hard drive unrecoverable. So, there's no need to purge the data from the hard drive before melting it because you can't get the data back after the melting process.
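Whichever clearing method you pick, the risk assessment needs evidence that the data is actually gone before the drive leaves the building and the record is signed. The following is an added example, not code from this article: a Python check that a drive image has been fully overwritten, which then feeds the disposal record described later; the constructed sample image, the zero fill byte and the record field names are assumptions.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read 1 MiB at a time so a large drive does not exhaust memory


def find_residual_data(path, fill=0x00):
    """Scan an image end to end. Returns (bytes_scanned, runs), where runs lists
    (offset, length) for every stretch of bytes still differing from the fill."""
    expected = bytes([fill]) * CHUNK
    runs, scanned, start = [], 0, None  # start = offset of the run being tracked
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            if start is None and chunk == expected[:len(chunk)]:
                scanned += len(chunk)  # fast path: whole chunk is clean
                continue
            for i, b in enumerate(chunk):
                if b != fill and start is None:
                    start = scanned + i
                elif b == fill and start is not None:
                    runs.append((start, scanned + i - start))
                    start = None
            scanned += len(chunk)
    if start is not None:  # leftover data runs to the end of the image
        runs.append((start, scanned - start))
    return scanned, runs


def destruction_record(path, procedure, description, supervisors, fill=0x00):
    """Build the record the article calls for (date, procedure, description,
    supervising parties). 'verified' is True only when no residual data remains;
    the SHA-256 over the canonical JSON is a tamper-evident reference for the
    filed copy (handwritten signatures still go on the printed form)."""
    scanned, runs = find_residual_data(path, fill)
    record = {"date": datetime.now(timezone.utc).isoformat(), "procedure": procedure,
              "description": description, "supervisors": supervisors,
              "bytes_scanned": scanned, "residual_runs": runs, "verified": not runs}
    record["sha256"] = hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()
    return record


def write_sample_image(leftover=b"PATIENT-RECORD"):
    """Constructed sample, not a real drive: 3 MiB of zeros with `leftover` placed
    at the 2 MiB mark, imitating an overwrite that stopped short of the end."""
    with tempfile.NamedTemporaryFile(suffix=".img", delete=False) as f:
        f.write(b"\x00" * (2 << 20) + leftover + b"\x00" * ((1 << 20) - len(leftover)))
    return f.name, 2 << 20, len(leftover)
```

On a real drive you would pass the device path in place of the sample image and only sign the record when `verified` is true; a non-empty `residual_runs` means the drive goes back for another pass or to physical destruction.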
What disposal method works best for ePHI? Covered Entities may find that disk shredding is a good option.
Shredding tears the hard drive into 1.5-inch strips that cannot be put back together. A shredder can handle one drive or hundreds at a time, and mobile units exist, so you don't need to buy your own.
Of the methods listed here, shredding is the most effective and least complicated.
For example, degaussing is effective, but in limited cases it has left data recoverable, which is a direct violation of the HIPAA Privacy Rule. Disintegration is highly effective, but it is also highly specialised: it requires dedicated power circuits, ventilation, and a large amount of space.
Don't Forget the Training
In addition to choosing a procedure that meets the security standards required by HIPAA, you'll also need to provide training.
Training is essential when any member of your workforce plays any role in the destruction of data, whether it is destroying a whole hard drive or deleting part of a patient record.
It's up to covered entities to ensure every relevant staff member has training in disposal and that they follow the procedures as described. The rule applies to anyone involved in data disposal or anyone who supervises the process.
Volunteers are not exempt from the rules. HIPAA covers them under the definition of "workforce."
You might think that it's unlikely that your staff will shred or incinerate a hard drive themselves. Even so, the training still guides them in more straightforward procedures.
It also prepares them to supervise the destruction of data and complete the paperwork, which we describe later.
How to Hire a Business Associate to Dispose of Your Hard Drive
With your preferred method of destruction chosen, you'll need a way to carry it out. If you're destroying hard drives, then you typically need both specialist knowledge and equipment.
Fortunately, HHS says that covered entities may hire business associates to carry out the reasonable processes for them.
As you know, hiring a business associate isn't as simple as choosing a service and running with it. As a Covered Entity working with PHI, you need to ensure that your business associate also complies with HIPAA rules.
Before hiring a business associate, you need to ensure they're willing to sign a Business Associate Agreement stating what PHI is accessible, how it will be used, and how it will be destroyed.
Finding a compliant data destruction business isn't as easy as it sounds. Plenty of businesses offer data destruction, but not all of them handle regulated data like PHI.
You also need a Business Associate that follows the appropriate standards for safeguarding the data while it is in their hands. Covered entities should verify this as part of the risk assessment before disposing of the data.
Finally, the business associate you work with should be aware of the HIPAA Breach Notification Rule and the relevant procedures.
Remember that Business Associates put Covered Entities at risk. HHS treats violations committed by a Business Associate as violations by the covered entity.
Keep Proper Documentation
It's not enough to securely dispose of ePHI. Like everything else, you need to create records of your data security practices. All data destruction requires meticulous documentation, and you'll keep that documentation permanently.
What records need keeping? You'll keep track of:
- Date of destruction
- Procedure used
- A detailed description of records destroyed
- Names and signatures of parties who supervised the procedure
Maintaining these records is an integral part of your practice, so store them properly to avoid accidentally destroying the records themselves.
What Happens If You Improperly Dispose of Records
Improper handling of PHI is never something a Covered Entity sets out to do, but overlooking one aspect of the process leads to trouble.
To comply with the HIPAA Privacy Rule, your organization must:
- Have a destruction policy that meets Privacy Rule standards
- Train employees (or the "workforce") on the policy
- Enforce the policy, so it is always followed
Failing to do so risks the exposure of PHI to unauthorized individuals, which is a HIPAA violation.
HIPAA violations come with criminal penalties and fines. Willful violations like failing to destroy PHI properly can result in penalties of a minimum of $50,000. The maximum penalty is $250,000 per violation. Other violations come with a cost of $100 to $50,000.
That's why we recommend that Covered Entities skip magnetic or software deletion. Even though these methods are useful, they still come with a one in a million chance of leaving data behind and exposing it. If it happens to you, you face a lengthy investigation, fines, and even a jail term.
Violating HIPAA rules is serious, and the HHS takes it seriously.
What Should You Do If a Data Leak Occurs?
If you accidentally violate HIPAA rules, then you need to report the mistake immediately. The law applies to both the destruction of hard drives and any other accidental disclosure.
Report all issues to your Privacy Officer, who will then investigate and send a report to the Department of Health and Human Services' Office for Civil Rights. Failing to provide this initial report can turn an accident into a serious incident.
Disposing of Old Hard Drives the Right Way
Knowing how to dispose of a hard drive in a way that complies with HIPAA is part of your job as a Covered Entity, whether you do it yourself or hire a Business Associate to take care of it for you.
Be sure to follow all state laws relating to data destruction, and when it's time, use an irreversible method of destruction like shredding.