What is HIPAA Compliant Computer Disposal?

When an electronic device has contact with protected health information, and the device is no longer needed or is damaged, the device must be disposed of in a HIPAA compliant manner. There are certain requirements for HIPAA compliant computer disposal. These requirements are discussed below.

What is Required for HIPAA Compliant Computer Disposal?

Having policies and procedures for the disposal of protected health information (PHI) is a requirement of the HIPAA Privacy Rule as part of your obligation to prevent improper use or disclosure of PHI. As such, the first step to ensuring HIPAA compliant computer disposal is to develop policies and procedures for how your organization disposes of electronic media. 

When creating policies and procedures the Department of Health and Human Services (HHS) recommends the following:

1. Determine and document the appropriate methods to dispose of hardware, software, and the data itself.  
2. Ensure that ePHI is properly destroyed and cannot be recreated.  
3. Ensure that ePHI previously stored on hardware or electronic media is securely removed. 
4. Identify removable media and their use. 
5. Ensure that ePHI is removed from reusable media before they are used to record new information.

Before computers, or other electronic devices, can be disposed of, healthcare organizations must ensure that all electronic protected health information (ePHI) has been removed. To ensure that your organization is aware of all of the devices that touch ePHI, it is important to have a list of assets that includes what type of data is stored on the device. In addition to computers, other devices that are capable of storing ePHI may include mobile devices, tablets, portable hard drives, DVDs, CDs, zip drives, and backup tapes. Other equipment that have internal hard drives may also store ePHI including printers, photocopiers, and fax machines. All of these devices require the same methods of ePHI disposal as a computer.

NIST Guidelines for HIPAA Compliant Computer Disposal

For HIPAA compliant computer disposal organizations must ensure that ePHI has been purged, cleared, or destroyed in accordance with the National Institute of Standards and Technology (NIST) Special Publication 800-88 Revision 1, Guidelines for Media Sanitization. 

NIST defined sanitization methods include:

Clearing. Applies logical techniques to sanitize data in all user-addressable storage locations for protection against simple non-invasive data recovery techniques; typically applied through the standard Read and Write commands to the storage device, such as by rewriting with a new value or using a menu option to reset the device to the factory state (where rewriting is not supported).  

Purging. Applies physical or logical techniques that render Target Data recovery infeasible using state of the art laboratory techniques.  

Destroying. Renders Target Data recovery infeasible using state of the art laboratory techniques and results in the subsequent inability to use the media for storage of data.

NIST Methods of Sanitization

NIST further explains the four most popular methods of sanitization for disposal of ePHI including overwriting user-addressable storage space, Cryptographic Erase, Degaussing, and destruction of data. 

Overwriting sensitive data with non-sensitive data uses the standard read and write commands for the device. Overwriting may not address all of the areas in which sensitive data is stored and can only be used on devices that are not damaged. When considering overwriting data for disposal of ePHI, organizations must ensure that the device that they are clearing is capable of being overwritten and if overwriting data will adequately dispose of ePHI. 

Cryptographic Erase leverages the encryption of target data by enabling sanitization of the target data’s encryption key. This leaves only the ciphertext remaining on the media, effectively sanitizing the data by preventing read-access. Using this method, data is unreadable without a decryption key. Cryptographic Erase should not be used if sensitive data was stored on the device before encryption was enabled. 

Degaussing renders a Legacy Magnetic Device purged when the strength of the degausser is carefully matched to the media coercivity. The coercivity of a device can be determined by referring to the device manufacturer. Degaussing renders devices unusable, however, should be used in combination with other techniques for devices with flash memory-based storage or for magnetic devices that have other means of storage. 

Destruction refers to disintegrating, pulverizing, melting, incinerating, or shredding. These methods completely destroy media and should only be used if other methods of sanitization are ineffective. 

ePHI Disposal and Third-Party Contractors

Many healthcare entities don’t have the means to adequately dispose of ePHI, and as such, many healthcare entities use a third-party contractor to dispose of ePHI. This contractor would be considered a business associate under HIPAA, which means for HIPAA compliant computer disposal, you must have a signed business associate agreement in place before they are permitted to dispose of electronic media.