Proper safeguards are crucial when disposing of electronic Protected Health Information (ePHI). Compliance with the HIPAA Security Rule will be reviewed if and when an organization works with an auditor from the Office of Civil Rights (OCR).

This covers computers, hard drives, cell phones and anything else holding digital patient data. The Health Insurance Portability and Accountability Act (HIPAA) sets out the rules to be followed.

A FAQ on HIPAA by the Department of Health and Human Services (HHS) Office of Civil Rights explains the rules. It stipulates that any “entities” handling “protected health information … in any form” must “apply appropriate administrative, technical, and physical safeguards.” The entities also must ensure workers receive proper training and “follow the disposal policies and procedures” of the entities.

That means the responsibility of properly disposing of the electronic records rests on the “entities” – the companies, nonprofits, hospitals, government agencies and others. Supervisors also must receive proper training. Volunteers must receive the same training as paid workers.

The FAQ cautions that medical information, whether electronic or paper, is not to be just thrown into dumpsters. But there is also no specified method of disposing of the waste. That is left to the medical facility to determine, including working with private waste disposal companies.

Medical electronic waste disposal considerations include:

  • Any potential risks to patient privacy.
  • Form, type and amount of waste.
  • Special care to prevent identity theft.
  • Specific data to protect include: name; numbers for Social Security, driver’s license, credit and debit cards; diagnosis and treatment data; prescribed medications.
  • Hospital ID bracelets and prescription bottles.

Proper disposal methods include:

  • Paper records should be shredded, burned, pulped or pulverized. The information must be rendered so that it can’t be read, deciphered or reconstructed.
  • Labeled prescription bottles should be kept in opaque bags in secure areas. Then a disposal vendor should be contracted to pick up and destroy the bottles.
  • Data stored on electronic media should be given special care. Data on hard drives should be overwritten with non-sensitive data, such as 0000s; erased by degaussing (exposing the media to a strong magnetic field); or destroyed entirely through disintegration, pulverizing, melting, incinerating or shredding.

Other considerations:

  • If a business or office is being closed, some states require that patients be notified to pick up their records. Other states make this optional, but it still is good practice.
  • The FAQ advises consulting similar health care entities on how they dispose of their data, as well as consulting with data-disposal vendors.
  • Computers and other electronic equipment may be reused, “but only if certain steps have been taken to remove the electronic protected health information.”
  • Health care workers operating from home – something that increased during the pandemic – also must follow proper disposal methods. The entity in charge must give these workers the same training as those on site. If the data cannot be disposed of properly at home, then it must be brought to the entity itself for disposal. Crucially, the FAQ warns, “In cases where workforce members fail to comply with the covered entity’s disposal policies and procedures, the covered entity must apply appropriate sanctions.”

Patients and their privacy always must be the first concern of those handling medical data. The proper disposal of such data should not be an afterthought, but built into any medical data system.