HIPAA Security Rule and Compliant Hard Drive Destruction
The HIPAA Security Rule is the established authority for ePHI data destruction. This rule describes best practices for healthcare organizations when disposing of ePHI and digital media such as computer hard drives.
HIPAA data destruction compliance can be broken down into three basic categories: planning, due diligence and documentation.
The Five Steps for HIPAA Data Destruction Compliance
Digital Media Inventory
Prepare an inventory of all digital media in your possession. This report, combined with a Certificate of Destruction, will be critical for any audit.
Vendor Due Diligence / Employee Training
The HIPAA Security Rule requires that healthcare organizations perform due diligence when hiring a Business Associate. This requirement can be met by doing your own research and vetting, or by using a vendor that is certified by a recognized authority.
If you decide to complete the destruction project internally, all employees involved must be properly trained. Proof of training will be required during an audit.
Chain-of-Custody & Witnessed Destruction
Maintain a secure Chain-of-Custody. ePHI should remain in your custody up until the digital media is destroyed. Sending hard drives out for destruction may be considered a data breach.
Physical Destruction or Erase Decision
According to NIST 800-88, hard drives no longer being used inside your organization should be physically destroyed. Erasing is acceptable only if they will be reused inside the organization. Physically destroying digital media is the ultimate proof of data destruction.
Certificate of Destruction
Proper documentation is a requirement under the HIPAA Security Rule. All digital media leaving the organization needs to be inventoried and recorded to establish a proper chain-of-custody. A Certificate of Destruction is the standard document required by auditors to establish who destroyed the hard drives and ePHI, and when and where the destruction took place.
“For practical information on how to handle the disposal of computers and digital media containing ePHI – consult NIST 800-88, Guidelines for Media Sanitization” – Department of Health and Human Services.
HIPAA Security Rule & ePHI Data Destruction Summary
Covered entities must implement “reasonable” safeguards under HIPAA regulations to limit the disclosure of ePHI. The term “reasonable” is ambiguous, and covered entities should err on the safe side for data destruction. For example, if physical hard drive shredding is available, erasing hard drives may no longer seem “reasonable” under HIPAA regulations. Likewise, if on-site data destruction is available, allowing a vendor to remove PHI for off-site destruction may no longer be in compliance with HIPAA.
Full detail can be found in NIST 800-66, “Guide for Implementing the HIPAA Security Rule”.