ePHI Disposal Under the HIPAA Security Rule

The HIPAA Security Rule requires covered entities (health plans, health care clearinghouses, and health care providers that transmit any health information electronically in connection with a HIPAA-covered transaction) and their business associates to implement reasonable and appropriate physical safeguards for their electronic information systems and the related buildings and equipment (45 CFR § 164.310).

These safeguards must protect the confidentiality, integrity, and availability of electronic protected health information (ePHI). ePHI is any protected health information that is created, stored, transmitted, or received in any electronic format.

What is HIPAA ePHI Disposal?

The Device and Media Controls standard (45 CFR § 164.310(d)(1)) is one of those physical safeguards. Its Disposal implementation specification (§ 164.310(d)(2)(i)) requires covered entities and business associates to implement policies and procedures that address two things:

  • The final disposition of ePHI; and 
  • The final disposition of the hardware or electronic media on which the ePHI is stored. 

The policies and procedures for HIPAA ePHI disposal should specify:

  • How, exactly, ePHI is to be disposed of.
  • How, exactly, hardware or electronic media on which ePHI is stored is to be disposed of.
  • Which employees are authorized to dispose of ePHI.
  • Which employees are authorized to dispose of hardware or electronic media on which ePHI is stored; media awaiting disposal should remain in the custody of an authorized employee at all times.
  • A record of the receipt and removal of hardware and electronic media that contain ePHI, and of the person responsible for them (the standard's Accountability implementation specification, § 164.310(d)(2)(iii)).

When covered entities and business associates dispose of ePHI or of electronic media that contains ePHI, they must make sure the ePHI is rendered unusable, unreadable, or inaccessible to unauthorized persons. 

One common method that achieves this for magnetic media is degaussing: exposing the media to a strong magnetic field that randomizes the magnetic domains holding the data, erasing it. Degaussing works only on magnetic media (hard disk platters and tape). It has no effect on flash-based media such as SSDs and USB drives, and it normally leaves a hard drive inoperable, because the servo tracks are erased along with the data.

Another method of HIPAA ePHI disposal is clearing: using software or hardware tools to overwrite every addressable location on the media with non-sensitive data such as zeros or a random pattern. Clearing is the method to use when the media will be re-used rather than discarded. Overwriting is reliable for magnetic hard drives, but not for flash-based media, where wear levelling and spare blocks can leave old data in locations the overwrite never reaches; for those, use the drive's built-in sanitize or cryptographic-erase command, or destroy the media. 

Entities that do not have degaussing equipment can instead destroy the media physically, damaging it beyond repair so the data cannot be recovered. HIPAA ePHI disposal can be performed by disintegrating, pulverizing, shredding, melting, or incinerating the media.  

A physical hard drive, for example, can be run through an industrial shredder or drilled, crushed, or otherwise damaged beyond repair. Shredding is the most common form of physical destruction, not a separate method.
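The clearing and accountability steps above, as an added example that is not part of the original article: a POSIX shell script that overwrites a piece of media, verifies that nothing readable remains, and appends a disposal record. It operates on a regular file standing in for a disk so it runs unprivileged; the sample "patient record" it writes is constructed for the demo, and the function names and log format are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): "clearing" electronic
# media by overwriting it, verifying the overwrite, and writing the
# accountability record the Device and Media Controls standard asks for.
# Works on a regular file standing in for a disk; pass /dev/sdX (as root)
# to act on real magnetic media. Function names and log format are assumed.
set -eu

DISPOSAL_LOG="${DISPOSAL_LOG:-${TMPDIR:-/tmp}/ephi_disposal.log}"

# Size in bytes of a regular file or a block device.
media_size() {
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"        # Linux util-linux
    else
        wc -c < "$1" | tr -d ' '
    fi
}

# Constructed sample "disk": a fake record followed by random filler,
# written to a temp file. Prints the path.
make_sample_media() {
    img=$(mktemp)
    printf 'PATIENT RECORD: Jane Doe, MRN 12345, DOB 1970-01-01\n' > "$img"
    head -c 65536 /dev/urandom >> "$img"
    printf '%s\n' "$img"
}

# Clearing: overwrite with zeros, then pseudo-random data, then zeros.
# Each pass is bounded to the media size and flushed before the next.
# Not suitable for SSDs/flash; see the prose above.
clear_media() {
    target="$1"
    size=$(media_size "$target")
    for src in /dev/zero /dev/urandom /dev/zero; do
        head -c "$size" "$src" > "$target"
        sync
    done
}

# Verify the clear: the marker string must be gone and no non-zero byte
# may remain anywhere on the media. Returns 0 on success, 1 otherwise.
verify_cleared() {
    target="$1"; marker="$2"
    if grep -aq -- "$marker" "$target"; then
        return 1
    fi
    leftover=$(tr -d '\000' < "$target" | wc -c | tr -d ' ')
    [ "$leftover" -eq 0 ]
}

# Append an accountability record: when, what, how, by whom, plus a hash
# of the post-clear contents so the record can be re-verified later.
record_disposal() {
    target="$1"; method="$2"; operator="$3"
    digest=$(sha256sum "$target" | cut -d' ' -f1)
    printf '%s\t%s\t%s bytes\t%s\t%s\tsha256=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$target" "$(media_size "$target")" \
        "$method" "$operator" "$digest" >> "$DISPOSAL_LOG"
}

# Stand-alone demo: ./clear_media.sh --demo
if [ "${1:-}" = "--demo" ]; then
    img=$(make_sample_media)
    clear_media "$img"
    verify_cleared "$img" 'MRN 12345' || { echo "clear FAILED: $img"; exit 1; }
    record_disposal "$img" clear-overwrite "$(id -un)"
    tail -n 1 "$DISPOSAL_LOG"
    rm -f "$img"
fi
```

The verification step is the part most policies omit: it reads the whole media back and refuses to log the disposal unless every byte is zero, so a pass that failed part way (a write error, a device that silently ignored writes) is caught rather than recorded as complete. On flash-based media the same check can pass while old data survives in unmapped blocks, which is why the prose above recommends the drive's own sanitize command or physical destruction there.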

Compliancy Group Simplifies HIPAA Compliance

Having an effective HIPAA ePHI disposal policy is required to become HIPAA-compliant. Covered entities and business associates can address their HIPAA ePHI disposal obligations by working with Compliancy Group. Compliancy Group can work with you to address all federal HIPAA security standards.