Hipaa law for storage and disposal of health information

Healthcare providers, health plans, health care clearinghouses, and their business associates have an obligation under the Health Insurance Portability and Accountability Act (HIPAA) to protect the patient health information the law covers. Regulations issued by the Department of Health and Human Services (HHS) under HIPAA require HIPAA covered entities and their business associates to implement policies and procedures addressing the disposal of electronic protected health information (PHI) and the hardware or electronic media on which it is stored. As a result, secure data disposal is a key process for HIPAA covered entities and their business associates.

The covered entity or business associate must have policies and procedures to ensure PHI cannot be inadvertently disclosed during or after disposal or reuse of its storage media. After lost and stolen laptops and media, the second most common subject of enforcement by the HHS Office for Civil Rights (OCR) has been improper disposal of PHI. For example, South Shore Hospital near Boston faced an attorney general enforcement action after the hospital retained a data management company to dispose of computer tapes containing PHI, but the tapes were lost in transit. The hospital had failed to delete the PHI from the tapes before shipping them. In another case, the OCR forced Affinity Health Plan to pay over $1.2M after it returned photocopiers to a leasing company without first removing electronic PHI from them.

Some OCR enforcement activities concerned the improper disposal of paper PHI. The security of paper PHI falls under the Privacy Rule rather than the Security Rule. In one OCR case, workers left boxes of paper medical records on a retiring physician’s driveway while he was away. In one attorney general enforcement action, the Massachusetts attorney general sued the former owners of a medical billing practice and four pathology groups after they improperly disposed of paper records containing sensitive PHI in a public dump, where a Boston Globe photographer found them. The former owners paid $140,000 to settle the claim.

The principle of secure PHI disposal, however, applies both to electronic and paper media. Organizations usually shred PHI in paper form to dispose of it. To securely dispose of electronic PHI, the organization can:

  • Securely destroy the storage media. When erasure is impractical, as in the case of a CD-ROM, the covered entity or business associate must physically destroy the electronic

  • Securely erase the PHI from the storage media using appropriate software or demagnetizing (degaussing) equipment.

  • Use the built-in “wiping” function that some mobile devices provide to securely delete the data on them.

  • Encrypt all PHI on the device and then delete the encryption/decryption key (or its activation data) to prevent any future decryption of the data.

Safeguards to prevent disclosure should account for reasonably anticipated techniques for recovering erased data, such as unerase utilities, block read utilities, and the like.

One particular threat is the reuse or disposal of a workstation or laptop that previously stored or processed PHI. Simple file deletion generally does not permanently erase the information, and many utilities can easily recover these files. The covered entity or business associate must use a secure data destruction methodology to cleanse any storage media before reusing or disposing of them. The organization should also train workers concerning the threat posed by discarded media and the practices and technical standards it utilizes to eliminate PHI from media before discarding it.
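As an added example (not part of this article, and not code from any organization mentioned on this page), the following Python script works two of the options above on a simulated medium: a software erase that overwrites a file in place and reads it back, and a cryptographic erasure that keeps only ciphertext on the medium and then destroys the key. It ends each procedure with a read-back check for known PHI fragments, which is the practical counterpart to the requirement that safeguards anticipate recovery tools rather than trust a plain delete. The sample record, the marker strings and the SHAKE256-based stream cipher are constructed for illustration only.

```python
"""Illustrative PHI sanitization helpers (added example, not from the page).

Two disposal options worked in code on a simulated medium:
  1. clear: overwrite the file's bytes in place, fsync, verify, then unlink it;
  2. cryptographic erasure: keep only ciphertext on the medium, destroy the key.
Both finish with a read-back check that the known PHI strings are gone.
"""
import hashlib
import os
import secrets
import tempfile

# Constructed sample PHI record; not real patient data.
SAMPLE_PHI = b"Patient: Jane Q. Sample; MRN 000-00-0000; Dx: hypertension\n"
MARKERS = [b"Jane Q. Sample", b"000-00-0000", b"hypertension"]


def residual_markers(data: bytes, markers=MARKERS) -> list:
    """Return the known PHI fragments still readable in `data` (empty = clean)."""
    return [m for m in markers if m in data]


def clear_file(path: str, passes: int = 2) -> bytes:
    """Overwrite a file in place (random passes, then zeros), fsync after each
    pass, read the final image back for verification, then unlink the file."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            f.write(secrets.token_bytes(size))
            f.flush()
            os.fsync(f.fileno())
        f.seek(0)
        f.write(b"\x00" * size)
        f.flush()
        os.fsync(f.fileno())
        f.seek(0)
        image = f.read()          # what a block-read of the file now yields
    os.remove(path)
    return image


# --- cryptographic erasure -------------------------------------------------
NONCE_LEN = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Illustrative stream cipher: SHAKE256 used as a keyed XOF. A real deployment
    # uses a vetted cipher (AES-XTS full-disk encryption or an AEAD) instead.
    return hashlib.shake_256(bytes(key) + nonce).digest(length)


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext; only this blob is ever written to the medium."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = _keystream(key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def crypto_erase(key: bytearray) -> None:
    """Destroy the key in place. With the key gone the ciphertext left on the
    medium is unrecoverable, so the medium can be reused or shipped as-is."""
    for i in range(len(key)):
        key[i] = 0


def demo() -> dict:
    """Run both procedures and return the verification results."""
    results = {}
    # 1. clear: write PHI to a temp file, overwrite it, verify the read-back image
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(SAMPLE_PHI)
    image = clear_file(path)
    results["clear_residual"] = residual_markers(image)
    results["clear_file_gone"] = not os.path.exists(path)
    # 2. crypto-erase: the medium only ever holds ciphertext; the key lives elsewhere
    key = bytearray(secrets.token_bytes(32))
    medium = encrypt(bytes(key), SAMPLE_PHI)
    results["ciphertext_residual"] = residual_markers(medium)
    results["decrypts_with_key"] = decrypt(bytes(key), medium) == SAMPLE_PHI
    crypto_erase(key)
    results["decrypts_after_erase"] = decrypt(bytes(key), medium) == SAMPLE_PHI
    results["post_erase_residual"] = residual_markers(decrypt(bytes(key), medium))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run it directly to print the check results. The caveat a practitioner needs: an overwrite through the filesystem is not a reliable sanitizer on SSDs or on journaling and copy-on-write filesystems, where old copies of blocks can survive; for such media the key-destruction path, or a purge of the whole device along the lines of NIST SP 800-88, is the procedure to rely on, and the read-back check still belongs at the end of it.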

Stephen Wu wrote A Guide to HIPAA Security and the Law (Second Edition) published by the American Bar Association in August 2016. For more information on determining if your business falls under HIPAA, please contact Stephen Wu by completing the web form here.

HIPAA – DataShield is 100% compliant with the Health Insurance Portability and Accountability Act

Patient information security is one of the most important elements in the medical industry. Keeping patient records and details confidential is morally respectful, and also maintains an element of trust between a doctor and an individual. Failing to comply with HIPAA regulations can also be extremely costly—we’re talking fines of $13,000 per day for HIPAA violations in medical facilities.

DataShield thoroughly understands and complies with the Health Insurance Portability and Accountability Act (HIPAA), demonstrating our unwavering commitment to protecting our healthcare industry customers’ confidential information.

Under HIPAA law, companies are not allowed to simply abandon records/items containing personal health information (PHI) or dispose of it in public trash receptacles. Companies must have a permitted procedure in place and train all employees who handle confidential information. Companies must also address the final disposition of electronic PHI and/or the hardware on which it is stored and hard copies of the records.

Here are three things you should know about proper destruction and storage methods of PHI materials as outlined by HIPAA Privacy and Security Rules.

Disposal of Paper Records

A company must shred, burn, pulp, or pulverize the records so that the PHI becomes essentially unreadable, indecipherable, and impossible to reconstruct. DataShield’s convenient mobile or plant-based shredding services are HIPAA compliant, and ensure the utmost security to meet regulatory requirements.

Disposal of Electronic Media

A company must clear (use software or hardware products to overwrite media with non-sensitive data), purge (degauss or expose the media to a strong magnetic field in order to alter recorded magnetic domains), or destroy the media (disintegrate, pulverize, melt, incinerate, or shred). DataShield guarantees the destruction of your sensitive PHI files with our top-notch data destruction services. We strip your electronics of any hard drives and storage components and shred them down to irretrievable pieces.

PHI Storage

Hard copy paper medical records are very susceptible to security violations. They’re vulnerable to anything from unprotected FTP access to normal human error, which is unfortunately very common. These risks often make medical file storage a challenge for healthcare providers everywhere.

To avoid these issues with older, out-of-date files, it’s wise to store paper charts and medical records in areas away from other records or equipment, like DataShield’s strictly controlled, off-site storage center, complete with 24-hour security and surveillance. Our security procedures have been approved by the National Association for Information Destruction (NAID). This denies access and visibility to unauthorized personnel, and guards against leaked patient information.

HIPAA regulations, like most other standards for highly sensitive information, are always changing and developing. Our team of experts is committed to keeping you up to date on these shifts and ensuring the safety and security of the medical records you have on file.

Learn more about DataShield’s HIPAA compliance and data destruction services and contact us today.

How do you store protected health information?

Medical records and PHI should be stored out of sight of unauthorized individuals, and should be locked in a cabinet, room or building when not supervised or in use. Provide physical access control for offices, labs and classrooms through the following:

  • Locked file cabinets, desks, closets or offices.

  • Mechanical keys.

What are the 4 most common Hipaa violations?

The 5 Most Common HIPAA Violations

  • HIPAA Violation 1: A non-encrypted lost or stolen device.

  • HIPAA Violation 2: Lack of employee training.

  • HIPAA Violation 3: Database breaches.

  • HIPAA Violation 4: Gossiping and sharing PHI.

  • HIPAA Violation 5: Improper disposal of PHI.

How protected patient information is accessed stored and maintained?

In general terms, you could explain that you secure patient information by:

  • Encrypting PHI at rest and in transit (if that is the case).

  • Only storing PHI on internal systems protected by firewalls.

  • Storing charts in secure locations where they can only be accessed by authorized individuals.

Does Hipaa allow you to store data outside of the US?

Q: Does HIPAA allow a covered entity or business associate to use a cloud services provider (CSP) that stores protected health information (PHI) on servers outside the United States? A: Yes, as long as a business associate agreement is executed between the covered entity or business associate and the CSP.